eKYC – AADHAAR slowly moving to reality.

English: Diagram illustrating how a simple dig...
English: Diagram illustrating how a simple digital signature is applied and verified. (Photo credit: Wikipedia)


Over 19.50crs Aadhaar numbers have already been issued, and the number is increasing day by day.

Hence, every fortnight, there is a new development on the UIDA-Aadhaar front.  The quicker the ecosystem is in place, the faster will the benefits be visible.

The digitally stored data can only be useful when it can be employed as an Authentication tool. The authentication can be for the ‘identity’, or ‘data’ against the particular Aadhaar number.

Hence today’s post is on the eKYC concept. Yes, the physical KYC (Know Your Customer) process can be migrated to the electronic mode.

In August 2012, UIDAI released the API SPECIFICATION – VERSION 1.0 (DRAFT) outlining in detail the approach to be adopted by Software Companies to incorporate Aadhaar eKYC API into their applications.

The simple purpose of Aadhaar Authentication is to enable Aadhaar-holders to digitally prove their identity. The Authentication is done online.

The eKYC process flow:

a)    The interested resident authorizes UIDAI (through Aadhaar authentication) to provide their basic demographic data for PoI (Proof of Identity)  and PoA (Proof of Address)  along with their photograph (digitally signed) to service providers.

b)   The resident’s record is first selected using the Aadhaar Number and then the demographic/biometric inputs are matched against the stored data which was provided by the resident during enrolment/update process.  Another option for authentication can be done on the basis of the OTP sent to the registered mobile number.

c)     KYC front-end application captures Aadhaar number + biometric/OTP of resident.

d)    KUA forms the Auth XML using the PID block, signs it, and uses that to form KYC XML and signs it (if this is delegated to KSA, KSA also could form the KYC XML and sign it) sends to KSA

e)     KSA forwards the KYC XML (if KSA forms the KYC XML on behalf of KUA, KSA needs to form the KYC XML, and sign it) to Aadhaar KYC API

f)     Aadhaar KYC service authenticates the resident and if successful responds with digitally signed and encrypted demographic and photograph in XML format

g)     Demographic data and photograph in response is encrypted with either KSA or KUA public key (based on the setup at CIDR)

h)    KSA sends the response back to KUA enabling paper-less electronic KYC

i)     For security reason data collected for Aadhaar KYC must not be stored in the devices or log files. It’s essential for ASA and AUA to maintain audit records for all the authentication request metadata along with the response

j)    KYC front-end application must ensure it takes an explicit “resident consent” authorizing the AUA to retrieve the resident data. Only if the resident has provided the consent (in the application UI, either in self-service mode or operator should prompt the resident and get consent), this should be populated as “Y”. No other values are valid.

k)    The process can be for confirmation of proof of identity or confirmation of the information provided by the resident.

l)     Resident’s privacy is of utmost importance, hence in the Aadhaar authentication service can only respond with a ‘yes/no’ nothing more, nothing less.

m)  No Personal Identity Information is returned as part of the response.

The Response:

  • The encrypted response is just “0” or “-1”.
  • If the status is “0”, it means that the encrypted response data is valid.
  • If the status is “-1”, it means the data should not be decrypted and used
  • There will be a unique alphanumeric response code for each request received by CIDR.
  • The AUA is expected to store this for future reference for handling any disputes.
  • Aadhaar KYC server will retain KYC trail only for a short period of time as per UIDAI policy.


Like all digital interaction, there are failure chances too.

In case of a failure, an error code is generated. Typical failure codes are:

  • “K-100” – Resident authentication failed
  • “K-200” – Resident data currently not available
  • “K-540” – Invalid KYC XML
  • “K-541” – Invalid KYC API version
  • “K-542” – Invalid resident consent (“rc” attribute in “Kyc” element)
  • “K-543” – Invalid timestamp (“ts” attribute in “Kyc” element)
  • “K-544” – Invalid resident auth type (“ra” attribute in “Kyc” element does not match what is in PID block)
  • “K-545” – Resident has opted-out of this service
  • “K-551” – Invalid “Txn” namespace
  • “K-569” – Digital signature verification failed for KYC XML (means that authentication request XML was modified after it was signed)
  • “K-570” – Invalid key info in digital signature for KYC XML (it is either expired, or does not belong to the AUA or is not created by a well-known Certification Authority)
  • “K-600” – AUA is invalid or not an authorized KUA
  • “K-601” – ASA is invalid or not an authorized KSA
  • “K-602” – KUA encryption key not available
  • “K-603” – KSA encryption key not available
  • “K-999” – Unknown error (the most famous of all errors!!!)

Legal Framework: UIDAI will develop necessary legal framework and processes around the Aadhaar e-KYC service. These documents will also specify KUA/KSA eligibility criteria, registration process, and the operating model.

Aadhaar eKYC API Usage: The eKYC API can be used (only with the explicit authorization of the resident) by an agency to obtain latest resident demographic data and photo data from UIDAI. There are primarily two scenarios under which this API may be used:

1. New customer/beneficiary:

a. In this case, KUA should use capture resident authentication data, invoke e-KYC API through a KSA network;

b. The KYC data returned within the response of the e-KYC API is digitally signed by UIDAI and can be used for electronic audit at a later stage; and

c. Using the resident data obtained through this KYC API, the agency can service the customer.

2. Existing customer/beneficiary

a. In this case, KUA should use capture resident authentication data, invoke e-KYC API through a KSA network;

b. The KYC data returned within the response of the KYC API is digitally signed by UIDAI and can be used for electronic audit;

c. Since the resident is already a customer/beneficiary, the agency can use a simple workflow to approve the Aadhaar linkage by comparing data retrieved through the e-KYC API against what is on record (in paper or electronic form); and

d. Once verified, the existing customer/beneficiary record can be linked to the Aadhaar number.


In layman terms:

API – API is the abbreviation for Application Program Interface. API can said to be the building blocks available to the Software Programmer to develop a good software application.

All software operating environments have to provide an API on public domain to boost their usage of the respective operating environment. The API’s are primarily targeted towards programmers, but are good for the end users too, as any software program developed with a common API will have related interfaces. This makes it easier for users to embrace new programs quickly.

ASA – Authentication Service Agency.  This is an agency which has already established secure leased line connectivity to the UIDAI CIDR (Central Information Data Repository).  KYC Service Agency (KSAs) are ASAs that are eligible to provide access to the e-KYC service through their network.

AUA – Authentication User Agency. This is an agency which enters into an agreement with UDIAI to function as an UIDAI-Aadhaar Authentication agency. KYC User Agency (KUAs) are AUAs that are eligible for the e-KYC service.

CIDR -Central Identities Data Repository. This is the UIDAI repository wherein all the Aadhaar data is stored.


Re-dessiminated by Prashant N. Banker by daytime, Blogger by night.

2 thoughts on “eKYC – AADHAAR slowly moving to reality.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s