UIDAI CEO Bhuvnesh Kumar on securing the digital identity of over billion Indians

Time of India

24-04-2025

As of January 2025, over 100 crore face-authentication transactions were recorded in India—proof of how deeply
Aadhaar
has become embedded in the country's digital and financial ecosystem. Behind this scale and sophistication is the Unique Identification Authority of India (
UIDAI
), which continues to evolve the Aadhaar platform to meet emerging technological, legal, and societal challenges.
In this wide-ranging interview,
Bhuvnesh Kumar, Chief Executive Officer of Unique Identification Authority of India - UIDAI
, speaks to
Anoop Verma
, Editor-News, ETGovernment, about how Aadhaar is being continually fortified through artificial intelligence,
biometric liveness detection
, and blockchain-based verifications.
From empowering women through financial independence to ensuring last-mile delivery in remote areas via fingerprint-enabled doorstep banking, Kumar offers a comprehensive look into how UIDAI is building a secure, inclusive, and future-ready identity infrastructure for over a billion Indians.
Edited excerpts:
Aadhaar has been instrumental in financial inclusion. How has it impacted India's unbanked population and Direct Benefit Transfers (DBT)?
Aadhaar has played a transformative role in advancing financial inclusion in India. Over 50 crore bank accounts were opened under the Pradhan Mantri Jan Dhan Yojana (PMJDY), a milestone made possible through Aadhaar-based eKYC. This method of electronic Know Your Customer verification is fast, non-repudiable, and highly cost-effective, significantly accelerating the onboarding of new customers for banking services. As a result, India has achieved near-universal financial inclusion in terms of bank account proliferation.
When Aadhaar was conceptualized in 2009, only about 17% of India's population had bank accounts. By 2024, approximately 95% of the population—virtually 100% of adults—possessed an Aadhaar number, and bank account ownership had surged to 77%.
Aadhaar authentication
has also helped eliminate around 100 million fake or ghost beneficiaries, enabling the government to deposit subsidies and benefits directly into the accounts of verified individuals. This direct benefit transfer mechanism has led to cumulative savings of ₹3,72,546 crore by March 2025. Once linked to a bank account, Aadhaar becomes a financial address for the holder, allowing precise and efficient delivery of welfare schemes to the rightful beneficiaries.
How does UIDAI ensure that people in rural areas, who may have limited access to technology, can still use Aadhaar effectively?
UIDAI has implemented several measures to bridge the digital divide in rural India, ensuring Aadhaar's accessibility even in areas with limited technological infrastructure. The Aadhaar-enabled Payment System (AePS) has proven particularly effective, allowing individuals to access their Aadhaar-linked bank accounts using just their fingerprints. Through door-step banking services provided by "bank mitras," residents can carry out transactions from the comfort of their homes, overcoming barriers such as lack of smartphones or internet access.
Fingerprint-based Aadhaar authentication is also widely used for accessing a variety of government services, especially in-kind benefits like the Public Distribution System (PDS), which has emerged as one of the largest platforms for Aadhaar-based identity verification. Moreover, UIDAI has introduced offline verification options, including QR code-based Aadhaar services, which enable identity verification even in areas with poor or no internet connectivity, thereby ensuring inclusivity in remote regions.
What are the challenges in Aadhaar enrollment for vulnerable populations such as the elderly, disabled, and homeless individuals, and how is UIDAI addressing them?
UIDAI has instituted multiple provisions to address enrolment challenges faced by vulnerable populations, ensuring that no eligible individual is left out due to physical or biometric limitations. Under its Biometric Exception Enrolment Guidelines issued on August 1, 2014, UIDAI allows enrollment for individuals who cannot provide biometric data such as fingerprints or iris scans due to reasons like injury, old age, leprosy, or other conditions. If only one biometric—either fingerprint or iris—is available, it is used for enrolment; if neither can be captured, enrolment still proceeds based on demographic details, with specific notations in the system and a supervisor's validation.
Photographs highlighting the biometric exception are also required, ensuring documentation is thorough. Additionally, UIDAI has issued advisories to all registrars and enrolment agencies, urging them to train operators on handling exceptional cases with care and empathy.
For those unable to visit enrolment centres, UIDAI offers home enrolment services on a chargeable basis, particularly for senior citizens, bedridden individuals, and persons with disabilities. Applicants must submit supporting documentation, including a medical certificate or disability ID, to the nearest UIDAI Regional Office. UIDAI also conducts regular enrolment camps to reach and serve vulnerable populations across the country.
There have been concerns about Aadhaar-related exclusions in welfare schemes. How does UIDAI work with the government to ensure benefits reach the intended beneficiaries?
UIDAI is committed to ensuring that Aadhaar does not become a barrier to accessing welfare benefits. For schemes governed under Section 7 of the Aadhaar Act, 2016, Aadhaar authentication is not mandatory for availing benefits. In cases where Aadhaar authentication is not feasible, beneficiaries are allowed to establish their identity through alternate means. While UIDAI provides the technological backbone for identity verification, it is the responsibility of the implementing agencies to formulate clear policy guidelines allowing such alternatives, thereby ensuring that no eligible beneficiary is denied service due to Aadhaar-related challenges.
How does Aadhaar empower women, particularly in terms of financial independence and access to government schemes?
Aadhaar has significantly contributed to empowering women by facilitating a shift from family-based to individual-based bank accounts. Aadhaar-based eKYC has made it possible for women to open their own bank accounts quickly and securely, which is now a prerequisite for receiving Direct Benefit Transfers (DBTs). As government welfare benefits are now transferred directly to the individual's account, women beneficiaries are ensured direct and independent access to financial resources. This direct ownership of funds has enhanced their ability to make financial decisions, thereby fostering greater economic independence and contributing to their empowerment.
What technological advancements are being integrated into Aadhaar to enhance security and authentication?
To enhance security within the authentication ecosystem, biometric spoof detection techniques based on artificial intelligence and machine learning models are being integrated into fingerprint devices by respective vendors. Additionally, biometric matching and liveness detection models for both face and fingerprint modalities are regularly trained using the latest datasets. UIDAI is also progressing toward implementing liveness detection for iris-based devices, further strengthening the overall biometric security infrastructure.
UIDAI is actively deploying AI and ML technologies to detect and prevent identity fraud across multiple fronts. One live project involves an AI-ML model that analyzes biometric enrolment and update patterns to identify fraudulent activities, such as flipped or partial IRIS submissions and mixed biometrics. The system flags anomalies and potential fraud cases. AI also extracts URLs from QR codes to validate credentials against whitelisted sources like official birth certificate issuers. A face-matching system integrated with liveness detection helps prevent spoofing through photos or videos. The SEDA system further enhances security by performing 1:N face deduplication and cross-matching with Bureau of Immigration records to prevent fraudulent enrolments by foreigners. Additionally, an AI-based age prediction model is in canary mode to detect age-related fraud.
In the short term, projects in the pipeline include AI-driven photo matching from submitted documents to reduce dependency on human operators, and OCR-based data extraction to automate document verification. Long-term plans involve developing an indigenous Automated Biometric Identification System (ABIS) for large-scale deduplication using AI, along with state-wise Bharat DeDupe initiatives to eliminate database duplicates. Liveness detection for face, fingerprint, and iris is also being planned to prevent biometric spoofing. These efforts aim to significantly enhance the reliability and security of Aadhaar's identity verification system.
Are there plans to incorporate blockchain technology to further secure Aadhaar data?
UIDAI currently operates a centralized identity platform based on the Central Identities Data Repository (CIDR) for enrolment validation, authentication, and biometric verification. However, it is also exploring blockchain-based solutions for offline Aadhaar verification. Blockchain, with its decentralized trust model, allows for verifiable credentials where authentication can occur without direct connectivity to CIDR. This approach can enhance data immutability, auditability, and enable secure offline verification through cryptographic proofs. While this could reduce dependency on real-time queries and increase trust, challenges such as scalability, governance, and compliance need to be addressed to align with UIDAI's operational structure.
Given the increasing cyber threats, what new security protocols are being developed to protect Aadhaar users?
UIDAI has adopted a security and privacy-by-design approach in building the Aadhaar ecosystem. Key security measures include consent-based access to Aadhaar Number Holder (ANH) data, available only to the ANH and authorized Requesting Entities (REs). Data is encrypted both at rest and in transit, ensuring protection throughout its lifecycle. Users can generate a Virtual ID (VID) instead of sharing their Aadhaar number, and they also have the ability to lock and unlock their biometrics to prevent misuse. UIDAI has developed an AI/ML-powered authentication system to detect fraud and continuously reviews and audits the security of CIDR to safeguard its systems. To future-proof against evolving threats, enhancements to encryption protocols are underway to mitigate post-quantum risks, alongside the rollout of a scaled-up fraud management system.
How does UIDAI ensure the reliability of biometric authentication, especially for individuals facing fingerprint or iris recognition failures?
To address authentication challenges related to fingerprint and iris recognition failures, UIDAI is increasingly promoting the use of face authentication, which has shown higher success rates and greater resilience to functional issues. Face authentication is particularly effective in cases where fingerprint quality is poor or iris scanning faces technical hurdles. As of January 2025, face-based authentication has crossed the 100-crore transaction mark, with an average of 45 to 50 lakh daily transactions, indicating its growing adoption and reliability across the Aadhaar ecosystem.
How does UIDAI ensure compliance with legal frameworks, especially after the Supreme Court's rulings on Aadhaar?
The Supreme Court's 2018 ruling in the Justice K.S. Puttaswamy (Retd.) vs. Union of India case was a landmark decision that defined the legal boundaries for Aadhaar's operation, particularly in relation to privacy and data security. In response, UIDAI undertook several measures to align its operations with the Court's directives.
The ruling emphasized that Aadhaar usage for non-government services like mobile phone connections and bank accounts must be voluntary. It also mandated strict safeguards for data security and privacy, prohibiting data sharing without individual consent. To comply, UIDAI amended the Aadhaar Act through the Aadhaar and Other Laws (Amendment) Act, 2019. Key provisions included redefining the Aadhaar number to incorporate Virtual ID (VID), allowing voluntary use of physical or electronic Aadhaar for authentication or offline verification, and mandating parental consent for child enrolments. Only entities adhering to prescribed privacy and security standards can now use Aadhaar authentication, and offline verifications are also subject to stringent restrictions on data sharing.
Further safeguards include the requirement for judicial orders (from a High Court judge) for accessing identity information under Section 33(1) of the Aadhaar Act, and increased penalties for non-compliance. A new Chapter VIA introduced civil penalties and a framework for adjudication and appeals, while amendments to Section 47 empowered Aadhaar holders to file complaints against privacy violations.
UIDAI is also adapting to newer legal developments. Following the enactment of the Digital Personal Data Protection Act, 2023, and the upcoming rules under it, UIDAI is assessing and updating its technological and legal systems to ensure full compliance with the new data protection regime.
What steps has UIDAI taken to ensure Aadhaar data is used responsibly by government and private entities?
UIDAI has implemented a robust set of measures to ensure responsible use of Aadhaar data by both government and private entities. The Aadhaar Act, 2016 serves as the legal foundation, clearly stipulating that data can only be used for authorized purposes with the explicit consent of the Aadhaar holder. The Act also enforces penalties for any misuse.
To protect user privacy, the authentication process is designed to share only the minimum required information, and users are informed of the purpose during authentication. Advanced encryption techniques secure biometric and demographic data both during storage and transmission. To further enhance privacy, UIDAI introduced Virtual ID (VID), which allows users to authenticate without revealing their actual Aadhaar number. The Limited KYC mechanism ensures only essential data is shared with service providers.
Tokenization is another layer of security, replacing Aadhaar numbers with unique tokens for each transaction. UIDAI conducts regular audits of all entities using Aadhaar data to ensure compliance with its stringent privacy and security norms. Non-compliant organizations may face suspension or revocation of their access rights.
In addition, the Aadhaar Data Vault policy mandates that Aadhaar numbers be stored in encrypted form within a highly secure environment. UIDAI operates within a broader legal framework that includes the Information Technology Act, 2000, and the Aadhaar (Sharing of Information) Regulations, 2016, which govern the conditions for information sharing and the responsibilities of data handlers. Together, these measures ensure a high standard of accountability in the use of Aadhaar data.
How does UIDAI regulate Aadhaar-based authentication services to prevent unauthorized use?
UIDAI maintains a comprehensive regulatory framework to prevent unauthorized use of Aadhaar authentication services. The Aadhaar Act, 2016 provides the legal foundation, mandating that authentication can only occur with the explicit consent of the Aadhaar holder. Unauthorized use or data sharing is a punishable offense.
To ensure compliance, UIDAI operates a three-tiered audit mechanism, conducting regular audits of entities using Aadhaar data. Entities found in violation of UIDAI's standards may face penalties, suspension, or de-boarding from Aadhaar facilities.
Further, UIDAI requires all requesting entities designated as Authentication User Agencies (AUA), e-KYC User Agencies (KUA), and Authentication Service Agencies (ASA) to sign formal agreements. Sub-entities (Sub-AUA/Sub-KUA) are also required to enter joint undertakings. These agreements include strict policy guidelines governing Aadhaar use, and any failure to comply can lead to financial disincentives, penalties, or removal from UIDAI's ecosystem.
With the rise of digital identities globally, how does UIDAI benchmark Aadhaar's technological infrastructure against similar systems worldwide?
Following the successful implementation of Aadhaar, numerous developed and developing countries have recognized digital identity as a foundational digital public infrastructure (DPI) for effective governance. To stay aligned with global advancements, UIDAI actively monitors evolving technologies such as verifiable credentials, selective disclosure mechanisms, and digital identity wallets. However, any adoption of these enhancements is done in a carefully calibrated manner to ensure adherence to UIDAI's core principles of simplicity, inclusivity, and security, without compromising the integrity of its identity framework.