Using Aadhaar (India’s biometric authentication system) to verify a person’s identity is relatively secure, but using it to authenticate a transaction is extremely problematic. Every other form of authentication is bound to a specific transaction: I sign a document, I put my thumb impression on a document, I digitally sign a document (or message, as the cryptographers prefer to call it). In Aadhaar, I put my thumb (or other finger) on a fingerprint reader, and not on the document that I am authenticating. How can anybody establish what I intended to authenticate, and what the service provider intended me to authenticate? Aadhaar authentication ignores the fundamental tenet of authentication that a transaction authentication must be inseparably bound to the document or transaction that it is authenticating. Therefore, using Aadhaar to authenticate a transaction is like signing a blank sheet of paper on which the other party can write whatever it wants.
All this was brought home to me when I bought a new SIM card recently and was asked to authenticate myself with a fingerprint. The employee of the telecom company told me that there was a problem and I needed to try again. Being a little suspicious, I stretched forward and twisted my neck to peep at the computer screen in front of the employee (this screen would otherwise not have been visible to me). My suspicion was allayed on seeing an error message on the screen, and I tried again only to get the same error message. After three attempts, the employee suggested that I come again the next day. Back home, I saw three emails from UIDAI (Unique Identification Authority of India) stating “Your Aadhaar number ___ was used successfully to carry out e-KYC Authentication using ‘Fingerprint’ on ___ at ___ Hrs at a device deployed by ___.” Note the word successfully.
That is when I realized that the error message that I saw on the employee’s screen was not coming from the Aadhaar system, but from the telecom company’s software. That is a huge problem. This conclusion was corroborated the next day when after one more error message, I found that the employee had left one field in the form partially filled and the error message disappeared when that was corrected.
Let us think about why this is a HUGE problem. Very few people would bother to go through the bodily contortion required to read a screen whose back is turned towards them. An unscrupulous employee could simply get me to authenticate the fingerprint once again even though there was no error, and use the second authentication to allot a second SIM card in my name. He could then give me the first SIM card and hand over the second SIM to a terrorist. When that terrorist is finally caught, the SIM that he was using would be traced back to me and my life would be utterly and completely ruined.
Actually, even my precaution of trying to read the employee’s screen is completely pointless. The screen is not an inseparable part of the fingerprint reader. On the contrary, the fingerprint reader is attached by a flimsy cable to a computer (which is out of view) and the screen is purportedly attached to the same computer. It is very easy to attach the fingerprint reader to one computer (from which a malicious transaction is carried out) and attach the screen on the counter to another computer which displays the information that I expect to see.
Another way of looking at the same thing is that a rogue employee of the telecom company could effortlessly execute what is known in computer security as an MitM (Man in the Middle) attack on the communication between me and the Aadhaar system. In fact, I see some analogies between the problem that I am discussing and the MitM attack described by Nethanel Gelernter, Senia Kalma, Bar Magnezi, and Hen Porcilan in their recent paper (h/t Bruce Schneier). Neither I nor the Aadhaar system has any way of detecting or foiling this MitM attack.
I think the whole model is fundamentally broken, and Aadhaar should be used only to verify identities, and not to authenticate transactions. Transaction authentication must happen with a thumb impression, a physical signature, a digital signature or something similar that is inseparably bound to a document.
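The distinction drawn in the opening paragraph and restated here (an identity check that says only "this finger matches" versus a proof computed over the document itself) can be made concrete in a few lines. The following is an added example, not code from the post or from UIDAI; it uses an HMAC with a constructed per-resident secret as a stand-in for a digital signature or thumb impression on the document, and constructed SIM-allotment transactions. It replays the SIM-counter story under both models and shows that the unbound "success" can be attached to a second allotment, while a transaction-bound proof fails verification against any document other than the one it was made for.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed example secret: stands in for "something only this person can
# produce" (the biometric match). This is an assumption of the example, not a
# description of how UIDAI stores or matches fingerprint templates.
RESIDENT_SECRET = b"constructed-secret-for-resident-0001"

# Two constructed transactions the telecom clerk might submit. The resident
# intends only the first one.
SIM_FOR_ME = b"allot SIM 1 to resident 0001"
SIM_FOR_SOMEONE_ELSE = b"allot SIM 2 to resident 0001"


def authority_says_match(secret: bytes, presented: bytes) -> bool:
    """Identity-only authentication, the Aadhaar model described in the post:
    the authority answers 'does this finger match this number?' and nothing
    about the transaction enters the answer."""
    return hmac.compare_digest(secret, presented)


def clerk_records(auth_ok: bool, transaction: bytes) -> Optional[Dict[str, bytes]]:
    """The relying party attaches the yes/no answer to any document it likes.
    The answer carries no information tying it to a particular transaction,
    so a second 'try again' press can back a second SIM allotment."""
    if not auth_ok:
        return None
    return {"transaction": transaction, "evidence": b"authority: success"}


def sign_transaction(secret: bytes, transaction: bytes) -> bytes:
    """Transaction-bound authentication (HMAC as a stand-in for a digital
    signature): the proof is computed over the document, so it is worthless
    for any other document."""
    return hmac.new(secret, transaction, hashlib.sha256).digest()


def verify_transaction(secret: bytes, transaction: bytes, proof: bytes) -> bool:
    """Recompute the proof over the document presented for verification; a
    proof made for a different document fails here."""
    expected = sign_transaction(secret, transaction)
    return hmac.compare_digest(expected, proof)


def scenario() -> Dict[str, bool]:
    """Replay the post's SIM-counter story under both models and report
    whether the unintended second allotment is accepted."""
    # Unbound model: the resident presses twice after a fake 'error'.
    first_press = authority_says_match(RESIDENT_SECRET, RESIDENT_SECRET)
    second_press = authority_says_match(RESIDENT_SECRET, RESIDENT_SECRET)
    unbound_first = clerk_records(first_press, SIM_FOR_ME)
    unbound_second = clerk_records(second_press, SIM_FOR_SOMEONE_ELSE)

    # Bound model: the resident's own device signs the document it displays.
    proof = sign_transaction(RESIDENT_SECRET, SIM_FOR_ME)
    bound_first = verify_transaction(RESIDENT_SECRET, SIM_FOR_ME, proof)
    # The clerk tries to reuse that proof for the second allotment.
    bound_second = verify_transaction(RESIDENT_SECRET, SIM_FOR_SOMEONE_ELSE, proof)

    return {
        "unbound_intended_sim_accepted": unbound_first is not None,
        "unbound_second_sim_accepted": unbound_second is not None,
        "bound_intended_sim_accepted": bound_first,
        "bound_second_sim_accepted": bound_second,
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {accepted}")
```

The binding only helps if the document that gets signed is the one the resident actually sees, on a device the resident controls: if the text to be signed is rendered on the counter screen and signed on the counter computer, the split-screen arrangement described above defeats it just as easily, which is why the example has the resident's device, not the clerk's, compute the proof.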