New regulations make Aadhaar offline verification more secure, safe, and tamper-proof!

UIDAI has issued some regulations regarding the use of the offline verification facility under Regulation 16A of the Aadhaar (Authentication and Offline Verification) Regulations, 2021.

Published on 29 April 2022


Let's Understand Aadhaar in Depth


Aadhaar is a 12-digit identification number issued free of charge to all residents of India. It is unique and verifiable because it combines a person's unique biometric details, including iris scans and fingerprints, with demographic information, including date of birth and address, which together separate that person from the rest of the world's population.


The Aadhaar number holds no intelligence, nor does it profile people based on caste, religion, income, health or geography. Aadhaar numbers are valid proofs of identity, but they do not confer citizenship or domicile on their holders. The Unique Identification Authority of India (UIDAI) is the governing body that oversees the distribution and administration of Aadhaar numbers throughout India, and it enacts regulations and issues circulars regarding the use of Aadhaar cards as official identification and verification documents.


In a morale-boosting development, the UIDAI reports that more than 99% of the population now possesses Aadhaar cards, reaching 1,326,248,927 as of 4th March 2022.


Aadhaar (Authentication and Offline Verification) (First Amendment) Regulations, 2022 were published by the Unique Identification Authority of India on February 4th, 2022, to modify and update the Aadhaar (Authentication and Offline Verification) Regulations, 2021.


This amendment defines the terms Aadhaar letter, Aadhaar PVC card, Digital signature, and e-Aadhaar.


The amendment also inserts Regulations 16B and 16C after Regulation 16A. They address voluntary usage of the Aadhaar number and the conditions for accepting Aadhaar numbers as proof of identity, respectively.



Different Forms of Aadhaar:


Based on the above amendment, let's look at the different types or forms of the Aadhaar card:


Aadhaar Letter


The Aadhaar Letter is a laminated paper-based document with a secure QR code that embeds the issue date and printing date of the Aadhaar. It is sent to residents free of charge by ordinary mail as a confirmation of new enrollment or mandatory biometric update. 

 

e-Aadhaar 


e-Aadhaar is a password-protected electronic copy of the Aadhaar letter, which is digitally signed by the authority and contains a QR code for offline verification as well as the issue date and download date. You can download e-Aadhaar or masked e-Aadhaar from UIDAI's official website or mobile application by using your registered mobile number. Only the last four digits of the Aadhaar number are displayed on the masked version. Every Aadhaar enrolment or update generates an e-Aadhaar, which is free to download.


mAadhaar


It refers to the official mobile application devised by the authority in order to provide Aadhaar number holders with an easy-to-use, intuitive interface through which they can carry their Aadhaar details as registered with CIDR, including their Aadhaar number along with their demographic information and photograph.


What is CIDR? The Central Identities Data Repository (CIDR) is a centralized database, in one or more locations, containing all Aadhaar numbers issued to Aadhaar number holders along with their corresponding demographic and biometric data and other relevant information. mAadhaar is a digital version of Aadhaar that can be installed on mobile devices. mAadhaar is available on Google Play and iOS for download on residents' mobile devices.


mAadhaar includes a QR code for offline verification. In the same way as e-Aadhaar, mAadhaar is generated automatically with every Aadhaar enrolment or update and can be downloaded for free.


Aadhaar PVC Card


An Aadhaar PVC card is a polyvinyl chloride card (PVC), issued by the Authority upon payment of prescribed charges, that contains an Aadhaar number, demographic information, and photograph of the Aadhaar number holder, in addition to the Aadhaar Secure QR code, and is equivalent to a paper-based Aadhaar letter.


As it is the size of an ATM card or debit card, it can be easily carried in a wallet, as opposed to the long Aadhaar letter. The card is safe, secure, easy to carry, and durable. Since the Aadhaar PVC card is completely weather-proof, you can now take it anywhere without worrying about it getting damaged by rain.


It can be verified online instantly. It also has the latest security features: a hologram, ghost image, Guilloche pattern, and microtext.


Aadhaar XML or Aadhaar Paperless Offline e-KYC


Aadhaar XML is a digitally signed, machine-readable XML document that is encrypted and shareable. It is used to establish and authenticate the identity of the cardholder entirely offline, and it can be stored on a laptop or phone once obtained from the UIDAI website. Aadhaar XML is also known as Aadhaar Paperless Offline e-KYC.


Once downloaded, the holder can offer it to agencies that require his/her KYC as identity proof, in order to avail of the goods and services they provide.


The Aadhaar XML file is digitally signed by the UIDAI so that its authenticity can be verified and validated and any meddling or tinkering with vital information is prevented.


As per UIDAI, residents can choose to use any form as per their convenience and discretion. All forms of Aadhaar (Aadhaar letter, e-Aadhaar, mAadhaar, Aadhaar XML, and Aadhaar PVC card) shall be accepted as valid proof of identity with due validation, without giving any preference to one form over the other.



Different Types of Aadhaar Card Verification



Now let us understand the two types of services UIDAI provides to “Requesting Entities”, that is, entities that connect to the UIDAI Central Identities Data Repository (CIDR).


Aadhaar Authentication


Aadhaar authentication is the process by which the Aadhaar number, along with the demographic or biometric data of the Aadhaar cardholder, is submitted to the UIDAI's Central Identities Data Repository. The CIDR matches and verifies the information presented, determines its validity and authenticity, and returns a simple response in the form of Yes/No.


Aadhaar eKYC


Innumerable instances require instant KYC. This process enables the provider to access your personal information from the UIDAI database, such as name, address, gender, date of birth, etc., and verify it themselves to establish your identity. Aadhaar-based e-KYC works the same way as KYC documents do for establishing your identity, except that it is a completely digital process.


Essentially, it is a paperless, consent-based authentication of an individual's identity. Because eKYC is voluntary, you are under no obligation to do it if you feel uncomfortable about your personal information being accessed by the service provider.



Offline Verification / Offline eKYC


The Aadhaar regulation defines the following as types of offline verification:


  • QR Code verification as per the specifications provided by the Authority from time to time;
  • Verification of the Aadhaar Paperless Offline e-KYC, as specified by the Authority from time to time;
  • E-Aadhaar verification, which may be carried out in accordance with specifications given by the Authority from time to time; and
  • Offline paper-based verification, which may be performed by the entity. The concerned entity shall verify the authenticity of the Aadhaar letter submitted by the resident. A paper copy of the Aadhaar number holder's consent must be submitted by the resident to the entity.
  • The Authority may introduce other types of offline verification from time to time.


Regulations regarding the use of offline verification facility


UIDAI has issued some regulations regarding the use of the offline verification facility under Regulation 16A of the Aadhaar (Authentication and Offline Verification) Regulations, 2021. Here is what it entails:


  • The Offline Verification Seeking Entity (OVSE) may use the offline verification facility provided by UIDAI for retrieving the full spectrum of offline Aadhaar data of the Aadhaar number holder only for the purpose unambiguously and explicitly specified by the Aadhaar number holder at the time of verification.


  • Offline Verification may be performed only by the OVSE or the person designated to perform it. Offline Verification cannot be undertaken on behalf of any entity or person, in contrast to Yes/No Authentication whereby the requesting entity may allow any other agency or entity to perform Yes/No authentication by generating and sharing a separate license key for each entity through the portal or through any other method provided by the Authority to the requesting entity. Fintech players like Karza do act as a third-party service provider to enable XML fetch and initial verification but do not fall within this ambit as they are not the ones actually verifying the XML which is done again by the OVSE.


  • An OVSE may store Offline Aadhaar data of Aadhaar number holders upon their explicit and succinct consent, and upon withdrawal of the consent, the OVSE shall delete the entire data and notify the Aadhaar number holder.



Overview of Frauds using Aadhaar


In the past, the requestor would glance at the Aadhaar card and casually compare some of the details on it with the details provided by the applicant/consumer. Consequently, news agencies have reported a large number of cases in which fake and forged Aadhaar information facilitated frauds and unscrupulous activities.


Aadhaar could thus be a pathway to identity fraud resulting from identity theft. Aadhaar has been used for a wide range of illegal, deceitful purposes: carrying out land transfers, procuring passports, getting loans, casting votes, obtaining other IDs, siphoning off ration grains, etc., without the knowledge or consent of the actual Aadhaar number holder.


Typically, frauds committed using Aadhaar involve identity theft, where Aadhaar details have been changed or forged by changing photographs and names and taking scans.


While a majority of the cases involved a single person or a few persons indulging in petty frauds, a third of the cases involved rackets in which fake and forged Aadhaar cards were being mass-produced. The methods involved in these cases varied. The two most common were Aadhaar numbers being issued on the basis of fake, forged, and spurious documents, and details on the Aadhaar card, such as names and photographs, being forged using rudimentary editing and printing techniques, enough to befuddle the UIDAI authorities.


Insertion of new Regulations 16B and 16C


For curbing the frauds outlined above, the UIDAI has enacted regulations 16B and 16C, which require the following:


An Aadhaar number holder may voluntarily use Aadhaar in physical form, such as an Aadhaar Letter, printed e-Aadhaar or Aadhaar PVC card, or in electronic form, which includes e-Aadhaar, Aadhaar XML or mAadhaar, for establishing his/her identity as part of Offline verification. The OVSE must verify the printed details on the physical form of Aadhaar, and the details embedded in the Aadhaar card in electronic form, using the digitally signed Aadhaar Secure QR code.


Regulation 16C further emphasizes the requirement for a Secure QR code validation by stating explicitly that:


  • No OVSE can accept the Aadhaar number in physical or electronic form as valid proof of identity without first verifying the digital signature of the UIDAI Authority incorporated in the Aadhaar secure QR code.


In simple words, no Offline Verification Seeking Entity can accept an Aadhaar Letter, Aadhaar PVC card, printed e-Aadhaar, e-Aadhaar, Aadhaar XML, or mAadhaar without scanning and validating the secure QR code contained in the document.


Also, a new Secure QR code containing demographic data and a photo of the Aadhaar cardholder has replaced the existing QR code on Aadhaar, which contained only demographic data. The QR code contains secure and tamper-proof information as it is digitally signed by UIDAI.


Only the UIDAI Custom Client for desktops/laptops can read this newly signed QR code and validate it in real time against UIDAI digital signatures. Hence, any attempt to commit fraud using Aadhaar can be easily detected by scanning QR codes.


The Video KYC Perspective 


Let us understand the impact on Video KYC or V-CIP. But what is VKYC? Video KYC is a customer identification and due diligence process that enables banks and other financial institutions to perform customer KYC remotely by undertaking an encrypted audio-visual interaction with the customer to obtain and verify identification information. It is the only method available to execute a full KYC remotely.


As per the Reserve Bank of India (RBI) circular, in the event of offline verification of Aadhaar utilizing an XML file or Aadhaar Secure QR Code, it shall be ensured that the date of generation of the XML file or QR code is no older than three days from the date of V-CIP. You can identify this by scanning the digital signature on the e-Aadhaar copy.


As of now, it is mandatory to scan and validate the Secure QR code incorporated in all forms of Aadhaar. However, the Secure QR code on Aadhaar in its physical form (Aadhaar Letters or PVC cards) does not have such a generation date for validation. We need to see whether RBI changes the rule, i.e. that the date of generation of the QR code should not exceed 3 days, or whether RBI insists on keeping the rule, i.e. that even the printed copies in physical form should contain the digital signature of the UIDAI authority, not exceeding 3 days.


Conclusion


It will be interesting to see what transpires in the next few days. Regardless, scanning and validating the Secure QR code of any form of Aadhaar can certainly hamper the efforts of fraudsters looking to milk money by taking advantage of any loopholes in the Aadhaar ecosystem.
