Worried your Aadhaar is hacked? Five steps to check authentication history

UIDAI's service is akin to bank passbook entries; you can raise a red flag if you suspect misuse; problem: hacker's identity remains hidden

To improve the security of Aadhaar, the Unique Identification Authority of India (UIDAI) recently started offering a service that lets a user check the history of Aadhaar authentication. The account holder can check if any anyone tried to authenticate his Aadhaar using biometric, one-time password (OTP) or demographic details.

The service lets you keep a track of authorised and unauthorised verifications on your account. “Think of this service like debit and credit entries on your bank passbook that helps to keep a tab on the money in your bank. If you see an unauthorised authentication on your Aadhaar account, you can raise a red flag,” says Prashant Mali, an advocate and international cyber law and cybersecurity expert.

Take the example of recent misuse of Aadhaar by a payments bank, which is a subsidiary of a telecom company. When customers linked their Aadhaar with their mobile number, allegedly retailers also used the details to open payments bank accounts without “informed consent” of the telecom customers. 

While the service helps users to know the history of authentication, it’s not user-friendly. The service doesn’t mention who tried to authenticate records. Instead of the name, it gives a code of the institution/service provider that tried to authenticate your account.

To access the record, you need to go to the ‘Aadhaar Authentication History’ under ‘Aadhaar Services’ section on the UIDAI website. You can check either biometric, OTP or demographic authentications individually or select ‘All’ to see them on one page. The service allows you to check up to 50 transactions over the last six months. In the record, you can see the date and time of transactions and also whether they were authorised or not. Also, there are no details of the institution that attempted to verify the details. Instead of the name, it gives an alphanumeric 'response code'.

So, how do you know if the authorised transactions were initiated with your consent? One way is to go to your inbox and check if there were corresponding emails from UIDAI for Aadhaar authentication if your email is registered with them. You can use the ‘response code’ from the history to match it with the one mentioned in the email from UIDAI.

While the OTP and biometric authentications are limited and easy to check, some users may see a lot of failed entries for demographic authentication. “Don’t be alarmed with the number of failed entries. It is possible that if someone has linked Aadhaar with bank or wallet, their servers can try to authenticate you for KYC (know your customer),” says Mali. An individual should be concerned only with authentications that ‘passed’.

If there are successful transactions that you don't recognise, contact UIDAI by calling 1947 or by forwarding the details to help@uidai.gov.in. “When it comes to Aadhaar, there are limited grievance redressal mechanisms. You can only do it by phone or by sending an email to UIDAI. There’s no other way or next level authority in case your grievance is unresolved,” said Gopal Krishna, convener of Citizens Forum for Civil Liberties, which campaigns against surveillance technologies.

To prevent misuse of Aadhaar, the best way is to lock your biometrics. While an individual can do it online on the UIDAI website, it’s much easier to do it on the Aadhaar app. You can unlock biometric verification whenever you need to.