OTP authentication better than biometric for Aadhaar verification: HC told

The Delhi High Court on Thursday suggested incorporating recommendations, like using OTP authentication instead of biometric, given by two amicus curiae to plug a "loophole" in the Aadhaar verification system that had been misused by a mobile shop owner to issue fresh SIM cards in the name of unwary customers for use in fraudulent activities.

The shop owner, during Aadhaar verification of a SIM, used to make the customer give his thumb impression twice by saying it was not properly obtained the first time and the second round of authentication was then used to issue a fresh connection which was handed over to some third party, the high court had earlier noted while initiating a PIL on the issue.

A bench of Chief Justice Rajendra Menon and Justice I S Mehta, on Thursday, took on record the report submitted by senior advocate Dayan Krishnan and advocate Rushab Aggarwal who were appointed as amicus in the case to assist the court.

The bench also asked the Centre, Delhi government and the Unique Identification Authority of India (UIDAI) to file their response to the report and listed the matter for hearing on February 12.

"We feel it (suggestions) should be incorporated," the bench said.

In their joint report, the two lawyers have said that OTP authentication should be the preferred method instead of using biometrics where "security concerns are more pronounced" and "loopholes are easily accessible".

They said that biometrics should be only requested where it is essential.

The report also said there should be a "cooling off period" between authentications, "to ensure that if multiple authentications take place in quick succession the UIDAI systems would not respond, and thus effectively blocking loopholes as is highlighted in the instant case".

The other suggestions proposed in the report were that FIRs in such cases should be forwarded by the investigating agencies to UIDAI so that it has information of these loopholes and can create methods to address them.

The UIDAI should also file a complaint under the Aadhaar Act to ensure prosecution to the fullest extent of the persons who carry out such activities, the report said.

The two lawyers have also suggested that "incidents of this nature must be given wide publicity through both the UIDAI and the investigating agency as the scope/ nature of the breach cannot be adequately assessed without all concerned parties being put to notice.

"This would enable the general public to assess whether they were also victims and to take remedial action if necessary."