Ashok approaches an Airtel store to purchase a sim card. He provides his Aadhar number. Customer service executive asks him to verify his biometrics(fingerprint). These details are sent to the UIDAI’s computers which verifies that produced information is correct. Ashok walks out with his sim card.

Here is the problem. Think of Aadhar number as Ashok’s username and biometrics(fingerprint) his password. He has given away this information to Airtel’s customer executive. Now, the customer executive can reuse this information to issue another sim card in Ashok’s name without his consent. Just like, giving away your Facebook’s username and password to someone can lead to its misuse.

If your Facebook’s password is compromised the solution is simple, you change the password. But, in the case of Aadhar, we can’t change our fingerprint. Aadhar number can’t be changed because it’s permanent. Hence, UIDAI(Unique Identification Authority of India) introduced a new parameter, Virtual ID.

Virtual ID is a randomly generated 16 digit number eg. “9984939494939593”. You can generate multiple Virtual IDs from your Aadhar portal. Now, Ashok can share his Virtual ID and biometrics to receive a sim card. Once the verification process is complete, Ashok can generate a new Virtual ID, the old ID will no longer be valid. This would prevent the customer executive from reusing it. This is a good step (Security 101). But, this doesn’t eliminate all concerns like UIDAI claims.

Imagine UIDAI’s system as a house with five doors. Security of one of them is strengthened. Rest of them are still weak.

Hopefully, they will secure them.