Everything you need to know about AUAs and KUAs

Prabhat Nigam

31 Mar, 2022

According to the provisions of Aadhaar Act, 2016, a requesting party could be a person or an agency that submits Aadhaar number and demographic information or biometric information of an individual to Central Identities Data Repository (CIDR) for the purposes of authentication. These requesting entities could be authentication user agency (AUAs), e-KYC User agency (KUAs). This piece of information talks about the meaning of AUAs and KUAs along with their requirements related to appointment and security.    

What is an AUA?

An authentication user agency (AUA) is an entity which is engaged in the service of proving Aadhar Enabled Services to the Aadhaar number holders. These entities use authentication which is facilitated by the Authentication Service Agency (ASA). An AUA can be private/ public/ government legal agency which is registered in India which uses Aadhaar authentication services provided by Unique Identification Authority of India (UIDAI) and sends the authentication requests to enable its business/service functions.

Another question props up what are Sub AUAs?

Sub AUAs are agencies which use Aadhaar authentication to enable its services through an existing requesting entity.   

What is meant by KUAs?

Before understanding the concept of KUAs, let us first understand the meaning of e-KYC Service Agency (KSA). KSAs are entities that are having connectivity with UIDAI’s Central Identity’s Data Repository (CIDR) and share the Demographic profile of Aadhaar Card holder to the KUAs for the purposes of authentication.

KUAs or e-KYC User Agency (KUA) is an entity which requires the authentication of Aadhaar card in terms of Biometric data of the Aadhaar Card holder from e-KYC Service Agency (KSA).

Both AUAs and KUAs are requesting entities which connect to the CIDR through an Authentication Service Agency (ASAs) [are those entities that have secured leased line connectivity with CIDR. ASAs transmit authentication requests to the CIDR on behalf of one or more than one AUAs. An ASA then enters into a formal contract with the UIDAI]. They either become an ASA on their own or by contracting services of an existing ASA.

Appointment of AUAs and KUAs [Appointment of Requesting Entities]

• Those entities who wish to become requesting entities and intending to use the authentication facility provided by the Authority, shall have to apply for appointment as requesting entities in accordance with the procedure that has been laid down by the Authority for this specific purpose. Only those entities that fulfil the criteria provided in the schedule A are allowed to apply for this appointment. The eligibility criteria provided in the Schedule A can be modified by the Authority from time to time.
• The Authority has the right to seek further information and clarification from the applicant regarding the matters which are relevant to the activity of the requesting entity which the Authority may deem necessary in their task of considering or disposing off the application.
• It is the duty of the applicant to submit the clarifications and other relevant information sought by the authority and that too within the time that has been specified by the Authority for this purpose.
• The Authority at the time of granting appointment to AUAs and KUAs shall be considering the application submitted, the information that has been submitted by the applicant and its eligibility. The Authority then verifies the information thorough physical verification of the documents, technological support and the infrastructure which the applicant is required to have.
• Once the Authority has done the verification of the application and the other information submitted by the applicant along with its eligibility, the Authority may:

1. Approve the application of the requesting entity as the case may be; and
2. Enter into appropriate terms agreements with the entity or agency and then incorporate the terms and conditions for use by the requesting entities of the Authority’s authentication facility and also including the disincentives and damages for non-performance of obligations.

• The Authority has got the power to determine the fees and charges from time to time to be payable by entities at the time of their appointment. Variations can also be made in the application fees, annual subscription fees and fees for individual authentication transactions.   

What are the mandatory security requirements?

• The Aadhaar number should never be used as a domain specific identifier. 
• Where the operator assisted devices are being used, operators should be authenticated using mechanisms such as the password, Aadhaar authentication etc.
• The Personal Identity Data (PID^[1]) block which is captured for the purposes Aadhaar authentication should be encrypted at the time of capture and should never be sent in the unencrypted form over a network.
• It is advised not to store the encrypted PID block unless it is for buffered authentication for a short period currently configured at 24 hours.
• OTP data or Biometric data which is captured for the purposes of Aadhar authentication should not be stored on any of the permanent storage or database.
• The responses and the meta data should be logged for the purposes of audit only.
• The network between an ASA and AUA should be secure.

Read our Article:All you need to know about Payroll Compliances in HR in India