Centre for Internet & Society

The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.

Introduction

This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that Aadhaar biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.

A background of the two standards

The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:

1. Compliant with the international standard ISO-7816 for smart cards.

2. Based on a public/private key and pin authentication factor

3. Authentication factor refers to an individuals keys, pass-phrases, and pin.

The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:

1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.

2. Based on a symmetric authentication factor

A comparison of the two standards

Standard
SCOSTA  -  MNIC smart card
Aadhaar Biometric  - UID number
Architecture
Decentralized
SCOSTA standards require a pair and key combination with a pin, and thus can be structured in a decentralized manner
Centralized
Aadhaar biometric standards require symmetric
authentication factors, and thus must be structured in a centralized manner
Standards for Technology
Open standard
Creates security through transparency
Closed standard
Creates security though obscurity
Points of failure
Multiple points of failure
The SCOSTA standard has multiple points of failure, because of decentralized structure, thus if one data base is compromised all data is not lost.
Single point of failure
The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost
Impact on local industry
Encourages
Open standards allow local industry to compete in manufacturing technology
Discourages
Closed standards allow foreign players to monopolize the manufacturing of technology
Cost analysis
Cost effective
Increased competition keeps prices low
Cost ineffective
Decreased competition keeps prices high
Revocation Revocable
If the key pair and  pin are stolen, a new set of passwords can be issued
Permanent
If the biometrics of an individual are stolen, they cannot be re-issued
Possibility of fraudulent authentication
Lower
A thief must steal your smart card and your secret pin to commit fraud
Higher
A thief only needs to collect your fingerprints using a glass tumbler to commit fraud
Viability of Technology Proven effective for large populations
Not proven effective for large populations