Digital identity in developing countries: a comparative perspective

How Oman’s smart card could help bridge gaps in India’s Aadhaar digital ID

According to an OECD study, digital identity (DID) systems can be classified in four categories: browser-based, mobile-based, smart card-based and biometrics-based.

Countries may (and often do) combine several of these solutions to provide citizens with proofs of identity through different channels and in different contexts. Ultimately, however, what determines the nature of a DID system are its identity verification (authentication) options. These, in turn, have important repercussions on the inclusiveness and use cases of the DID.

This article investigates whether a smart-card based regime like that of Oman could help overcome the authentication challenges of Aadhaar, India’s biometrics-based DID.

The limits of Aadhaar’s authentication system

Aadhaar is considered a biometrics-based system because fingerprint and iris scans are its ultimate, albeit not its only, authentication option. Depending on the context, other methods are available:

• One-Time-Password (OTP), obtained by SMS or in the mAadhaar app
• QR code, generated in mAadhaar (not available for procedures like e-KnowYourCustomer)
• Demographic information (also not available for e-KYC)
• Multifactor authentication (a combination of any two options above)

To verify their identity, individuals submit their Aadhaar number and selected attribute (e.g. fingerprint) to the Central Identities Data Repository (CIDR) for verification. Based on the presence or absence of a match, a yes/no notification is sent to the authentication device. Such system gives rise to at least three authentication problems, which are particularly acute in remote rural areas:

• Biometrics failure: fingerprints and/or irises might be damaged or made unreadable by manual work, illness, and disability before they are registered or updated;
• Connectivity failure: telephone and internet signal might falter, preventing the functioning of mobiles and/or Point of Service (POS) devices;
• Lack of personal SIM card and/or smartphone among the poorest.

The perks of the Omani model

The Omani e-ID is a smart card-based system which relies on electronic certificates rather than feature matching to verify individuals’ identity. Smart cards are in fact equipped with a chip containing a digital certificate with the owner’s identity attributes. Such certificate is issued by the national Public Key.

Infrastructure (PKI), which operates as National Digital Certification Centre (NCC). The certificate may also be contained in a PKI-enabled SIM card.

To authenticate, individuals must couple their smart card or PKI-enabled SIM card with a 6-digit PIN provided by the Royal Omani Police upon issuance of the DID. This generates a request to the NCC, which signs and issues a digital authentication certificate containing the citizen’s public key and identity information, alongside a legally valid electronic signature certificate.

The Omani system would effectively address Aadhaar’s authentication problems. First, the Omani e-ID is not subject to biometric authentication failures. Since it relies on e- certificates rather than fingerprint/ iris scanning and matching, biometric damage is not an obstacle to identity verification and thus access to services. Second, the Omani e-ID is not subject to connectivity problems. By relying on Near Field Communication (NFC) technology, smart cards can be read by POS devices even in place with little or no internet coverage. Third, the mobile Omani e-ID is an optional rather than the main fallback in case of authentication failure. This prevents the exclusion of those who don’t own a smartphone and/or SIM card.

Challenges to the Omani model

The greatest limitation to the implementation of an Omani-style DID in India is the use of PIN numbers, which is incompatible with the low numeracy rates of rural areas. Another major obstacle is the overreliance on smart cards: in case of lost or damaged card, individuals who could or did not want to get a mobile e-ID are left with no immediate alternative. Smart cards are also more expensive than traditional ID cards: this cost is often diverted to citizens in Western countries, but in India it would probably be borne by the government to ensure adoption by the poor. Lastly, a transition towards a certificate-based system could prove technically and legally difficult: on the one hand, it would require an overhaul of Aadhaar architecture; on the other, it would make some of Aadhaar biometrics, e.g. iris scans, not necessary. Therefore, their collection may be challenged in Court as a disproportionate curtailment of the right to privacy.

Conclusion

The comparative analysis of Aadhaar and the Omani e-ID leads to three, interlinked conclusions. First, the fundamental problem with Aadhaar authentication is that the Indian DID was rolled out before internet coverage, numeracy, (digital) literacy, and smartphone penetration had been fully attained. Consequently, an Omani-style DID in India would not be a conclusive alternative, as underlying issues would persist, and new ones may arise. The ideal solution might therefore lie in the middle: several scholars advocate for biometric smart cards, which overcome both connectivity and smartphone/SIM card ownership problems and have a strong track record in Indian States like Andhra Pradesh. To be effective, such cards should be an additional, rather than a substitute, means of authentication. The problem of biometric damage, instead, might require a different strategy, e.g. the organization of identity attributes update campaigns.