Here's a 9-point explainer on how Virtual ID is supposed to work - and whether it addresses security concerns. The Economic Times reported that, following the article, UIDAI restricted the access of all designated officials, numbering about 5,000, to the said Aadhaar portal.
The VID will be temporary, and it will not be possible to derive the Aadhaar number from the VID. However, the new system of KYC does not require the Aadhaar number.
"Virtual ID will be a temporary, revocable 16 digit random number mapped with the Aadhaar number". This, UIDAI said, will reduce the collection of Aadhaar numbers by various agencies.
The Aadhaar-issuing body will start accepting the "Virtual ID" from March 1, 2018. It also added a safety feature to ensure only need-based sharing of information, by way of a limited KYC, even as it mentioned that the system and data were safe. The report says that the virtual Aadhaar ID will have 16 digits and that this will be the only information that any agency or entity doing authentication will have.
As per the circular, a virtual ID will be valid for a defined period of time and every time a new one gets generated by the user, the older one gets automatically canceled.
The flaw, according to a Hindustan Times report, is based on the USSD (Unstructured Supplementary Service Data) that was publicly shared by UIDAI in December and tells the user whether their bank account has been linked with their Aadhaar number or not. To use the IVR verification option, your mobile number has to be registered with the UIDAI database, and your Aadhaar card and mobile number should be from the same state.
The announcement of the virtual Aadhaar ID comes days after the newspaper Tribune exposed how insecure the Aadhaar authentication system was and how it was leaking information of over a billion Aadhaar holders, including their Aadhaar number and demographic details.
UIDAI has been on the radar of various media agencies for some time now.
In a tweet, he said: "Under compulsion, millions of persons have already shared Aadhaar number with many service providers". There were further news reports of police reports being filed against the reporters, which were denied by UIDAI and MeitY. Having your Aadhaar and bank account details just lends the attacker more credibility. But it later allowed Bharti Airtel to resume Aadhaar-based e-KYC verification of telecom subscribers till January 10 to facilitate linking of Aadhaar with mobile SIMs as per a Supreme Court directive. Subsequently, UIDAI temporarily barred Airtel and its payments bank service from using Aadhaar to verify users.