Paper 2022/481

India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities

Pratyush Ranjan Tiwari, Dhruv Agarwal, Prakhar Jain, Swagam Dasgupta, Preetha Datta, Vineet Reddy, and Debayan Gupta


India's Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India's 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity - a 12-digit Aadhaar number - using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.

Available format(s)
Publication info
Published elsewhere. Minor revision.Financial Cryptography and Data Security (FC) 2022
Biometric authenticationBiometric IdentificationApplicationsIdentification Systems Security & Privacy
Contact author(s)
pratyush @ cs jhu edu
t-dhaga @ microsoft com
debayan gupta @ ashoka edu in
2022-04-23: revised
2022-04-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Pratyush Ranjan Tiwari and Dhruv Agarwal and Prakhar Jain and Swagam Dasgupta and Preetha Datta and Vineet Reddy and Debayan Gupta},
      title = {India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities},
      howpublished = {Cryptology ePrint Archive, Paper 2022/481},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.