Digital Identity Spotlight: India
India’s Modi government has launched a mobile app that brings facial biometrics and enhanced privacy controls to its Aadhaar system, the national identity verification service used for everything from accessing public services to booking travel to opening bank accounts. It may also provide important lessons for a growing number of other digital identity initiatives worldwide.
Introduced in limited beta on April 8, the Aadhaar app is just the latest advancement for India’s ambitious Digital Public Infrastructure (DPI)—the so-called “India Stack” that has successfully helped boost financial inclusion across this country of 1.4 billion people, spur innovation, and supercharge a digital economy that’s second only to China in its pace of growth, and could soon be valued at $1 trillion.
Based on four API-enabled “layers”—identity, documents, payments, and empowerment—the India Stack began taking shape in 2009, and has rapidly become the centerpiece of a digital transformation effort expected to propel India’s overall GDP to $8 trillion by 2030. But as its latest advancement in digital identity gains the attention of governments racing to catch up, it’s worth noting that India’s technological head-start goes way back—thousands of years, in fact.
From the Vedas to Aadhaar: A Legacy of Innovation
Bounded by the Indian Ocean to the south, the Arabian Sea to the southwest, and the Bay of Bengal to the southeast, this South Asian country’s traditions have always strongly embraced advanced technology, and the sanctity of an unalterable identity tied to the social good.
Its ancient Vedic texts and their stories of vimanas (flying chariots), Brahmastra (energy weapons), Ayurvedic medicine, and mathematics have long inspired, when not directly forming the basis for, innovations ranging from nuclear energy to aeronautics to software architecture, network design and more. And its Sanskrit Puranas include tales of King Harishchandra, who staked his identity on an unwavering commitment to truth and righteousness.
Not bad as far as digital age backstories go. Yet even so, India’s digital transformation over the past 16 years has been remarkable. As France’s Institut Montaigne points out, the DPI has pushed India to the top of the digitalization index for tax collection among emerging market economies. From mega-cities like New Delhi to Mumbai and from rural villages of Himachal Pradesh to Bihar, the DPI is designed to serve the public good and has enabled society-wide transformation in the way India provisions social services. It has also expanded access to education and, increasingly, digital health and agricultural services. At the heart—or rather, the start—of it all: digital identity.
Digital Identity Forms the ‘Stack’s’ Foundation
Today, more than 94% of the Indian population has a digital ID. Combined with smartphone penetration of around 50% (interestingly, rural smartphone penetration is over 76%), Institut Montaigne estimates that more than three-quarters of the Indian population over the age of 15 has access to an account at a financial institution or via mobile wallet. In 2006, just 50% of Indian households had such access.
A significant contributor to the DPI’s success can be found in its building-block, or layered, approach, which includes three overarching layers:
Digital Identity (or ‘Presence-less’) Layer
Aadhaar, which literally means “foundation” in Hindi, formed the Stack’s all-important first layer. In 2009, Aadhaar began as a digital identity card that has been able to provide definitive proof of identity to nearly 1.3 billion citizens—including those in its most remote areas. Each Aadhaar card includes the individual’s name, address, gender, 12-digit unique identity number, and a photograph, and is backed by a fingerprint and iris biometric. What originally started with the vision of Direct Benefit Transfer (DBT), to ensure that mass subsidies reached the right hands, is today used for everything from accessing government services to travel bookings to banking, and more.
Digital Documents (or ‘Paperless’) Layer
Indeed, possession of a verified biometric identity, and the ability to build a financial history, proved to be a game-changer—paving the way for the Digital Public Infrastructure’s second layer: Aadhaar-enabled document storage and sharing. This includes a digital locker (or “DigiLocker”) for storing identity documents such as driver’s licenses, academic certificates, and more. Meanwhile, e-Sign and new e-KYC processes simplified access to financial services and ensured access to a basic savings and deposit account, credit, insurance, and a pension. Later, utilities and telecom companies were able to start piggybacking their services through this channel as well.
Digital Payments (or ‘Cashless’) Layer
In 2016, the next layer was added: an instant, real-time mobile payments system called the Unified Payments Interface (UPI), enabling users to transfer funds between two bank accounts, whether for government services, or business-to-business and business-to-consumer transactions. By 2023, the UPI had become the world’s largest real-time payments system in transaction volume, eclipsing PayPal, Brazil’s PIX, and even China’s Alipay. Today, 80% of all retail payments in India are made through this payment system. And overall, half the world’s daily digital transactions take place on the UPI. The statistics for 2024 are staggering: 172 billion UPI transactions (~46% growth y-o-y) transferred a total sum of INR 247 lakh crore (~US$2.9 trillion, showing a 35% growth y-o-y). Indeed, this Aadhaar-enabled system has been so successful, it’s being offered commercially to other nations as well.
Empowerment (or ‘Consent’) Layer
The final layer in the India Stack is a framework designed to give individuals control over their data, ensuring that personal data is only shared when they provide explicit consent. Users can approve, manage, and revoke consent agreements for data sharing with financial, health, and educational services. This “Data Empowerment and Protection Architecture,” or DEPA, enables individuals to securely share their financial data with chosen institutions through intermediaries called consent managers or Account Aggregators. In addition to reducing fraud due to its integration with Aadhaar, this can potentially enable Account Aggregators to confirm creditworthiness without sharing specific personal information—thus reducing bias.
Now, There’s an App for That–But Is It Enough?
The mobile app released in April brings all these layers into the physical world in new ways, making it easier for users to share their Aadhaar ID details digitally, without the need to present physical copies at airports, shops, hospitals, or hotels where ID details could be stolen or misused. ID verification is completed by scanning a QR code and allowing a real-time facial scan via their smartphone camera. Just as with online data sharing via the UPI, users can share only the necessary data, giving them more control over their personal information. The app arrives amid the rise of so-called super wallets—integrating Aadhaar-based identification, facilitating real-time bank transactions by UPI, and securely storing digital credentials. There’s no reason to think biometric identity verification for physical data sharing won’t soon be integrated as well.
But that’s not to say there aren’t challenges. Fraudulent QR codes for parking and other services have been used to scam citizens since the earliest days of the DPI. And just in recent weeks, authorities uncovered a nationwide scam involving fraudulent Aadhaar modifications, counterfeit documents, tampered biometric devices, and a fake Aadhaar portal used to make unauthorized changes to a victim’s Aadhaar information, such as changing a birthdate, or linking the Aadhaar account to a fraudster’s smartphone.
India-specific statistics are hard to come by, but globally, this kind of synthetic identity fraud led to as much as $3.2 billion in losses during just the first half of 2024. Incidents of new account fraud using synthetic identity info jumped 18% YOY during the same period—an all-time high. That said, its latest layer has the India Stack headed in the right direction—though it could be even stronger.
What Should Come Next
It’s hard to argue with the success of India’s full-throttle embrace of digital identity across its DPI. But there are some easy ways to make it even more powerful and secure.
For example: While the government has launched an unrelated stack called “Vishvasya” as part of an initiative to promote blockchain use, the India Stack does not yet use distributed ledger technology. In my view, digital identity’s fullest success can only be achieved through distributed technologies and the architectural advantages they offer. This is especially crucial given the country’s layered approach to leveraging digital identity. I believe the consent managers/Account Aggregators within the stack’s Empowerment layer are a step in the right direction—and their blind pass-through of personal information is key.
But distributed technologies hold the promise of a day when someone applying for a loan can choose, on their own, which personal information to share, instead of opening their entire financial lives to a lender or dealer financing department—unlocking the Stack’s potential to curb bias and truly enhance financial inclusiveness.
It also means they could one day share third-party trust scores that allow them to demonstrate creditworthiness without revealing any personal information at all—bringing the microbusiness opportunities afforded to women through Aadhaar-based mobile services to a whole new level, for example. Remote and in-person identity verification and authentication become far more secure as well—easily enabling differentiation between legitimate users and imposters hiding behind stolen or synthetic identities.
India’s adoption of liveness tests during authentication through its new app is an excellent first step. Let’s hope its beta is a massive success and it goes into wide release sooner rather than later. But that’s only if they do it right.
To maximize effectiveness, the Indian government should consider adopting global best practices and standards—such as NIST 800-63-3, FIDO2, and ISO/IEC 30107-3—for its digital identity infrastructure and related liveness testing. These can serve as a strong foundation while the country works toward developing its own standards in the future. Only then will they be able to defeat virtually any attempt at identity spoofing. I may be biased, but it seems fitting for a nation with a legacy of technological advances dating back to the Vedas—and I have to believe King Harishchandra would approve.
