Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

Research Team (Tsaaro)
Published

Introduction
In today’s digital economy, reliable identity verification has become essential for accessing a wide range of services such as banking, telecommunications and commerce. In India, this need has largely been addressed through the Aadhaar system, which enables organisations to verify a person’s identity quickly and securely through a variety of authentication mechanisms.
To support different verification needs, the Aadhaar framework provides two primary modes of identity confirmation: online authentication and offline verification. Online authentication involves sending real-time verification requests to the Unique Identification Authority of India’s (hereinafter “UIDAI”) servers, typically using biometric data, OTPs, or demographic details. Offline verification, on the other hand, allows individuals to share identity credentials directly with service providers without requiring real-time communication with UIDAI databases.
The Meaning of “Offline” in Aadhaar Verification
This method, as mentioned above, allows information sharing without requiring a real-time authentication request to UIDAI’s servers. Despite its name, the process is not completely offline in the traditional sense: internet connectivity is still required. The term merely indicates that UIDAI’s central servers are not contacted during the verification process itself. Further, offline verification can be done through either physical or electronic formats.
In physical formats, individuals may present documents such as the Aadhaar letter, a printed copy of e-Aadhaar, or the Aadhaar PVC card, whereas in electronic formats, individuals may share digital credentials such as the downloadable e-Aadhaar file used in offline e-KYC systems. This system was originally designed as a privacy-friendly alternative, as it allowed individuals to share identity data without granting organisations direct access to UIDAI databases.
Key Amendments to this Offline Verification System
In December last year, UIDAI introduced significant amendments to the Aadhaar Authentication and Offline Verification Regulations, 2021. These amendments represent an important shift toward a consent-driven and application-based digital identity system.
Firstly, one of the main changes introduced by the amendments is the formal recognition of an official Aadhaar mobile and web application developed by UIDAI. This application functions as a central platform through which individuals can manage Aadhaar-related services. Users can access and share multiple identity credentials, including QR codes, e-Aadhaar files and offline e-KYC.
Secondly, the amendments introduce new verification mechanisms such as Aadhaar Verifiable Credentials (hereinafter “AVC”) and offline face verification [Regulation 2(be) & 2(md)]. These mechanisms bring major operational changes for businesses. Through AVC, organisations can now request only the specific demographic information necessary for their services. Offline face verification, by contrast, allows businesses to capture a live facial image of a user and match it with the photograph stored in the Aadhaar application on the user’s device. Unlike biometric authentication, this process does not require real-time communication with UIDAI servers. Offline Aadhaar verification can be done with or without this face verification, as necessary.
Thirdly, the amendments also introduce new regulatory requirements for organisations. Entities seeking to perform offline e-KYC or AVC-based verification through the Aadhaar app must register with UIDAI as Offline Verification Seeking Entities (hereinafter “OVSEs”). The one exception is organisations that rely solely on physical Aadhaar copies or QR code scanning.
How Do These Changes Impact Organisations?
This means that organisations which were using, or are planning to use, Aadhaar-based verification systems are now subject to increased regulatory oversight by UIDAI. In addition to registering as OVSEs, businesses are required to provide access to their systems, operational processes, and records during compliance audits conducted by UIDAI or its authorised agencies [Regulation 21]. Taken together, the regulations now comprehensively cover:
Strict Data Handling and Data Localisation Requirements: OVSEs are strictly prohibited from collecting, storing, or using a person’s Aadhaar number or biometric information for any purpose [Regulation 14A(b)]. Whenever these registered entities store physical copies or photocopies of Aadhaar documents, the first eight digits of the Aadhaar number must be masked or redacted before storage [Regulation 14(mb)]. Even if businesses choose to maintain optional verification logs, they can only store them in secondary form [Regulation 20A]. The regulations also impose data localisation obligations: all servers used by Requesting Entities, Authentication Service Agencies, and OVSEs for processing verification requests must be located within data centres or cloud infrastructure situated in India [Regulation 22]. Moreover, if a user withdraws consent, the stored information must be deleted in a verifiable manner and an acknowledgement of the deletion must be provided to the Aadhaar number holder [Regulation 16A(4) & 20A].
Breach Reporting: According to Regulation 14A(d), an OVSE must report any compromise of Aadhaar related systems or misuse of Aadhaar information to UIDAI without undue delay and in any case within 72 hours. Requesting entities must also notify affected Aadhaar holders when such incidents occur.
Liability for Third-Party Vendors: According to Regulations 14A(e) & 14(m), the principal organisation remains fully responsible for the actions of any third-party vendors or subcontractors involved in the verification process. This provision significantly increases corporate responsibility. Businesses must therefore conduct rigorous due diligence, contractual oversight, and compliance monitoring of external vendors. They must also invest in fraud detection systems, cybersecurity infrastructure, and incident response frameworks.
Mandatory Audits and Penalties for Non-Compliance: It must be noted that non-compliance with these regulations can lead to severe consequences. If an OVSE fails to comply with regulatory standards, misuses Aadhaar verification facilities, refuses to cooperate during audits, or engages in unlawful activities, UIDAI may impose financial penalties, initiate criminal proceedings, or suspend or terminate the entity’s authorisation [Regulation 25(1A)]. Furthermore, if an entity’s authorisation is terminated, the organisation must immediately cease using the Aadhaar logo, discontinue Aadhaar-based services, resolve pending user grievances, and preserve verification logs as required by UIDAI before shutting down its Aadhaar-related operations [Regulation 23A].
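The masking rule for stored copies described above (first eight digits redacted, last four kept) is the one concrete data-handling step in this list, so here is an added example of how a storage pipeline could enforce it; this is illustrative code written for this article, not UIDAI's or any OVSE's implementation, and the record text and names are constructed.

```python
import re

# Constructed sample record (not real data): free text from a form note or
# an OCR'd photocopy where an Aadhaar number may appear in the usual 4-4-4
# grouping with spaces or hyphens, or as an unbroken 12-digit string.
SAMPLE_RECORD = (
    "Applicant: A. Sharma, Aadhaar 2345 6789 0123; photocopy shows "
    "2345-6789-0123; scanned text 234567890123; phone 9876543210."
)

# Twelve digits as 4-4-4 groups. \2 forces the same separator (space, hyphen
# or none) between both groups, and \b keeps the match from starting or
# ending inside a longer digit run such as a 16-digit card number.
AADHAAR_RE = re.compile(r"\b([0-9]{4})([ -]?)([0-9]{4})\2([0-9]{4})\b")


def mask_aadhaar(text: str) -> str:
    """Replace the first eight digits of every Aadhaar-like number with X,
    keeping the last four digits and the original grouping. Masking a stray
    12-digit reference number too is the safe failure mode for stored copies."""
    def _mask(m: re.Match) -> str:
        sep = m.group(2)
        return f"XXXX{sep}XXXX{sep}{m.group(4)}"
    return AADHAAR_RE.sub(_mask, text)


def contains_unmasked_aadhaar(text: str) -> bool:
    """Storage-time guard: True if any Aadhaar-like number is still in clear."""
    return AADHAAR_RE.search(text) is not None


def prepare_for_storage(text: str) -> str:
    """Mask, then refuse to return a record that still fails the guard,
    so a missed layout surfaces as an error rather than a stored full number."""
    masked = mask_aadhaar(text)
    if contains_unmasked_aadhaar(masked):
        raise ValueError("record still contains an unmasked Aadhaar number")
    return masked


if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_RECORD))
```

The guard is deliberately strict: a number written with mixed separators (a space in one place and a hyphen in the other) does not match the pattern and would make prepare_for_storage raise, which is the intended outcome for anything the masker did not recognise.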
How do these changes impact Aadhaar holders?
One of the biggest effects of these amendments is that individuals now have greater control over their personal information, sharing only the specific identity details required for a particular service instead of revealing their entire Aadhaar profile. The risk of unnecessary exposure of personal data is reduced, and the focus shifts to the consent of the individual.
It must be noted that although these amendments improve convenience for many users through the introduction of the Aadhaar app, they could present challenges for individuals with limited digital access or technological familiarity. Users may not always know which pieces of information are necessary for a particular service and which are not. Even when they are aware, repeatedly granting consent for different services can lead to consent fatigue.
Conclusion
The amendments significantly change how Aadhaar verification works for both organisations and individuals. Businesses must now follow stricter compliance and data handling rules, while Aadhaar holders gain greater control over what personal information they share.
Crucially, the changes also align India’s Aadhaar identity system with widely accepted global technical and privacy standards, strengthening the country’s digital governance framework. The introduction of AVC aligns with Web 3.0 identity models, which allow digital credentials to be selectively shared and securely verified. This makes Aadhaar more compatible with emerging decentralised identity systems used internationally.
The move toward offline verification and local biometric matching reflects recommendations from the NIST Privacy Framework, which encourages reducing reliance on centralised biometric databases to improve privacy protection.
The amendments also reflect the concept of Self-Sovereign Identity (hereinafter “SSI”), in which individuals have greater control over their own identity data. By allowing users to store credentials in the Aadhaar app and share them when needed, the system moves toward a model where individuals manage their own identity data. Further, the framework incorporates key data protection principles such as privacy by design, data minimisation, and purpose limitation, which are central to India’s Digital Personal Data Protection Act, 2023 and to international regulations like the EU’s GDPR. Overall, Aadhaar is now a globally aligned, secure, and privacy-focused digital identity ecosystem.