The Centre’s newly notified Aadhaar rules formally clear the use of face authentication while tightening consent and purpose-limitation requirements, in line with the recently-implemented Digital Personal Data Protection (DPDP) Act.
This marks a significant shift in how Aadhaar can be used beyond government services — and how private entities may legally access the system.
The changes come at a time when the Unique Identification Authority of India (UIDAI) is preparing to roll out a redesigned Aadhaar app, which officials say could enable Aadhaar-based identity checks for everyday use cases such as event entry, hotel check-ins, deliveries and access control, without relying on continuous database authentication.
What do the new rules change?
The rules give regulatory recognition to face authentication as a valid mode of Aadhaar authentication, alongside existing biometric and OTP-based methods. Until now, facial verification had limited formal backing, largely confined to specific government-led use cases.
The rules also strengthen provisions for offline Aadhaar verification, where identity details can be verified without pinging UIDAI’s central database.
This will allow Aadhaar holders to share digitally signed credentials — via QR codes or apps — with third parties.
Why face authentication
Face authentication is being seen as critical in scenarios where fingerprint or iris scans are impractical, and where entities may not want to become, or may not qualify as, full-fledged Aadhaar Authentication User Agencies (AUAs).
UIDAI officials have argued that on-device facial verification can serve as a "proof of presence". This would confirm that the Aadhaar holder is physically present at the point of verification, without transmitting biometric data to UIDAI servers.
This is expected to underpin use cases such as entry to public events, gated communities, or ticketed venues — similar in experience to DigiYatra-style identity checks, but extended beyond airports.
What about privacy controls?
Alongside expanded authentication modes, the rules repeatedly stress that Aadhaar use must be:
- Purpose-specific
- Based on explicit consent
- Limited to the minimum data necessary
This is aligned with the newly-implemented Digital Personal Data Protection (DPDP) Act, which places strict obligations on entities to avoid data over-collection and misuse.
Under the new framework, an Aadhaar holder should be able to approve or deny a request, and share only selected attributes — such as age or photograph — rather than their full Aadhaar profile.
Bringing private use under a legal framework
The rules also seek to address a long-standing grey area in private-sector Aadhaar usage.
UIDAI officials previously flagged that some businesses bypass existing restrictions by asking users to fetch Aadhaar details via OTP-based portal access — a practice the authority considers illegal.
By formally enabling offline verification, the government is seeking to do away with the informal workarounds that some entities resorted to.
How this links to the upcoming Aadhaar app
During recent industry discussions, UIDAI officials said the new Aadhaar app is designed to operationalise exactly these rule changes. The app will place Aadhaar credentials on the user’s device, allow selective sharing through QR codes and support offline face-based proof of presence.