Over the last 15 years, Aadhaar, meaning “foundation” or “base”, has gone from being primarily an identification system to becoming the foundation of digital India. Now, Aadhaar is the largest biometric identification system in the world, with over 1.43 billion enrollments — more than the combined populations of Europe and North America.
Aadhaar was created in 2009 to provide all residents of India with a single, unique and verifiable identity number that can be used by government and private sector agencies to identify individual residents of India. The Unique Identification Authority of India (UIDAI), a statutory authority of the Government of India, administers the Aadhaar program and issues a 12-digit unique Aadhaar number to Indian residents.
With almost 80 million Aadhaar authentications now occurring daily, UIDAI has strengthened India’s position as a global leader in digital public infrastructure (DPI).
On January 28, 2009, the UIDAI launched the Aadhaar program under the leadership of Nandan Nilekani, and the first Aadhaar number was issued on September 29, 2010. Within ten years of its launch, Aadhaar enrolled 90% of India’s population in a digital ID system, considered the world’s most extensive biometric identity system, serving as the primary infrastructure for digital payments in India.
Today, over 2,200 government schemes and programs use Aadhaar as the basis for offering welfare schemes, including Direct Benefit Transfer (DBT) and the Pradhan Mantri Jan Dhan Yojana (PMJDY), to facilitate service delivery. Through electronic Know Your Customer (e-KYC) and Aadhaar-enabled payment options, Aadhaar facilitated a continuous flow of benefits and subsidies directly to beneficiaries, by reducing the need for intermediaries and preventing fund leakages.
Over 500 businesses have adopted Aadhaar for user verification purposes in the banking, insurance and telecom sectors. UIDAI enabled over two billion Aadhaar Face Authentication transactions by August 2025, and its AI solution is utilized by more than 150 government and private entities.
India’s digital economy has experienced rapid growth due to Aadhaar’s role as an enabler, particularly in assisting with the fast and safe onboarding of clients for use within India’s fintech unicorns — 26 companies worth more than $90 billion combined — through online verification of customers’ identity and ease of completing transactions digitally.
The rapid rise of Aadhaar has also made it an easy target for cybercriminals. Aadhaar has become a key pillar for delivering public services, as well as many aspects of India’s digital economy. Due to its critical role, Aadhaar faces a significant risk from fraudsters.
Challenges and risks in the Aadhaar ecosystem
Aadhaar’s centralized database, the Central Identity Data Repository (CIDR), has so far remained uncompromised; yet risks and vulnerabilities arise through the third-party systems it connects to, such as banking, telecom and university applications, enrollment apps, authentication devices and other API-based services.
In 2018, approximately 200 government websites inadvertently disclosed personal Aadhaar data. This was an insider attack with Aadhaar data being accessed by unauthorized personnel working for the government.
In 2024, one state government’s portal was found to be exposing Aadhaar-linked beneficiary data. The other challenge is application programming interface (API) misuse and weak integration. Some organizations unintentionally expose Aadhaar numbers, dates of birth or addresses through fragile APIs, despite the UIDAI enforcing strict compliance requirements. Aadhaar numbers, casually shared, have become tools for exploitation, as cybercriminals have used them to loot the holders’ money.
Aadhaar-enabled SIM fraud leading to cybercrimes
A majority of financial cybercrimes in India begin with access to fraudulent subscriber identity module cards, commonly known as SIM cards. Cybercriminals gain access to fraudulent SIM cards by providing fake Aadhaar card documents or photocopies of unsuspecting individuals’ Aadhaar cards, using morphed Aadhaar cards and exploiting the SIM card issuance process.
A recent study from the Indian School of Business found that many fraudulent SIM cards issued are linked to Aadhaar verification as the primary source of identity and/or residence authentication. SIMs validated in this way serve as a backbone for various cybercrime activities, including KYC fraud, phishing scams and others.
Cybercriminals use Aadhaar data to gain access to genuine customers’ bank accounts by using fake KYC updates, phishing links that mimic verification portals and exploiting Aadhaar demographic data to reset mobile banking credentials. Cybercriminals also use fake Aadhaar cards to open mule accounts, which are then used for financial transactions and crypto transactions.
Aadhaar for social engineering
Criminals increasingly use Aadhaar to execute social engineering attacks, such as online scams involving impersonation and fraudulent calls/emails to obtain Aadhaar data, which have resulted in millions in financial losses. A retired professor in Hyderabad was defrauded of ₹1,500,000 ($16,705) by cyber fraudsters who claimed that Aadhaar was being misused and that fake Aadhaar cards were being used in land fraud or to create counterfeit identities and avail benefits.
The Supreme Court’s 2013 ruling made Aadhaar voluntary; yet, subsequent mandates — such as linking Aadhaar to Permanent Account Number (PAN) cards — raise serious concerns about the freedom, autonomy and dignity of citizens. The Aadhaar Act (2016) amended rules to promote ease of living and livelihood, and introduced the Aadhaar Authentication for Good Governance Amendment Rules, 2025, which permit both public and private entities to utilize the Aadhaar Authentication service. However, the amendment raises serious concerns about privacy and the misuse of personal data.
AI, deepfakes and synthetic ID frauds
AI is an emerging technology that may pose a threat to Aadhaar data due to the rapid progress of these technologies and the inadequate control measures or regulations in place to prevent issues from arising. Increasingly, these technologies can enable cybercriminals to create fake biometric data, simulate a complete identity similar to an existing person and create synthetic voices that closely match the original voice, making it easier to compromise security measures.
Additionally, AI-generated information allows fraudsters to build identities that appear legitimate by altering demographic information and photographs/biometric information to create a profile that can pass as “real.” The increased use of AI facial recognition technology for Aadhaar Authentication provides an opportunity for the use of deepfake videos, including deepfake technology that can circumvent liveness detection and allow unauthorized access to accounts.
Without additional protective measures and regulations in place, preventing fraudulent activities related to Aadhaar in the era of AI will become increasingly complex, and even a minor leak could result in identity theft or cyber fraud.
Aadhaar and the quantum risks
The Aadhaar architecture utilizes public-key cryptography methods for the secure storage of encrypted data. However, with the rapid growth of quantum technology, the reliance on Rivest–Shamir–Adleman (RSA), Elliptic Curve Cryptography (ECC) and Advanced Encryption Standard (AES) for encryption makes Aadhaar vulnerable.
Consequently, there is an urgent requirement for a migration strategy for Aadhaar to the Post-Quantum Cryptography (PQC) model. Addressing these risks requires robust governance, strong technical safeguards and privacy-by-design frameworks to secure Aadhaar as critical national infrastructure.
Recent initiatives
The UIDAI has recently launched a redesigned Aadhaar App, featuring enhanced security measures and making it easier for users to manage their digital identity. This improved app functions offline, providing users with easier access to their Aadhaar information, offers a higher level of data protection and gives users multiple secure ways to share their information with others.
UIDAI established the Aadhaar Data Vault (ADV) to enhance the security of individuals’ sensitive information. The ADV is a secure digital repository that allows individuals to store information related to their Aadhaar account (Aadhaar number, name, phone number, etc.) with stringent encryption and controlled access.
The recently released framework called “Aadhaar Vision 2032” serves as the roadmap for constructing and defining the digital identity of Indian citizens over the next decade. Furthermore, the recent deactivation by UIDAI of 20 million Aadhaar numbers of deceased individuals is a prime example of how the Aadhaar database is regularly updated to weed out nonexistent ID card holders and prevent or reduce the misuse of the digital ID card.
Finally, UIDAI has made registration mandatory for all entities using Aadhaar-based verification to boost accountability and prevent its misuse. UIDAI is considering a rule that would stop private organizations from storing Aadhaar photocopies as it shifts to a more secure digital verification system.
The way forward
Aadhaar has become a vital component in India’s digital infrastructure development, facilitating the delivery of services to its citizens. To develop an improved Aadhaar-based digital service ecosystem, the UIDAI must create a Multi-Layer Authentication Framework for Aadhaar users that utilizes PQC to ensure continuity of service, even if a user has lost access to, or has had compromised, any one method of verification (biometric data, one-time passwords, personal identification number).
As cybercriminals increasingly utilize generative AI, the UIDAI must begin to prepare for AI-enabled fraudulent activity. UIDAI needs to invest in even more advanced forms of technological security that protect against the actions of these types of cybercriminals, including the continued development of liveness detection technology.
Another way to enhance identity security while preserving user privacy is by utilizing behavioral biometrics (i.e., typing speed, touch pressure, device movement or voice cadence). These biometric methods are inherently much more difficult for a fraudster to replicate than traditional biometric methods.
Aadhaar’s efficiency depends on its ability to address various risks, such as advanced cyber-attacks, post-quantum cyber-attacks, large-scale data breaches, AI-based identity theft, escalating privacy legislation and data misuse. The possibility of being unable to authenticate ourselves when needed, along with inconsistent governance levels throughout the entire Aadhaar ecosystem, is another concern.
The Aadhaar infrastructure must be built upon, strengthened and expanded to face the newer challenges. The Aadhaar system will need to be continually updated to protect against the risks posed by rapidly evolving technologies, which will require an investment in developing a sophisticated and secure cybersecurity framework.
[Casey Herrmann edited this piece.]
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.