India uses its nation-wide biometric ID system Aadhaar to make legally binding digital signatures available to 1.4 billion people. “In 2015, a change in a law removed the need for hardware tokens, which has spurred a great increase in the number of digital signatures,” says Tejas Lagad at identity and security company Nexus Group, an important player in the digitalization of India.
1.4 billion people are included in Aadhaar, which is 99 percent of all Indians age 18 and above. To enroll, a person’s demographic and biometric data, in the form of fingerprint and/or iris scan, are submitted and tied to a 12 digit unique-identity number.
“Aadhaar was first created to link peoples fingerprints to their bank accounts, so that benefits could be sent directly to the bank account – previously, the benefits were handed out via government officers, but this often resulted in money leakage. And now that we have this nation-wide biometric ID system in place, it is prudent to use it for other interesting things,” says Lagad, regional manager for Asia at Nexus.
One of these things is the digital signature. In the year 2000, the Indian government created laws about how transactions can be made legally online, called the Information Technology Act (IT Act).
Read blog post Why Nexus invests heavily in its certificate authority (CA) platform for its 20th anniversary
Hardware tokens a logistical nightmare
“The act said that legally binding digital signatures online are to be made with digital certificates based on people’s Aadhaar ID’s, and issued on hardware, such as smart cards or hard crypto tokens, that people have to carry around. This has been used extensively in India – but the population is large, and distributing the hardware tokens became a logistical nightmare,” says Lagad.
Another problem was that hardware tokens cost money, and not all Indians could afford it.
“There is also no easy way to use hardware tokens with mobile phones, and more than 25 percent of internet usage in India comes through mobile phones,” says Lagad.
Therefore, in 2015 the Indian government decided to also allow cloud-based signature services, without the use of hardware tokens.
“At the moment, eight companies are licensed to be certificate authorities (CAs), that is, they are allowed to issue digital certificates,” says Lagad.
eSign services solve the problems
Four of these licensed CAs also provide the cloud-based signature services, called eSign, to the organizations that want to integrate digital signing into their e-services. Such CAs are called eSign Service Providers (ESPs).
“If, for example, a retail bank wants to enable legally binding digital signing of online transactions, they would buy eSign services from one of the ESPs, and then signing would be seamlessly integrated into the online banking application,” says Lagad.
When the end-user wants to sign a transaction in the online banking application, the bank sends a request to the eSign service provider, which in turn sends the request to the Unique Identification Authority of India’s (UIDAI’s) Aadhaar electronic know your client (eKYC) services. The Aadhaar eKYC services send a one-time password (OTP) to the end-user’s mobile phone, which the end-user then types into the bank application.
“The bank then sends the OTP to the eSign service provider, which verifies the OTP with the Aadhaar eKYC services. If the OTP matches, the UIDAI server returns the eKYC data of the user. Using this data, the ESP creates a one-time digital certificate for the user, and the transaction is signed. OTPs are not the world’s most secure solution, but they are the best for India, since it can be used on really cheap mobile devices and does not require an internet connection,” says Lagad.
A comprehensive software solution
Digital signatures can also be made using fingerprints or iris scans, but these have to be made with special hardware at the service provider’s premises.
Nexus plays an important role in the digitalization of India, since it is the only vendor that has a comprehensive software solution for the CAs that offer the eSign services.
“Our software solution consists of our certificate authority (CA) software Certificate Manager, which is used by numerous organizations all over the world, as well as our eSign Server, which is designed specifically to meet the Indian government’s requirements on cloud-based signatures,” says Lagad.
The Nexus solution was chosen by the Indian Controller of Certifying Authorities (CCA) to be the trusted platform of the Root Certifying Authority of India, which licenses the other CAs that offer eSign services.
Read blog post Nexus is one of the first CA software vendors to launch support for certificate enrollment protocol EST
Exponential growth expected
“Two of the eight licensed CAs have also chosen our solutions, and we are in talking with other prospective CAs. If they opt for a vendor other than Nexus, they could only get the equivalent of our Certificate Manager – they would have to build the equivalent of our eSign Server themselves, since no other CA vendor offers this component.
“We offer a tried and tested solution that complies with the rules of the CCA and Aadhaar, works seamlessly with our CA software, and has a very high throughput. Moreover, Nexus has a development and support center in India with experienced public key infrastructure (PKI) specialists. This ensures high service levels to our customers and assures continuous compliance to the CCA regulations,” says Lagad.
Now that legally digital signatures can be made online without the need for hardware tokens, usage is predicted to grow exponentially.
Offers convenience to customers
“The latest statistics state that the number of legally binding digital signatures online grew 150 percent in four months, from 2 million in October of 2016, to 5 million in February of 2017. And since digital signatures now are easily available to 99 percent of adult Indians, loads of new organizations will soon enable digital signatures in their e-services,” says Lagad.
The organizations that can benefit most from eSign are those that today accept signed documents from a large number of users, for example, central and state government agencies, smart city corporations, banks, insurance companies, lending institutions and telecom companies.
“Since eSign removes the need for a wet signature, it significantly reduces paper handling costs, improves efficiency and offers convenience to customers,” says Lagad.
Read blog post How to complete your customers’ digital journeys with digital signatures