RoyG wrote: How secure is this technology? How hard would it be to duplicate cards?
The cards are irrelevant. What is important is the one-one mapping between a person's UID number (that is assigned after checks for deduplication) and that person's biometrics. Each person gets a unique number and has to present that number along with their biometrics as one factor of authentication -- more security means requiring multiple authentication modes (as in other means of authentication like ID cards or bank cards with photos etc.).
The crucial point is that the entire thing is useless if there is no internet connection between the point of sale and the UIDAI servers (the INC regime was fudging on this point and creating massive FUDs by claiming that the UID failed in places where there were no internet connections at all). Basically,
1) Citizen presents UID number and one or more fingerprints or iris scan
2) The bank software is linked to the UIDAI's libraries that will ensure a secure communication channel to the UIDAI servers and present the UID# + the biometric info.
3) The UIDAI server pulls up the biometrics info from the database with the UID number as the database key, and then compares the fingerprints/iris scan in the database with that in the request
4) If there is more than an N-point match (greater N for higher security, though that could mean more false negatives) then the server returns "yes" (the UID# matches the biometric info) or "no" (the UID# does not match the biometric info).
There is no leakage of any information that is not already provided by the user in public at the point of authentication, and the response over the wire is binary (yes/no) and does not leak information about any other information secured in the UIDAI databases.
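A toy model of steps 1-4 above, added as an illustration; it is not part of the original post and is not UIDAI code. The minutiae format, the tolerances, the `ENROLLED` table and all sample scans are constructed assumptions, chosen to show how raising N turns a smudged but genuine scan into a false negative while the caller only ever sees yes/no.

```python
"""Toy model of the yes/no check in steps 1-4 (illustrative, not UIDAI code)."""
import math

# Constructed enrolment database: UID number -> stored minutiae (x, y, angle in degrees).
ENROLLED = {
    "UID-0001": [(10, 12, 30), (40, 44, 90), (55, 20, 180),
                 (70, 65, 270), (25, 80, 45), (90, 15, 135)],
}

def matched_points(stored, presented, dist_tol=3.0, angle_tol=15.0):
    """Count presented minutiae that pair with a distinct stored minutia."""
    unused = list(stored)
    hits = 0
    for (x, y, a) in presented:
        for cand in unused:
            sx, sy, sa = cand
            d_angle = abs((a - sa + 180) % 360 - 180)  # shortest angular distance
            if math.hypot(x - sx, y - sy) <= dist_tol and d_angle <= angle_tol:
                unused.remove(cand)  # each stored point may be used once
                hits += 1
                break
    return hits

def authenticate(uid, presented, n):
    """Step 3-4: look up by UID, compare, answer only True ("yes") or False ("no")."""
    stored = ENROLLED.get(uid)
    if stored is None:
        return False  # unknown UID gets the same "no" as a mismatch
    return matched_points(stored, presented) > n

# Constructed sample scans.
CLEAN_SCAN = [(11, 12, 32), (41, 43, 88), (54, 21, 182),
              (70, 66, 268), (26, 79, 47), (89, 15, 133)]
SMUDGED_SCAN = CLEAN_SCAN[:4] + [(33, 33, 10), (5, 95, 300)]  # same finger, 2 points lost
OTHER_PERSON = [(15, 60, 200), (48, 10, 10), (80, 80, 95),
                (30, 30, 310), (62, 50, 20), (95, 40, 250)]

if __name__ == "__main__":
    for n in (3, 5):
        print(f"N={n}",
              "clean:", authenticate("UID-0001", CLEAN_SCAN, n),
              "smudged:", authenticate("UID-0001", SMUDGED_SCAN, n),
              "other:", authenticate("UID-0001", OTHER_PERSON, n))
```

With the lower threshold the smudged genuine scan is accepted; with the higher one it is rejected, which is the false-negative cost of a greater N mentioned in step 4.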