An Open Letter to the Finance Committee: SCOSTA Standards
Introduction
This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Though we recognize that Aadhaar biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric-based authentication process be replaced with a SCOSTA standard-based authentication process.
A background of the two standards
The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:
1. Compliant with the international standard ISO-7816 for smart cards.
2. Based on a public/private key and PIN authentication factor.
3. Authentication factor refers to an individual's keys, pass-phrases, and PIN.
The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:
1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.
2. Is based on a symmetric authentication factor.
A comparison of the two standards
| Standard | SCOSTA - MNIC smart card | Aadhaar Biometric - UID number |
| --- | --- | --- |
| Architecture | Decentralized: SCOSTA standards require a key pair combined with a PIN, and thus can be structured in a decentralized manner. | Centralized: Aadhaar biometric standards require symmetric authentication factors, and thus must be structured in a centralized manner. |
| Standards for Technology | Open standard: Creates security through transparency. | Closed standard: Creates security through obscurity. |
| Points of failure | Multiple points of failure: The SCOSTA standard has multiple points of failure because of its decentralized structure; thus, if one database is compromised, not all data is lost. | Single point of failure: The Aadhaar Biometric standard has one single point of failure because of its centralized structure; thus, if the database is compromised, all data is lost. |
| Impact on local industry | Encourages: Open standards allow local industry to compete in manufacturing technology. | Discourages: Closed standards allow foreign players to monopolize the manufacturing of technology. |
| Cost analysis | Cost effective: Increased competition keeps prices low. | Cost ineffective: Decreased competition keeps prices high. |
| Revocation | Revocable: If the key pair and PIN are stolen, a new set of passwords can be issued. | Permanent: If the biometrics of an individual are stolen, they cannot be re-issued. |
| Possibility of fraudulent authentication | Lower: A thief must steal your smart card and your secret PIN to commit fraud. | Higher: A thief only needs to collect your fingerprints using a glass tumbler to commit fraud. |
| Viability of Technology | Proven effective for large populations. | Not proven effective for large populations. |