This Wednesday saw the Nasscom Aadhaar Developer Track conference. Given this was the developer track where code was being distributed on CDs, I expected to see code demos of how a vendor could use their authorization API. Namely, I would expect to see a live code demo of something like:
1. Assume an Indian resident has registered with Aadhaar and has an UID (there were booths to register if one had proof of ID and residency but the process takes a couple weeks to get back to process the eye scan and other biometrics and send back an UID).
2. Assume you have an authentication key to call the Aadhaar as a client of authorization services.
3. Get yourself a piece of reference hardware – e.g. a well-known eye scanner or fingerprint reader with well tested drivers for Windows/Mac/Linux. (In open systems, it’s super convenient for developers to still have well tested reference hardware – just ask the Android folks).
4. Have the resident do a fingerprint or eye scan
5. Here’s how you the read the encrypted the biometric data from the reference device (i.e. the Aadhaar Biometric Capture Device interface) and prepare it to be sent to the Aadhaar webservice
6. Here’s the code you write to call the web service with the UID biometric data of the user
7. Here’s the Yes or No response you get back telling you whether the user is authenticated.
Honestly, this should be a very simple demo in code (and even simpler if I as an authorization client don’t need to provide any biometric data and just are making a request against using the OTP/one time SMS password API). I was frankly disappointed this was not demonstrated. With 10 million people already registered, there are lots of authentication scenarios that organizations could be building today if this were a well-documented process - e.g. Babajob could be showing our job seekers as UID verified – meaning they have submitted proof of address and identity - which we know will yield them higher salaries.
I don’t think we’ll see many companies and organizations calling these APIs until this process gets damn simple and there are a set of training videos on .NET, Java, Perl, etc with simple instructions for developers: Buy this hardware device. Install this client software on your developer PC. Scan your finger. Call this web API.
This Wednesday saw the Nasscom Aadhaar Developer Track conference. Given this was the developer track where code was being distributed on CDs, I expected to see code demos of how a vendor could use their authorization API. Namely, I would expect to see a live code demo of something like:
1. Assume an Indian resident has registered with Aadhaar and has an UID (there were booths to register if one had proof of ID and residency but the process takes a couple weeks to get back to process the eye scan and other biometrics and send back an UID).
2. Assume you have an authentication key to call the Aadhaar as a client of authorization services.
3. Get yourself a piece of reference hardware – e.g. a well-known eye scanner or fingerprint reader with well tested drivers for Windows/Mac/Linux. (In open systems, it’s super convenient for developers to still have well tested reference hardware – just ask the Android folks).
4. Have the resident do a fingerprint or eye scan
5. Here’s how you the read the encrypted the biometric data from the reference device (i.e. the Aadhaar Biometric Capture Device interface) and prepare it to be sent to the Aadhaar webservice
6. Here’s the code you write to call the web service with the UID biometric data of the user
7. Here’s the Yes or No response you get back telling you whether the user is authenticated.
Honestly, this should be a very simple demo in code (and even simpler if I as an authorization client don’t need to provide any biometric data and just are making a request against using the OTP/one time SMS password API). I was frankly disappointed this was not demonstrated. With 10 million people already registered, there are lots of authentication scenarios that organizations could be building today if this were a well-documented process - e.g. Babajob could be showing our job seekers as UID verified – meaning they have submitted proof of address and identity - which we know will yield them higher salaries.
I don’t think we’ll see many companies and organizations calling these APIs until this process gets damn simple and there are a set of training videos on .NET, Java, Perl, etc with simple instructions for developers: Buy this hardware device. Install this client software on your developer PC. Scan your finger. Call this web API.
