UPI upgrade aims to let India’s smartphone users make payments using Aadhaar-linked fingerprints

The United Payments Interface, a digital application that allows users in India to transact across 30 banks using their smartphones, is set for a big overhaul. It may allow users to authenticate transactions using scans of their irises or fingerprints linked to their Aadhaar numbers, according to a draft paper published by the National Payments Corporation of India, an umbrella organisation of banks that has developed the interface. Aadhaar is the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have.

So far, payments on UPI require a Personal Identification Number. Launched in August 2016, the interface had gained popularity after Prime Minister Narendra Modi demonetised 86% of currency in circulation in November.

According to the paper, two other features could be introduced soon. First is the ability to automate recurring payments, similar to the way customers give their banks standing instructions to transfer money on a regular basis to a particular entity. The draft paper also suggests a feature that will protect consumers against hoax entities pretending to be merchants. Through this feature, bankers will have to ensure that a merchant demanding money is registered with the National Payments Corporation of India and partner banks. Entities that are not registered will be able to send transaction requests too, but the United Payments Interface is likely to flag those requests with a warning.

The paper was released largely for coders and developers. It was reviewed by Scroll.in and it suggests that the service could use Aadhaar-linked biometrics to bypass the use of a Personal Identification Number or PIN to authorise transactions. The paper says this could result in more efficiency as users often forget their PIN, or make mistakes while entering it to authenticate transactions.

The draft paper states: “While PIN has been used across the payment systems, the issues related to this such as users having to remember multiple PINs, forgetting PIN or entering wrong PIN have been the major cause of the transaction declines.”

The paper adds that there is an additional security concern in case of phone theft when the thief could make a transaction by simply entering the PIN – all of which, the paper claims, could be fixed by allowing for biometric authentication. This feature, however, is going to be optional as the PIN will remain the default authentication source for those unwilling to move to biometrics, the paper states.

“Biometrics is emerging as an effective mechanism to both identifying users as well as authorising any financial transactions,” it adds, giving the example of the Unique Identification Authority of India, which has generated 116 crore 12-digit Aadhaar numbers using biometrics.

The United Payments Interface integrates bank accounts with mobile phone numbers and allows people to pay or receive money in real time through the mobile apps of their respective banks, or through common apps such as Bhim and PhonePe. This payment mode saw a surge in usage after demonetisation as depicted in the chart below, with more than 1.6 crore transactions a month taking place on the United Payments Interface platform.

For the second version of the payments interface, the government is hoping that mobile manufacturers will soon start producing phones with biometric capabilities that are compatible with Aadhaar.

This will allow the United Payments Interface’s own biometric authentication to go through seamlessly by linking it through Aadhaar’s central depository of biometrics, which can verify a user’s biometrics and provide the approval for the transaction if the biometrics match, or decline a transaction in case it does not.

Here is the proposed transaction flow, according to the draft document put out by the National Payments Corporation of India.

Transaction flow for a biometrics-based United Payments Interface transaction.

As seen in the chart above, the process flow will involve a user opting for biometric authentication instead of a PIN to authenticate transactions. When the user makes a transaction, their biometric input such as fingerprints or iris scans will be forwarded to the Unique Identification Authority of India, which will then verify it with its own database and reply with a yes/no response. If the response is positive, the banks of the two entities involved in the transaction are debited and credited.

“This functionality will be available to the entire UPI ecosystem and users with compatible smartphones shall be able to use this as an alternative to authorize transaction. Inclusion of Iris authentication and fingerprint into UPI will not only make payments more secure but will also take a huge leap towards integrating next generation technology with current payments system.”

— National Payments Corporation of India’s draft paper on UPI 2.0

However, the use of biometrics to authenticate financial transactions is not without concerns. On Sunday, the Uttar Pradesh Police arrested 10 men in connection with a racket in which they created fake Aadhaar numbers after they cloned biometrics of Aadhaar enrolment operators to access the Unique Identification Authority’s official client application.

In its defence, the Aadhaar authority said in a press release on Monday that it had itself filed the First Information Report in the Uttar Pradesh case and that its system is “robust” enough to detect “anomalies and abnormal activities” in the enrolment process. It added that its systems and data cannot be breached. The agency said that this is because it only accepts Unique Identification Authority of India-certified devices for the enrolment and authentication of individuals. If a device does not meet the authority’s standards, the system automatically rejects the attempt to breach it, the authority added.

A representative of the corporate communications division of the National Payments Corporation of India said on the phone that the organisation would not comment on the draft at this stage. An email questionnaire to the National Payments Corporation of India went unanswered and this report will be updated if and when the organisation responds to the queries.

Recurring payments made easy

The document also pointed to the possibility of the United Payments Interface ecosystem allowing users to make recurring payments such as bills for utilities or credit cards using standing instructions. The update is likely to allow users to permit their accounts to be debited by their respective billing companies, and the money will be transferred in real time using the United Payments Interface each time the bill is due without the customer having to intervene.

The draft states that while the United Payments Interface already offers quick response (QR) code functionality to receive or send money, the next version will likely come with the ability to do the same for recurring payments.

Introducing trust

Another change that could come in UPI 2.0 is the introduction of “trusted sources”, which refers to merchants who can register with the National Payments Corporation of India to guard their customers against fraudulent entities pretending to be them. This system will be called “signed intent” as each collection request from a registered merchant will come with a digital signature of the bank verifying that they are real.

This is likely to be done by registering merchants with the National Payments Corporation of India and banking partners. Afterwards, any collect request from the merchant will be verified against their registered key at the bank, and the user will get a signed notification to be able to transfer money securely.

In case the request cannot be verified as one made from a trusted source, the application for the United Payments Interface will flag those requests with a warning. The draft suggests that this will allow people to be sure that the entity they are paying using the interface is a legitimate one.