What Happened
- UIDAI highlighted its biometric lock feature as a key safeguard against Aadhaar-linked fraud, allowing holders to disable fingerprint- and iris-based authentication on their Aadhaar number.
- When the biometric lock is enabled, no requesting agency -- bank, telecom operator, or government department -- can authenticate the holder using their biometric data; such requests are rejected by UIDAI before any matching takes place.
- Holders can temporarily unlock biometrics via OTP verification when they themselves need a biometric transaction, after which the system re-locks automatically. Both locking and unlocking are OTP-verified, so the feature depends on having a mobile number registered with Aadhaar.
- The feature is particularly relevant given rising cases of Aadhaar Enabled Payment System (AePS) fraud through biometric cloning, with approximately 29,000 AePS fraud incidents reported on the National Cyber Crime Reporting Portal.
- UIDAI also provides a Virtual ID feature and Aadhaar authentication history for additional security layers.
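The lock, temporary unlock and auto-relock behaviour described above, together with the Virtual ID indirection and the authentication-history record, modelled as a toy identity-provider gateway. This is an added illustration written for this note, not UIDAI's API or code; the class and method names, the 600-second unlock window, the Aadhaar and VID values, and the fingerprint "template" bytes are all constructed assumptions. The scenario also shows the caveat the lock does not remove: a cloned fingerprint presented inside the holder's own unlock window still authenticates.

```python
# Added illustration of biometric-lock semantics as a toy authentication gateway.
# NOT UIDAI's API. Names, the unlock window and all sample data are assumptions.
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field

UNLOCK_WINDOW_SECONDS = 600  # assumed value; the page does not state UIDAI's window


@dataclass
class Holder:
    aadhaar: str                  # 12-digit number (constructed sample, not real)
    template_hash: str            # hash of the enrolled fingerprint template
    lock_enabled: bool = True     # biometric lock switched on by the holder
    unlocked_until: float = 0.0   # epoch seconds; 0 means no active temporary unlock
    history: list = field(default_factory=list)  # authentication history entries


class AuthGateway:
    """Simulated identity provider: resolves IDs, enforces the lock, logs every attempt."""

    def __init__(self) -> None:
        self._holders: dict[str, Holder] = {}  # aadhaar -> Holder
        self._vid_index: dict[str, str] = {}   # 16-digit VID -> aadhaar

    @staticmethod
    def _hash(template: bytes) -> str:
        return hashlib.sha256(template).hexdigest()

    def enrol(self, aadhaar: str, template: bytes) -> None:
        self._holders[aadhaar] = Holder(aadhaar, self._hash(template))

    def set_lock(self, aadhaar: str, enabled: bool) -> None:
        self._holders[aadhaar].lock_enabled = enabled

    def issue_vid(self, aadhaar: str) -> str:
        """Virtual ID: a 16-digit alias a requester can use instead of the Aadhaar number."""
        vid = str(secrets.randbelow(10 ** 16)).zfill(16)
        self._vid_index[vid] = aadhaar
        return vid

    def temporary_unlock(self, aadhaar: str, otp_verified: bool, now: float) -> bool:
        """OTP-verified unlock that expires on its own; the lock itself stays enabled."""
        if not otp_verified:
            return False
        self._holders[aadhaar].unlocked_until = now + UNLOCK_WINDOW_SECONDS
        return True

    def authentication_history(self, aadhaar: str) -> list:
        return list(self._holders[aadhaar].history)

    def _resolve(self, identifier: str) -> Holder | None:
        if len(identifier) == 16:  # VID presented; requester never needs the Aadhaar number
            identifier = self._vid_index.get(identifier, "")
        return self._holders.get(identifier)

    def _biometric_allowed(self, h: Holder, now: float) -> bool:
        # Auto-relock is implicit: once `now` passes unlocked_until the lock applies again.
        return (not h.lock_enabled) or now < h.unlocked_until

    def authenticate(self, identifier: str, factor: str, presented, now: float, requester: str) -> str:
        """Returns 'ok', 'locked', 'mismatch', 'unsupported' or 'unknown'; logs each attempt."""
        h = self._resolve(identifier)
        if h is None:
            return "unknown"
        if factor == "biometric":
            if not self._biometric_allowed(h, now):
                result = "locked"  # rejected before any template comparison
            elif self._hash(presented) == h.template_hash:
                result = "ok"
            else:
                result = "mismatch"
        elif factor == "otp":
            result = "ok" if presented is True else "mismatch"  # lock does not apply to OTP
        else:
            result = "unsupported"
        h.history.append((now, requester, factor, result))
        return result


def run_scenario() -> dict:
    """Constructed walk-through: cloned fingerprint vs. lock, unlock window, auto-relock."""
    gw = AuthGateway()
    aadhaar = "123412341234"
    real = b"constructed-minutiae-template-of-holder"
    cloned = real  # assumed worst case: silicone clone reproduces the enrolled template
    gw.enrol(aadhaar, real)
    vid = gw.issue_vid(aadhaar)
    out = {}
    out["clone_while_locked"] = gw.authenticate(vid, "biometric", cloned, 100.0, "micro-atm-BC-77")
    gw.temporary_unlock(aadhaar, otp_verified=True, now=1000.0)
    out["holder_in_window"] = gw.authenticate(vid, "biometric", real, 1010.0, "bank-kiosk")
    out["clone_in_window"] = gw.authenticate(vid, "biometric", cloned, 1050.0, "micro-atm-BC-77")
    out["clone_after_window"] = gw.authenticate(vid, "biometric", cloned, 1000.0 + UNLOCK_WINDOW_SECONDS, "micro-atm-BC-77")
    out["otp_while_locked"] = gw.authenticate(aadhaar, "otp", True, 2000.0, "telecom-kyc")
    out["history_entries"] = len(gw.authentication_history(aadhaar))
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the scenario is the third result: while the holder's own unlock window is open, the gateway cannot distinguish the holder's finger from a faithful clone, so the lock reduces exposure to the unlock window rather than eliminating it. The history list is what a holder would review to spot the unexpected "micro-atm-BC-77" attempts.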
Static Topic Bridges
Aadhaar: Legal and Constitutional Framework
The Aadhaar system, administered by the Unique Identification Authority of India (UIDAI), is governed by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. Its constitutional validity was upheld by a 4:1 majority of the Supreme Court in K.S. Puttaswamy v. Union of India (2018).
- Section 3 of the Aadhaar Act entitles every resident to obtain an Aadhaar number by submitting demographic and biometric information (in practice all 10 fingerprints, both iris scans, and a facial photograph).
- Section 7 provides that the government may require Aadhaar authentication for receipt of subsidies, benefits, and services funded from the Consolidated Fund of India.
- Section 28 places a duty on UIDAI to ensure the security and confidentiality of identity information and authentication records, and bars it from revealing data stored in the Central Identities Data Repository.
- Section 29(1) prohibits core biometric information (fingerprints and iris scans) from being shared with anyone for any reason whatsoever, or used for any purpose other than Aadhaar generation and authentication; Section 29(2)-(4) restrict sharing of other identity information and authentication records, and bar public display of Aadhaar numbers or core biometrics.
- The Supreme Court in Puttaswamy (2018) upheld the Act but struck down Section 57 insofar as it allowed private entities to use Aadhaar authentication, and held mandatory linking of bank accounts (under the PMLA rules) and of mobile SIM cards (under a DoT circular) unconstitutional as disproportionate to the right to privacy.
- The Act was passed as a Money Bill under Article 110. The majority upheld that classification; Justice D.Y. Chandrachud, dissenting, held it was a fraud on the Constitution. The correctness of the majority's view was later doubted by a five-judge bench in Rojer Mathew v. South Indian Bank (2019), which referred the Money Bill question to a larger bench.
Connection to this news: The statutory protections, notably Section 29(1)'s bar on sharing core biometric data, govern what UIDAI and requesting entities may do with stored biometrics; they do not stop a fraudster from presenting a cloned fingerprint to a legitimate requesting entity. The biometric lock closes that ground-level gap by giving the holder the power to refuse biometric authentication altogether, independent of any entity's compliance.
Right to Privacy and Data Protection
The right to privacy was declared a fundamental right under Article 21 of the Constitution by a unanimous nine-judge bench of the Supreme Court in K.S. Puttaswamy v. Union of India (2017). This landmark judgment laid the jurisprudential foundation for evaluating all state actions involving personal data, including biometric data.
- The Court established a three-fold test for evaluating privacy infringements: (i) legality -- the action must be backed by law; (ii) necessity -- the action must be necessary for a legitimate state aim; (iii) proportionality -- the action must be proportionate to the aim sought.
- The Digital Personal Data Protection Act (DPDPA), 2023 provides the statutory framework for data protection, defining data fiduciaries, data principals, and their respective obligations.
- Under the DPDPA, an Aadhaar number falls within the definition of personal data (data about an identifiable individual); the Act has no separate "sensitive" category. Data fiduciaries must implement reasonable security safeguards and, on a breach, intimate the Data Protection Board and each affected data principal.
- The DPDPA 2023 grants data principals (individuals) rights including: right to obtain information about data processing, right to correction and erasure, and right to grievance redressal.
- Limitation: Section 17(2)(a) of the DPDPA allows the Central Government to exempt notified instrumentalities of the State from the Act altogether where processing is in the interests of sovereignty and integrity, security of the State, public order, or related grounds.
Connection to this news: The biometric lock feature aligns with the privacy framework established by the Puttaswamy judgment and the DPDPA by giving individuals practical control over their biometric data. However, the existence of approximately 29,000 reported AePS fraud cases highlights the gap between legal rights and actual data security.
Aadhaar Enabled Payment System (AePS) and Digital Financial Inclusion
AePS is a bank-led model that allows online interoperable financial transactions at Point of Sale (PoS) or micro-ATMs through any bank's Business Correspondent using Aadhaar authentication. It is managed by the National Payments Corporation of India (NPCI).
- AePS enables basic banking transactions -- cash withdrawal, balance inquiry, fund transfer -- using only the Aadhaar number, the bank's identifier (IIN), and fingerprint (or iris) authentication; no card or PIN is involved.
- It is designed for financial inclusion in areas with limited banking infrastructure, targeting Jan Dhan account holders and direct benefit transfer (DBT) recipients.
- Fraud modus operandi: Biometric information uploaded on state government property registration websites is downloaded by criminals and "cloned" using silicone moulds to carry out unauthorised withdrawals. AePS frauds contributed to approximately 11% of financial cybercrimes reported in 2023.
- NPCI has mandated additional security measures including two-factor authentication and transaction limits.
- The Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs coordinates the response to AePS fraud at the national level.
Connection to this news: The biometric lock directly addresses the primary vulnerability exploited in AePS fraud -- unauthorised biometric authentication using cloned fingerprints. With the lock enabled, a cloned fingerprint is rejected before any matching occurs, because the attacker is not the one who can trigger the OTP-verified unlock. The lock narrows the fraudster's window to the minutes in which the holder has unlocked biometrics for their own transaction; it does not protect holders who never enable it, nor does it stop OTP- or demographic-based authentication, so guarding the registered mobile number against SIM swap and OTP phishing remains essential.
Key Facts & Data
- Aadhaar covers over 1.39 billion enrollments as of 2025, making it the world's largest biometric ID system.
- Approximately 29,000 AePS fraud incidents have been reported on the National Cyber Crime Reporting Portal.
- AePS fraud accounted for approximately 11% of financial cybercrimes reported in 2023.
- The Aadhaar Act was upheld by a 4:1 Supreme Court majority in K.S. Puttaswamy v. Union of India (2018), with Section 57 struck down.
- Section 29(1) of the Aadhaar Act prohibits sharing of core biometric data (fingerprints, iris scans) with anyone; Section 28 obliges UIDAI to keep identity information and authentication records secure.
- The DPDPA 2023 classifies Aadhaar as personal data with associated fiduciary obligations.
- UIDAI provides three security features: biometric lock/unlock, Virtual ID (a temporary, revocable 16-digit number that can be given to a requesting entity in place of the Aadhaar number), and authentication history review (a record of when and by which agency an Aadhaar number was authenticated).
- Biometric data, once compromised, cannot be changed like a password or PIN -- making preventive locking critical.