India has introduced sweeping changes to its Aadhaar authentication and offline verification regime, expanding the use of digitally verifiable credentials while tightening oversight of entities that handle identity checks.
The Unique Identification Authority of India (UIDAI) has notified new regulations governing Aadhaar authentication and offline verification. Published in the Gazette of India on December 9, 2025, the amendments broaden the scope of offline verification while imposing new compliance obligations on agencies that handle Aadhaar-based processes.
The reforms mark one of the most extensive updates to India’s identity verification architecture since the Aadhaar Act came into force, aiming to enhance privacy safeguards, ensure accountability, and promote the use of secure digital credentials.
Introducing New Forms of Verification: Paperless, Verifiable Credentials and More
The revised rules formally introduce multiple new offline verification methods, expanding beyond simple QR scanning. According to the notification, UIDAI will now permit:
- QR Code verification,
- Aadhaar Paperless Offline e-KYC,
- Aadhaar Verifiable Credential checks,
- e-Aadhaar authentication,
- Offline Paper-based verification, and
- Other methods as approved over time.
A notable addition is the Aadhaar Verifiable Credential, defined as a digitally signed document containing select Aadhaar demographic data. Stored securely and cryptographically validated, the credential is intended to reduce dependence on live database authentication and mitigate privacy risks.
The regulations also introduce “Offline Face Verification”, allowing a captured face image to be matched locally with the Aadhaar holder’s photograph embedded in the credential — without transmitting biometrics over networks.
Registration, Oversight and Penalties for Verification Entities
One of the most consequential changes is the formalization of entities known as Offline Verification Seeking Entities (OVSEs). Any organization seeking to perform offline Aadhaar checks must now apply for registration with UIDAI, provide detailed documentation, and meet technical and procedural standards.
UIDAI is empowered to:
- evaluate applications,
- conduct inspections,
- request clarifications or additional documentation, and
- suspend or revoke access in case of violations.
The notification outlines clear grounds for enforcement, including misuse of verification facilities, failure to follow UIDAI-prescribed standards, non-cooperation during audits, or facilitating identity misuse.
Importantly, entities must be given an opportunity to be heard before punitive action is taken, aligning the rules with principles of natural justice.
Mandatory Surrender Procedures and Transition Obligations
The updated rules introduce a structured process for surrendering verification access, applicable when an OVSE discontinues operations or chooses to exit the ecosystem. Before surrender is approved, UIDAI may require the entity to:
- provide logs of verification transactions,
- hand over grievance redressal records, and
- settle financial obligations with the Authority.
The changes are intended to ensure continuity, traceability and auditability — key elements in preventing misuse of Aadhaar credentials after an entity exits the system.
A Push Toward Secure, Decentralized Identity in India
The reforms reflect India’s shift toward decentralized identity verification, reducing dependency on real-time biometric authentication and encouraging verifiable credentials stored with the user. This aligns Aadhaar with international digital ID trends, balancing usability with privacy and cyber-security concerns.
The UIDAI notification emphasizes that updated rules will “come into force on the date of publication,” signalling immediate operational changes for banks, telecom companies, fintech firms, and any institution relying on Aadhaar-based verification.
