digital indians

UPI upgrade aims to let India’s smartphone users make payments using Aadhaar-linked fingerprints

The next update to the digital payment system could come with biometric authentication as an alternative to PINs.

The United Payments Interface, a digital application that allows users in India to transact across 30 banks using their smartphones, is set for a big overhaul. It may allow users to authenticate transactions using the scans of their irises or fingerprints linked to their Aadhaar numbers, according a draft paper published by the National Payments Corporation of India, an umbrella organisation of banks that has developed the interface. Aadhaar is the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have.

So far, payments on UPI require a Personal Identification Number. Launched in August 2016, the interface had gained popularity after Prime Minister Narendra Modi demonetised 86% of currency in circulation in November.

According to the paper, two other features could be introduced soon. First is the ability to automate recurring payments, similar to the way customers give their banks standing instructions to transfer money on a regular basis to a particular entity. The draft paper also suggests a feature that will protect consumers against hoax entities pretending to be merchants. Through this feature, bankers will have to ensure that a merchant demanding money is registered with the National Payments Corporation of India and partner banks. Entities that are not registered will be able to send transaction requests too, but the United Payments Interface is likely to flag those requests with a warning.

The paper was released largely for coders and developers. It was reviewed by and it suggests that the service could use Aadhaar-linked biometrics to bypass the use of Personal Identification Number or PIN to authorise transactions. The paper says this could result in more efficiency as users often forget their PIN, or make mistakes while entering it to authenticate transactions.

The draft paper states: “While PIN has been used across the payment systems, the issues related to this such as users having to remember multiple PINs, forgetting PIN or entering wrong PIN have been the major cause of the transaction declines.”

The paper adds that there is an additional security concern in case of phone theft when the thief could make a transaction by simply entering the PIN – all of which, the paper claims, could be fixed by allowing for biometric authentication. This feature, however, is going to be optional as the PIN will remain the default authentication source for those unwilling to move to biometrics, the paper states.

“Biometrics is emerging as an effective mechanism to both identifying users as well as authorising any financial transactions,” it adds, giving the example of the Unique Identification Authority of India, which has generated 116 crore 12-digit Aadhaar numbers using biometrics.

The United Payments Interface integrates bank accounts with mobile phone numbers and allows people to pay or receive money in real time through the mobile apps of their respective banks, or through common apps such as Bhim and PhonePe. This payment mode saw a surge in usage after demonetisation as depicted in the chart below, with more than 1.6 crore transactions a month taking place on the United Payments Interface platform.

For the second version of the payments interface, the government is hoping that mobile manufacturers will soon start producing phones with biometric capabilities that are compatible with Aadhaar.

This will allow the United Payments Interface’s own biometric authentication to go through seamlessly by linking it through Aadhaar’s central depository of biometrics, which can verify a user’s biometrics and provide the approval for the transaction if the biometrics match, or decline a transaction in case it does not.

Here is the proposed transaction flow, according to the draft document put out by the National Payments Corporation of India.

Transaction flow for a biometrics-based United Payments Interface transaction.
Transaction flow for a biometrics-based United Payments Interface transaction.

As seen in the chart above, the process flow will involve a user opting for biometric authentication instead of a PIN to authenticate transactions. When the user makes a transaction, their biometric input such as fingerprints or iris scans will be forwarded to the Unique Identification Authority of India, which will then verify it with its own database and reply with a yes/no response. If the response is positive, the banks of the two entities involved in the transaction are debited and credited.

“This functionality will be available to the entire UPI ecosystem and users with compatible smartphones shall be able to use this as an alternative to authorize transaction. Inclusion of Iris authentication and fingerprint into UPI will not only make payments more secure but will also take a huge leap towards integrating next generation technology with current payments system.”

— National Payments Corporation of India's draft paper on UPI 2.0

However, it is not as if the use of biometrics to authenticate financial transactions is not without concerns. On Sunday, the Uttar Pradesh Police arrested 10 men in connection with a racket in which they created fake Aadhaar numbers after they cloned biometrics of Aadhaar enrolment operators to access the Unique Identification Authority’s official client application.

In its defence, the Aadhaar authority said in a press release on Monday that it filed the First Information Report in the Uttar Pradesh case itself and its system is “robust” enough to detect “anomalies and abnormal activities” in the enrollment process. It added that its systems and data cannot be breached. The agency said that this is because it only accepts Unique Identification Authority of India-certified devices for the enrollment and authentication of individuals. However, if the device is not as per the authority’s standards, the system rejects the attempt to breach the system automatically, the authority added.

A representative of the corporate communications division of the National Payments Corporation of India said on the phone that the organisation would not comment on the draft at this stage. An email questionnaire to National Payments Corporation of India went unanswered and this report will be updated if and when the organisation responds to the queries.

Recurring payments made easy

The document also pointed to the possibility of the United Payments Interface ecosystem allowing users to make recurring payments such as bills for utilities or credit cards using standing instructions. The update is likely to allow users to permit their accounts to be debited by their respective billing companies, and the money will be transferred in real time using the United Payments Interface each time the bill is due without the customer having to intervene.

The draft states that even as the United Payments Interface currently offers the quick response or QR code functionality already to receive or send money, the next version will likely come with the ability to do the same for recurring payments.

Introducing trust

Another change that could come in UPI 2.0 is the introduction of “trusted sources”, which refers to merchants who can register with the National Payments Corporation of India to guard their customers against fraudulent entities pretending to be them. This system will be called “signed intent” as each collection request from a registered merchant will come with a digital signature of the bank verifying that they are real.

This is likely to be done by registering merchants with the National Payments Corporation of India and banking partners. Afterwards, any collect request from the merchant will be verified against their registered key at the bank, and the user will get a signed notification to be able to transfer money securely.

In case the request cannot be verified as one made from a trusted source, the application for the United Payments Interface will flag those requests with a warning. The draft suggests that this will allow people to be sure that the entity they are paying using the interface is a legitimate one.

We welcome your comments at
Sponsored Content BY 

The ordeal of choosing the right data pack for your connectivity needs

"Your data has been activated." <10 seconds later> "You have crossed your data limit."

The internet is an amazing space where you can watch a donkey playing football while simultaneously looking up whether the mole on your elbow is a symptom of a terminal diseases. It’s as busy as it’s big with at least 2.96 billion pages in the indexed web and over 40,000 Google search queries processed every second. If you have access to this vast expanse of information through your mobile, then you’re probably on something known as a data plan.

However, data plans or data packs are a lot like prescription pills. You need to go through a barrage of perplexing words to understand what they really do. Not to mention the call from the telecom company rattling on at 400 words per minute about a life-changing data pack which is as undecipherable as reading a doctor’s handwriting on the prescription. On top of it all, most data packs expect you to solve complex algorithms on permutations to figure out which one is the right one.


Even the most sophisticated and evolved beings of the digital era would agree that choosing a data pack is a lot like getting stuck on a seesaw, struggling to find the right balance between getting the most out of your data and not paying for more than you need. Running out of data is frustrating, but losing the data that you paid for but couldn’t use during a busy month is outright infuriating. Shouldn’t your unused data be rolled over to the next month?

You peruse the advice available online on how to go about choosing the right data pack, most of which talks about understanding your own data usage. Armed with wisdom, you escape to your mind palace, Sherlock style, and review your access to Wifi zones, the size of the websites you regularly visit, the number of emails you send and receive, even the number of cat videos you watch. You somehow manage to figure out your daily usage which you multiply by 30 and there it is. All you need to do now is find the appropriate data pack.

Promptly ignoring the above calculations, you fall for unlimited data plans with an “all you can eat” buffet style data offering. You immediately text a code to the telecom company to activate this portal to unlimited video calls, selfies, instastories, snapchats – sky is the limit. You tell all your friends and colleagues about the genius new plan you have and how you’ve been watching funny sloth videos on YouTube all day, well, because you CAN!


Alas, after a day of reign, you realise that your phone has run out of data. Anyone who has suffered the terms and conditions of unlimited data packs knows the importance of reading the fine print before committing yourself to one. Some plans place limits on video quality to 480p on mobile phones, some limit the speed after reaching a mark mentioned in the fine print. Is it too much to ask for a plan that lets us binge on our favourite shows on Amazon Prime, unconditionally?

You find yourself stuck in an endless loop of estimating your data usage, figuring out how you crossed your data limit and arguing with customer care about your sky-high phone bill. Exasperated, you somehow muster up the strength to do it all over again and decide to browse for more data packs. Regrettably, the website wont load on your mobile because of expired data.


Getting the right data plan shouldn’t be this complicated a decision. Instead of getting confused by the numerous offers, focus on your usage and guide yourself out of the maze by having a clear idea of what you want. And if all you want is to enjoy unlimited calls with friends and uninterrupted Snapchat, then you know exactly what to look for in a plan.


The Airtel Postpaid at Rs. 499 comes closest to a plan that is up front with its offerings, making it easy to choose exactly what you need. One of the best-selling Airtel Postpaid plans, the Rs. 499 pack offers 40 GB 3G/4G data that you can carry forward to the next bill cycle if unused. The pack also offers a one year subscription to Amazon Prime on the Airtel TV app.

So, next time, don’t let your frustration get the better of you. Click here to find a plan that’s right for you.


This article was produced by the Scroll marketing team on behalf of Airtel and not by the Scroll editorial team.