Aadhaar is no longer a secret — the 12-digit number has been printed, scanned, photocopied and uploaded so many times that treating it as confidential is a losing game. The defender’s mindset in 2026 is different: assume the number is known, and lock down what someone can actually do with it. This guide walks Indian retail users and KYC teams through the four UIDAI-provided controls that genuinely move the needle, plus how to spot misuse and remediate it.
The four protections most people don’t use
UIDAI ships four free controls that, used together, neutralise most Aadhaar-driven fraud: Aadhaar Locking, Biometric Locking, Virtual ID and Masked Aadhaar. Adoption is poor because each protects a different surface and the names sound interchangeable. They are not. Aadhaar Locking blocks all authentication against your UID. Biometric Locking blocks only fingerprint and iris matches — the channel AePS fraud rides on. Virtual ID is a substitute identifier for everyday KYC. Masked Aadhaar is a redacted PDF for physical paperwork.
Aadhaar Locking — what it is and how to do it
Aadhaar Locking disables authentication against your UID number entirely. Once locked, nobody (including you) can run eKYC, demographic match or OTP-based authentication using your 12-digit Aadhaar until you unlock it. Your linkages — bank account, PAN, SIM — are untouched; existing services keep working. Only new authentication requests fail.
Online via uidai.gov.in
Visit myaadhaar.uidai.gov.in, sign in with Aadhaar + OTP, and choose Lock/Unlock Aadhaar. You’ll set up a 16-digit Virtual ID as a side effect — keep it noted because once Aadhaar is locked, only VID works for any future authentication you do choose to run.
SMS to 1947
From your Aadhaar-registered mobile number, send the following messages, in this format, to 1947:
- GETOTP <last 4 digits of Aadhaar> — you receive a 6-digit OTP.
- LOCKUID <last 4 of Aadhaar> <6-digit OTP> — Aadhaar locks.
- UNLOCKUID <last 6 of VID> <6-digit OTP> — to unlock later.
What locking blocks: eKYC, demographic authentication, OTP-based authentication keyed to your UID. What it doesn’t block: PVC card delivery, your existing bank/SIM linkages, statutory access by authorised agencies, or anything done through your VID (which is the whole point — you can still authenticate when you want to, using VID).
Biometric Locking — the more important one
If you only do one thing after reading this, do this. Biometric Locking is separate from Aadhaar Locking and blocks all fingerprint and iris-based authentication against your Aadhaar. This is the single most useful defence against AePS (Aadhaar-enabled Payment System) fraud, where attackers use cloned or skimmed fingerprint impressions at a Banking Correspondent’s micro-ATM to silently withdraw cash from your linked bank account — a pattern that has cost pensioners and welfare recipients thousands of crores in aggregate.
Enable it at myaadhaar.uidai.gov.in → Lock/Unlock Biometrics, or in the mAadhaar app under the same menu. It takes thirty seconds. When you genuinely need biometric KYC — say a new SIM activation or a property registration — unlock it, complete the transaction, and re-lock. UIDAI also offers a 10-minute auto-relock option in mAadhaar; use it.
Virtual ID (VID) — when to use it
A VID is a temporary, revocable, 16-digit number that maps to your Aadhaar without revealing it. Any agency that accepts Aadhaar for authentication is required to accept VID. You generate a new one whenever you want; the old one expires automatically. This is your everyday-use identifier.
Use VID instead of your raw Aadhaar number for:
- Telecom KYC and new SIM activation
- Employer onboarding and EPFO updates
- Hotel check-in (where ID is mandatory)
- Insurance and mutual fund KYC
- Any one-off authentication where you don’t trust the operator to dispose of records cleanly
Generate via mAadhaar (My Aadhaar → Generate VID), via SMS to 1947 with GVID <last 4 of Aadhaar>, or at myaadhaar.uidai.gov.in. Regenerate every few months — it costs nothing and limits the blast radius if a VID leaks.
Masked Aadhaar — for physical photocopies
When a hotel or a courier insists on a photocopy of your Aadhaar, hand over a Masked Aadhaar PDF instead. This is an official UIDAI-issued e-Aadhaar where only the last four digits of the UID are visible; the first eight are blacked out. It is legally equivalent to regular Aadhaar for proof-of-identity purposes under the Aadhaar Act, and accepted by all responsible verifiers.
Download from myaadhaar.uidai.gov.in → Download Aadhaar → tick Masked Aadhaar. The PDF is password-protected (first four letters of your name in caps + year of birth). Even with masking, do not share Aadhaar photocopies with informal vendors, second-hand-marketplace buyers, or anyone offering “easy loans” — the last four digits plus a clean photograph of your face and signature is enough to seed downstream KYC fraud.
mAadhaar app — features you’ll actually use
The official mAadhaar app (Android and iOS, published by UIDAI) is the single best place to manage day-to-day Aadhaar operations. Useful features:
- Digital Aadhaar copy — carry it on your phone instead of a printout
- QR code authentication — the verifier scans a QR from your app; no number is spoken aloud or photographed
- Aadhaar profile — view linked mobile, email, address on file
- Order Aadhaar Reprint — PVC card delivered to your address
- Generate VID — on-demand, no SMS round-trip
- Paperless offline eKYC — generate an XML/ZIP package with a share code, valid for limited verification without exposing your UID
- Lock/Unlock Biometrics — already covered above; this is the killer feature
Aadhaar Authentication History — the audit your bank should be doing for you
UIDAI logs every authentication request made against your Aadhaar for the past six months. Go to myaadhaar.uidai.gov.in → Authentication History, pick a date range, and review every entry. Each row shows the requesting Authentication User Agency (AUA), the type (Biometric, OTP, Demographic, e-KYC), and outcome.
Red flags: biometric attempts you don’t recognise (especially from AUAs you have no relationship with), repeated failed attempts in a short window (someone testing copies), or eKYC requests from financial entities you never approached. If you spot one, screenshot the transaction ID, lock biometrics immediately, and file a complaint via 1947 or grievances at uidai.gov.in. Make this a monthly habit — it takes two minutes.
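The monthly review above can be scripted once you export or transcribe the Authentication History rows. The following is an added example, not UIDAI code or an official export format: it assumes rows of (timestamp, AUA, type, outcome) and a user-maintained set of AUAs you actually deal with, and applies the three red flags just described.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows mirroring the columns of the Authentication History
# view (timestamp, AUA, auth type, outcome). Not real UIDAI data.
SAMPLE_HISTORY = [
    ("2026-01-03 10:12:00", "MyBank Ltd",          "OTP",       "Success"),
    ("2026-01-09 14:30:00", "QuickCash BC Agency", "Biometric", "Failure"),
    ("2026-01-09 14:31:10", "QuickCash BC Agency", "Biometric", "Failure"),
    ("2026-01-09 14:33:45", "QuickCash BC Agency", "Biometric", "Success"),
    ("2026-01-15 09:05:00", "Telco Services",      "e-KYC",     "Success"),
    ("2026-01-20 11:00:00", "FastLoan Finance",    "e-KYC",     "Success"),
]

# AUAs the user actually has a relationship with (assumed; the user maintains it).
KNOWN_AUAS = {"MyBank Ltd", "Telco Services"}


def find_red_flags(history, known_auas, window=timedelta(minutes=10), max_failures=2):
    """Return (flag, timestamp, AUA) tuples for the three red flags the guide lists:
    biometric attempts from unknown AUAs, repeated failures in a short window,
    and e-KYC from an AUA the user never approached."""
    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), aua, typ, out)
                  for ts, aua, typ, out in history)
    recent_failures = defaultdict(list)   # AUA -> timestamps of recent failures
    flags = []
    for ts, aua, typ, outcome in rows:
        if typ == "Biometric" and aua not in known_auas:
            flags.append(("unknown_aua_biometric", ts, aua))
        if typ == "e-KYC" and aua not in known_auas:
            flags.append(("unsolicited_ekyc", ts, aua))
        if outcome == "Failure":
            kept = [t for t in recent_failures[aua] if ts - t <= window] + [ts]
            recent_failures[aua] = kept
            if len(kept) >= max_failures:
                flags.append(("repeated_failures", ts, aua))
    return flags


def recommended_actions(flags):
    """Map flags to the guide's remediation steps, in the order to take them."""
    actions = []
    if any(f[0] in ("unknown_aua_biometric", "repeated_failures") for f in flags):
        actions.append("Lock biometrics now (myaadhaar.uidai.gov.in / mAadhaar)")
    if flags:
        actions.append("Screenshot the transaction IDs of the flagged rows")
        actions.append("File a complaint via 1947 or uidai.gov.in grievances")
    return actions


if __name__ == "__main__":
    found = find_red_flags(SAMPLE_HISTORY, KNOWN_AUAS)
    for flag, ts, aua in found:
        print(f"{ts:%Y-%m-%d %H:%M}  {flag:<22} {aua}")
    print("\n".join(recommended_actions(found)))
```

On the constructed rows the unknown BC agency is flagged three times, its two failures 70 seconds apart trigger the repeated-failure rule, and the lender's e-KYC is flagged as unsolicited; the known bank and telco rows are silent.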
AePS / Aadhaar Pay fraud — the pensioner silent-withdrawal pattern
The dominant Aadhaar-linked fraud in 2025-26 has been AePS silent withdrawals. The pattern: an attacker obtains a fingerprint impression — from a leaked land-records database, a coercive Point-of-Sale terminal, a wax/silicone clone, or a rogue Banking Correspondent — and combines it with the victim’s Aadhaar number (sourced from any of the public PDF leaks). They walk into a different BC’s micro-ATM and withdraw the maximum daily AePS limit, repeatedly, until the linked account is drained. Victims tend to be elderly pensioners and DBT recipients who don’t get SMS alerts in time.
The defence stack is straightforward: keep Biometric Locking on by default (this alone defeats the attack), enable transaction SMS/email alerts on the Aadhaar-linked bank account, monitor Authentication History monthly, and set up biometric lock for any elderly relatives you support. Banks must reverse unauthorised AePS debits under RBI’s customer-protection circular if reported within three working days; the burden of proof shifts after that.
Compliance and your right to remediate
You have multiple statutory routes when something goes wrong. Pick the one that matches the issue:
| Issue | Authority | Remedy | Timeline |
|---|---|---|---|
| Aadhaar misuse / unrecognised authentication | UIDAI — call 1947, file at uidai.gov.in/grievances | Lock Aadhaar + Biometrics; investigation of AUA | Acknowledgement in 7 days; resolution typically 30 days |
| Biometric leak / AePS unauthorised debit | UIDAI + your bank (lodge dispute under RBI customer-protection framework) | Provisional reversal of debit; biometric lock | Report within 3 working days for zero liability |
| Data fiduciary misusing Aadhaar / linked data | Data Protection Board under DPDP Act (once fully operational) | Penalty up to Rs. 250 crore on the fiduciary; correction/erasure rights | Statutory hearing process |
| Financial fraud arising from Aadhaar misuse | National Cyber Crime helpline 1930 / cybercrime.gov.in | Account freeze / fund-trail action via banks | Golden hour: first 60 minutes after debit |
Note the overlay: the Aadhaar Act, 2016 governs UIDAI and authentication ecosystem participants, while the DPDP Act, 2023 governs any entity that processes your personal data — including Aadhaar-linked data. After DPDP is fully notified, the Data Protection Board becomes the right forum for misuse by a private fiduciary (a bank’s KYC team that retained your Aadhaar XML without consent, for example), while UIDAI remains the right forum for authentication-layer issues.
What’s changing in 2026-27
Three shifts worth tracking. First, UIDAI’s next-generation Authentication APIs move more verification on-device, reducing biometric data transmitted to CIDR. Second, Face Authentication (already live for Jeevan Pramaan and some DBT schemes) is expanding as a fingerprint fallback, especially for elderly users; the trade-off is face-spoofing risk, which UIDAI is mitigating with liveness detection. Third, DPDP Section 11’s correction-and-erasure rights start applying to biometric data held by private fiduciaries — expect the first DPDP Board orders against entities that hoard Aadhaar XML past its authentication purpose.
Further reading
- DPDP Act, 2023 — a practical compliance guide
- IT Act and Rules — what still applies after DPDP
- India compliance overview — DPDP, RBI, SEBI, CERT-In
- How to report cybercrime in India — 1930, NCRP and beyond