E-Sign Online electronic signature service, offers applications, a mechanism to replace manual paper-based signatures by integrating this service within their applications. An Aadhaar holder can electronically sign a form/document anytime, anywhere, and
on any device. E-Sign service facilitates significant reduction in paper handling costs, improves efficiency, and offers convenience to customers.
Document content that is being signed is not sent in the clear to eSign service provider. The privacy of signer's information is protected by sending only the one-way hash of the document to eSign online electronic signature service provider. Each signature
requires a new key-pair and certification of the new public key by a certifying authority. This back-end process is completely transparent to the signer. In addition, Aadhaar eKYC data is not sent back to the Application
Service Provider and is retained only within the eSign provider as eKYC audit record.
Yes. The electronic signatures facilitated through eSign online electronic signature services are legally valid, provided the eSign signature framework is operated under the provisions of Second schedule of the Information Technology Act and guidelines
issued by the controller. Please refer electronic signature or electronic authentication technique and procedure rules, 2015 e-authentication technique using Aadhaar e-KYC services.
At present, eSign online electronic signature service is offered by CAs. The security requirement for this service is mandated at the same level as currently mandated for CAs. A CA should sign KYC User Agency (KUA) agreement with UIDAI to enable access
to e-KYC service.
The communication between Application Service Provider and eSign- online electronic signature service is operated in accordance with eSign API specifications issued by CCA.
Customer’s consent is mandatorily prompted before electronically signing the document. As per the Aadhaar Act 2016, the consent of the customer shall be prompted before authentication with UIDAI. Also customer consent
is must for linking Aadhaar number with bank account number.
In the application implementation, an individual is identified using a code or number instead of name. For example in the case of income tax e-filing, the person is identified by a PAN number. It is a challenge for application to ensure that the individual
who has logged in using PAN id is the person who has signed the documents. Mapping (seeding) the individual’s application specific ID with their Aadhaar number in the ASP database is recommended to enable the authenticity
of the signature.
Upon the biometric or OTP authentication of the individual with the already verified information kept in the database of UIDAI, key pairs are generated and public key along with information received from UIDAI are submitted to CA for certification. Immediately
after signature is generated with the private key of individual, the key pairs are deleted. The key pairs are generated on secure hardware security module to ensure security and privacy. Audit log files are generated for
all events relating to the security of the eSign- online electronic signature service. The security audit logs are automatically collected and digitally signed by ASPs. All security audit logs, both electronic and non-electronic,
shall be retained and are audited periodically.
