Why should I even worry about Aadhaar security?

Because your Aadhaar number is connected to nearly every part of your financial and civic identity. Bank accounts, PAN card, mobile SIM registrations, mutual fund folios, LPG subsidy, income tax returns, EPF, passport applications, driving licence records, MGNREGA wage payments, property registrations in some states, digital health IDs under Ayushman Bharat. No other identification document in India touches as many systems simultaneously. If your voter ID gets compromised, the damage is limited to electoral rolls. If your driving licence number leaks, the practical risk is low. But if your Aadhaar is misused, the blast radius covers your finances, your government benefits, your telecom connections, and your credit history, all at once.

The numbers tell a disturbing story. The National Crime Records Bureau records thousands of identity fraud cases tied to Aadhaar every year, and those are only the ones that get reported. The actual incidence is certainly higher, because many victims either do not realise their Aadhaar has been misused or do not believe the complaint process will lead anywhere, so they stay silent. A 2018 investigation by The Tribune newspaper found that access to the Aadhaar database was being sold for Rs 500 by unauthorised agents. Security researchers found multiple state government websites displaying Aadhaar numbers of beneficiaries in plain text on public-facing pages. Databases containing Aadhaar numbers have appeared on dark web forums, sometimes bundled with names, addresses, and phone numbers.

UIDAI has disputed some of these reports and has tightened security measures since 2018, including adding layers of encryption, restricting the number of entities with authentication access, and introducing features like Aadhaar Lock and Virtual ID. But the history of incidents has established a pattern: the system-level protections are not enough on their own. You need to activate the user-level protections yourself.

Most people have not.

A UIDAI presentation from 2023 mentioned that Biometric Lock adoption among Aadhaar holders was still in the single digits as a percentage. Virtual ID usage remains low. The authentication history feature, which lets you check if anyone has used your Aadhaar without your knowledge, is virtually unknown among the general public. UIDAI built these tools. Almost nobody uses them. That gap between what is available and what is actually turned on is where the risk lives.

Can someone misuse my Aadhaar number alone?

The short answer is that the number by itself is not enough for the more serious types of fraud, but it is enough to get started. And "getting started" can still cause real damage.

The 12-digit Aadhaar number is not a secret in the way a password is. It has been printed on physical cards, photocopied and submitted at hundreds of offices, shared over email and WhatsApp, and stored in databases of varying security quality. UIDAI itself has said that sharing your Aadhaar number is not dangerous on its own because authentication requires either biometrics (fingerprint or iris) or an OTP sent to your registered mobile number. The number alone does not let someone pass authentication.

That said, the number combined with other details creates opportunities. If a fraudster has your Aadhaar number, your date of birth, your address, and your phone number (all of which can be purchased cheaply from data brokers or scraped from publicly available records), they can attempt to get a SIM card in your name using a corrupt agent at a telecom outlet. With a SIM in your name, they can receive OTPs. With OTPs, they can attempt bank transactions, e-KYC, or government service access.

There are documented cases of SIM swap fraud tied to Aadhaar. There are cases of microfinance loans taken using stolen Aadhaar details. There are cases of government subsidies being siphoned by redirecting Direct Benefit Transfer payments to a different bank account linked to someone else's Aadhaar. In one widely reported case from Rajasthan, over a hundred MGNREGA workers found that their wages had been drawn by someone else using their Aadhaar-linked accounts.

Biometric fraud is rarer because it requires physical cloning of fingerprints or iris patterns, but it is not hypothetical. Police in multiple states have arrested people who used silicone fingerprint moulds to pass Aadhaar-based biometric authentication at banks and ration shops. UIDAI introduced liveness detection to counter this, which checks whether the fingerprint belongs to a living person rather than a mould. The measure has made cloning harder, but no biometric system anywhere in the world has achieved a zero-fraud rate.

The core problem with biometric compromise is that you cannot reset your fingerprints. A stolen password can be changed. A stolen credit card can be replaced. Stolen biometrics are permanent. That is the reason locking your biometrics through UIDAI's tools is not optional. It is the single most effective thing you can do to limit risk.

How do I lock my Aadhaar biometrics?

There are two separate lock features, and understanding the difference between them matters.

Biometric Lock disables only fingerprint and iris-based authentication. OTP-based verification continues to work. Since almost every routine Aadhaar use — bank e-KYC, SIM activation, government portal login, Direct Benefit Transfer verification — works through OTP, there is very little practical downside to keeping Biometric Lock on permanently. The only time you might need to unlock biometrics is if a bank branch insists on fingerprint-based e-KYC instead of OTP-based e-KYC, which still happens at some branches that have not updated their processes.

To enable Biometric Lock: open the mAadhaar app (the official UIDAI app, available on Android and iOS), log in using your Aadhaar number and the OTP sent to your registered mobile, go to the "Biometric Lock" option, and toggle it on. You will receive an SMS confirmation. The same thing can be done through the UIDAI website at myaadhaar.uidai.gov.in under the "Security Settings" section. The whole process takes under two minutes.

Aadhaar Lock is more aggressive. It disables all authentication against your Aadhaar number, both biometric and OTP-based. Nobody can verify your identity through Aadhaar while it is locked, including you. It is the equivalent of putting your entire Aadhaar identity into cold storage. If you need to authenticate, you unlock it through the mAadhaar app (takes about 30 seconds), complete the verification, and lock it again immediately.

The best approach is to keep Biometric Lock on at all times and enable Aadhaar Lock whenever you are not actively in the middle of a verification process. If that sounds excessive, consider that the only time you need Aadhaar authentication is when you are physically present at a bank, telecom outlet, or government office. For the other 99% of the time, your Aadhaar should be locked.

One prerequisite applies to both features: your mobile number must be registered with UIDAI. If the number linked to your Aadhaar is outdated or you never registered one, you will need to visit an Aadhaar enrolment centre to update it. Without a registered number, you cannot lock, unlock, or use any of the self-service security features. Check your registered number by logging into myaadhaar.uidai.gov.in. If the last four digits shown do not match your current phone, get it updated at an enrolment centre before doing anything else. The update is free and typically takes one visit.

Should I use a Virtual ID instead?

Yes. Every time you can.

A Virtual ID (VID) is a temporary, revocable 16-digit number that maps to your Aadhaar but does not reveal your actual 12-digit Aadhaar number to the entity performing the verification. When a bank or telecom company runs e-KYC using your VID, the Aadhaar database confirms your identity, but the company never sees or stores your real Aadhaar number. If that company's database is later breached, your Aadhaar number is not in it.

Generating a VID is simple. Log into myaadhaar.uidai.gov.in, go to the "VID Generator" section, and request a new VID. It will be sent to your registered mobile number. You can also generate it through the mAadhaar app. The VID is valid until you generate a new one. Once you create a new VID, the old one stops working automatically. There is no limit to how many times you can regenerate.

For electronic verification, use the VID wherever the system accepts it. Banks, telecom companies, and government services that use Aadhaar-based e-KYC are supposed to accept VIDs. In practice, most major banks and all large telecom companies do. Smaller entities or individual agents may not be familiar with VIDs and might insist on your "real" Aadhaar number. In those situations, you can try educating them, but if they refuse, use the Masked Aadhaar option instead.

Masked Aadhaar is a downloadable PDF version of your Aadhaar where the first eight digits are replaced with "XXXX XXXX," leaving only the last four digits visible. It is a legally valid identity document and carries the same weight as a full Aadhaar card or e-Aadhaar. Download it from myaadhaar.uidai.gov.in under "Download Aadhaar" by selecting the "Masked Aadhaar" option. Use it for any situation where a physical copy is required: hotel check-in, job application, rental agreement, school admission.

Between VID for electronic use and Masked Aadhaar for physical copies, your actual 12-digit number almost never needs to leave your possession. That is the goal. The fewer places your real number exists, the smaller your exposure.

Is the mAadhaar app safe?

The mAadhaar app is the official mobile application developed by UIDAI. It is available on Google Play and the Apple App Store. It stores a copy of your Aadhaar profile on your phone, locked behind a PIN or biometric authentication (your phone's fingerprint or face unlock, not your Aadhaar biometrics). The app communicates with UIDAI's servers over encrypted connections.

Is it safe to use? Reasonably, yes. UIDAI has had the app audited, and it uses standard security protocols. The data stored on your device is encrypted. The app does not share your Aadhaar information with third-party apps on your phone.

There are practical cautions, though. If your phone is lost or stolen and the thief can bypass your phone's lock screen, they can potentially access your Aadhaar profile within the app. Set a strong PIN within mAadhaar separate from your phone's lock. Do not use 1234 or your birth year. If you lose your phone, log into the UIDAI website and change your security settings from there. Also, download the app only from official app stores. There have been fake "Aadhaar" apps on third-party APK sites that harvest personal information. The official developer name is "Unique Identification Authority of India" on both Android and iOS.

One thing the app cannot do: it cannot be used to change your Aadhaar details (name, address, date of birth, biometrics). For those changes, you still need to visit a physical enrolment centre. The app is a security and access tool, not an editing tool.

Can I check who has accessed my Aadhaar?

Yes, and you should be checking regularly.

UIDAI maintains a log of every authentication request made against your Aadhaar number. You can view up to six months of history at a time. Each log entry shows the date, the time, the type of authentication (biometric, OTP, or demographic), and the name of the entity that requested it.

To access this: go to myaadhaar.uidai.gov.in, log in with your Aadhaar and OTP, and look for the "Aadhaar Authentication History" option. Choose a date range, select the authentication type (or choose "all" to see everything), set the number of records you want to display, and view the results. Each entry should correspond to a verification you actually initiated. You verified your identity at a bank branch on a specific date? That entry should be there. You activated a new SIM last month? There should be a matching log.

Anything you do not recognise is a problem. An authentication entry from a date when you were not at any bank or telecom outlet, or from an entity you have never interacted with, suggests someone used your Aadhaar credentials without your knowledge. If you find something suspicious, do the following in order: take screenshots of every unrecognised entry (you need these as evidence), immediately enable both Aadhaar Lock and Biometric Lock through mAadhaar, and then file a complaint.

The complaint channels are: call UIDAI's helpline at 1947, file a written complaint at help.uidai.gov.in, and if the misuse involved money (a bank account opened in your name, a loan taken, subsidies redirected), also report at cybercrime.gov.in or call the national cybercrime helpline at 1930.

Build this into a monthly routine. Set a calendar reminder. Log in, check your authentication history, and move on. It takes three minutes. If everything matches, good. If something does not match, you have caught it early rather than discovering the damage months later when a collection agent calls about a loan you never took.

Does masking my Aadhaar number help?

The short answer is yes, but with a qualifier.

A Masked Aadhaar card hides the first eight digits of your 12-digit number, showing only the last four. This means that if you hand a Masked Aadhaar copy to a hotel receptionist, a gym, or an office for identity verification, they can see your name, address, photograph, and the last four digits, but they cannot see or record the full number. If that copy is later mishandled, photocopied by a staff member, or thrown into an unsecured pile of documents, the exposure is limited.

Masking does not make the document less valid. A Masked Aadhaar e-copy downloaded from the UIDAI portal carries the same legal validity as a full Aadhaar card. It has a digital signature from UIDAI. It is accepted for all purposes where an Aadhaar card is accepted as identity proof.

The qualifier is that masking only protects against casual exposure. If someone already has your full Aadhaar number from another source (a previous photocopy, a leaked database, a data broker), masking a new copy does not retroactively protect the number. Masking is a forward-looking defence. Use it for every new interaction where a physical copy is required. For past exposure, the protective measures are Aadhaar Lock, Biometric Lock, and regular monitoring of your authentication history.

One good habit: whenever you submit a physical Aadhaar copy to anyone, write the date and the purpose across the face of the copy in permanent ink. "For XYZ Bank KYC only — March 2026." This makes the copy harder to repurpose and creates a visual record of where it was intended to go. It will not stop a determined fraudster, but it reduces opportunistic misuse and establishes a paper trail if your copy surfaces somewhere it should not be.
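
For anyone who stores or publishes text that may contain Aadhaar numbers (scanned forms, support tickets, beneficiary lists), the same masking can be applied before the text is saved or shared. The Python code below is an added example, not UIDAI's code or part of the original article: it finds 12-digit candidates, confirms them with the Verhoeff check digit that Aadhaar numbers carry, and rewrites them in the Masked Aadhaar form. The function names, the pattern and the sample number are constructed for illustration.

```python
import re

# Verhoeff tables as digit strings: D is the dihedral-group multiplication
# table, P the position-dependent permutation, INV the group inverse.
D = ("0123456789 1234067895 2340178956 3401289567 4012395678 "
     "5987604321 6598710432 7659821043 8765932104 9876543210").split()
P = ("0123456789 1576283094 5803796142 8916043527 "
     "9453126870 4286573901 2793806415 7046913258").split()
INV = "0432156789"

# 12 digits, optionally grouped 4-4-4 with a space or hyphen, not embedded in
# a longer digit run. Aadhaar numbers do not begin with 0 or 1.
CANDIDATE = re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)")


def _fold(digits: str, offset: int) -> int:
    """Run the Verhoeff accumulation starting from the rightmost digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c


def verhoeff_valid(digits: str) -> bool:
    """True when the last digit is the correct Verhoeff check digit."""
    return _fold(digits, 0) == 0


def check_digit(body: str) -> str:
    """Check digit to append to `body` (used here only to build test data)."""
    return INV[_fold(body, 1)]


def sample_number(body11: str) -> str:
    """Build a checksum-valid test value from 11 constructed digits."""
    return body11 + check_digit(body11)


def mask_aadhaar(text: str) -> tuple[str, int]:
    """Return (masked text, count). Only checksum-valid candidates are
    masked, which cuts false positives on other 12-digit runs."""
    hits = 0

    def _sub(match: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"\D", "", match.group())
        if not verhoeff_valid(digits):
            return match.group()  # fails the checksum: leave untouched
        hits += 1
        return "XXXX XXXX " + digits[-4:]

    return CANDIDATE.sub(_sub, text), hits


if __name__ == "__main__":
    n = sample_number("29999999999")  # constructed, not a real person's number
    line = f"KYC copy received, Aadhaar {n[:4]} {n[4:8]} {n[8:]}, phone 9876543210"
    print(mask_aadhaar(line))
```

Roughly one in ten random 12-digit strings will also pass the checksum, so treat the hit count as candidates for review rather than confirmed Aadhaar numbers.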

How do I file a complaint about Aadhaar misuse?

Speed matters. The faster you act after discovering misuse, the better your chances of limiting damage and recovering any financial loss. Here is the sequence.

First, lock everything. Open mAadhaar and enable both Aadhaar Lock and Biometric Lock immediately. This stops any further authentication against your Aadhaar while you sort out the situation. Then go to myaadhaar.uidai.gov.in and download your authentication history for the past six months. Take screenshots of every entry you do not recognise. Save these to a folder you can access later. They are your primary evidence.

Second, report to UIDAI. Call the UIDAI helpline at 1947. Explain the situation. They will generate a complaint ticket. You can also file a written complaint through the UIDAI grievance portal at help.uidai.gov.in. Do both. The phone call gets you a faster initial response; the written complaint creates a documented record.

Third, if money is involved, report the financial fraud separately. Call the national cybercrime helpline at 1930. This line connects to the Citizen Financial Cyber Fraud Reporting and Management System, which can flag fraudulent bank accounts and trigger freezes on stolen funds. Have your bank account details, the dates and amounts of suspicious transactions, and any information about the fraudster's account ready when you call. If the line is busy, keep trying. Also file a report on the cybercrime.gov.in portal, where you can upload evidence files. And call your bank directly to report the fraud, block any compromised instruments, and request a chargeback.

Fourth, file a First Information Report at your local police station. Bring everything: the authentication history screenshots, your bank statements showing any fraudulent transactions, the complaint numbers from UIDAI and the cybercrime portal, a written chronological account of what happened, and your ID proof. Under Section 173 of the Bharatiya Nagarik Suraksha Sanhita 2023, police must register your FIR for a cognisable offence. If an officer tells you to "file online" or says it is not their jurisdiction, insist. Ask for a written refusal if they refuse. Note the officer's name and badge number. Escalate to the Superintendent of Police if needed.

Fifth, check your credit report. Go to cibil.com and pull your report. Look for any loans, credit cards, or financial accounts you did not open. If you find any, file disputes with CIBIL and with the lending institution directly.

You have legal backing for all of this. The Aadhaar Act 2016 makes impersonation using Aadhaar punishable by up to three years in prison. Tampering with the UIDAI database carries up to ten years. The IT Act covers identity theft as a separate offence. Under the DPDP Act 2023, if an entity leaked your Aadhaar data because of poor security practices, the Data Protection Board can fine them up to Rs 250 crore.

Are those Aadhaar recovery agents legitimate?

No. Almost without exception, they are running a second scam on top of the first one.

The pattern works like this: you lose money through an Aadhaar-related fraud. You file complaints, you post about it on social media, or your details show up in a list that circulates among scam networks. A few days or weeks later, someone contacts you — by phone, by WhatsApp, sometimes even by email — claiming to be a "recovery agent" or an "Aadhaar security consultant" or a representative of some official-sounding organisation. They tell you they can recover your lost money, fix your Aadhaar records, or remove your details from the "black market." All they need is a fee. Sometimes they ask for Rs 2,000. Sometimes Rs 10,000. Sometimes they ask for access to your phone or your Aadhaar OTP as part of the "recovery process."

It is all fraudulent. UIDAI does not charge any fee for complaint resolution. The police and cybercrime cells do not charge fees for investigation. No legitimate government agency will ask you to pay money to fix an identity theft problem. The "recovery agent" is either harvesting your remaining money or collecting your credentials to commit further fraud.

If someone contacts you offering to recover your money or fix your Aadhaar after a fraud incident, hang up. Do not share any information. Do not pay anything. Block the number. If they persist, report the number to your telecom provider and to the cybercrime portal as a separate incident.

The only legitimate channels for Aadhaar-related complaints are UIDAI's helpline (1947), the UIDAI grievance portal (help.uidai.gov.in), the cybercrime.gov.in portal, the 1930 helpline, and your local police station. Everything else is a scam until proven otherwise.

Also, watch out for "recovery agents" who contact victims and offer to get their money back for a fee. That is a second scam layered on top of the first one. UIDAI does not charge fees for complaint resolution. If someone asks for money to fix your Aadhaar problem, hang up.