by shripadk 2997 days ago
By authenticate I mean Aadhaar transaction authentication. Say you are filing your tax returns. There are currently three ways to authenticate that the tax return was indeed filed by you:

1. You take a print out of the acknowledgement, sign it and send it to a centralised tax processing unit.

2. You purchase a digital signature and sign it using the same (requires you to be slightly tech savvy). Not to mention the cost of acquiring the digital signature and the fact that you need to keep renewing it every few years.

3. Just authenticate using your Aadhaar number. An OTP will be sent to your mobile number and you just need to enter the same on screen. Once verified, you have digitally signed and submitted your tax return.

I find option 3 really appealing. This is just one practical example of where one can use Aadhaar and OTP for authentication.


I've filed my tax returns with just my PAN card and without using a DSC. This might be different for a registered organization where CAs must handle DSCs I think, but you could file your Individual taxes without printing/using a DSC/Aadhaar by just creating a new account linked to your PAN.

The fact that they used OTP (and tout it as a security feature) is so disheartening.

I am not the SIM card in my phone. Switching legal consent to a mere 6-digit OTP is a terrible idea. Even more so because SMS is unencrypted and a terrible way of sending secrets. There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes in force everywhere.

I'm just tempted to take a large-strength antenna and build an Aadhaar-OTP wardriving tool.

> The fact that they used OTP (and tout it as a security feature) is so disheartening

I do not anywhere mention it as a security feature. I actually mention that I find it appealing as I don't want to go through the hassle of obtaining a DSC just to verify my returns. e-Verifying through Aadhaar is simpler. To expect someone to hack it is quite remote as it would require knowledge of multiple things: my Aadhaar number, access to my network, knowing the date and time of when I decide to file my returns, having to utilise the OTP before I use it or it expires. It's possible for a really concerted attacker, but then I start to question his sanity. It's much easier to just break into my home and get me to sign at gunpoint. ;)

I should have been more clear. I'm talking about after filing of returns. You have to verify it. It's either sending the signed acknowledgement to CPC or e-verifying it digitally. Have you sent the signed acknowledgement to CPC? It's mandatory to send the acknowledgement to CPC if you haven't digitally signed it using DSC or Aadhaar. Please check with your CA as the rules are the same for personal and corporate income tax.

EDIT: Procedure to verify your submitted tax return: https://www.hrblock.in/guides/itrv-download-guide/

Ahh, thanks for the clarification. My bank supported e-Verify (EVC on the link you gave) via netbanking so it worked out.

Apparently, there are other EVC methods as well (ATM/mutual fund)

> There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes in force everywhere.

I agree with you on this. Currently, however, this is how it is with everything online. Take any 2FA service. It's either SMS based or through Google Authenticator/YubiKey etc. To expect non-tech-savvy people to use a YubiKey or Google Authenticator is going to be a hard sell.

> I'm just tempted to take a large-strength antenna and build an Aadhaar-OTP wardriving tool.

Hahaha! Provided you know the Aadhaar number for the associated OTP as well ;)

I agree that the alternative is not great either. But when you design a system for a billion people, you need to take into account how easily people can be phished in India for OTPs.
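The thread above argues over how small the attacker's window really is. An added illustration (not Aadhaar's, UIDAI's or the income-tax portal's actual code) of the server-side checks that keep that window small: the OTP is single-use, expires quickly, tolerates only a few guesses, and is bound to the one document being signed, so an intercepted code cannot be replayed against something else. `OtpVerifier`, `OTP_TTL_SECONDS` and `MAX_ATTEMPTS` are assumed names and values.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed value: short validity limits the "use it before it expires" race
MAX_ATTEMPTS = 3        # assumed value: a 6-digit code must not be guessable within its window


class OtpVerifier:
    """Single-use, time-limited 6-digit OTP bound to one specific document (e.g. an ITR acknowledgement)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # subject -> [otp_hash, document_hash, expiry_time, attempts_left]
        self._pending = {}

    @staticmethod
    def _digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def issue(self, subject: str, document: bytes) -> str:
        """Create an OTP for this subject AND this document; the caller sends it out-of-band (SMS etc.)."""
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[subject] = [
            self._digest(otp.encode()), self._digest(document),
            self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS,
        ]
        return otp

    def verify(self, subject: str, otp: str, document: bytes) -> str:
        """Return 'ok' or a rejection reason. Success, expiry and lock-out all consume the OTP."""
        rec = self._pending.get(subject)
        if rec is None:
            return "no-pending-otp"          # never issued, already used, or already invalidated
        otp_hash, doc_hash, expiry, _ = rec
        if self._clock() > expiry:
            del self._pending[subject]
            return "expired"
        otp_ok = hmac.compare_digest(otp_hash, self._digest(otp.encode()))
        doc_ok = hmac.compare_digest(doc_hash, self._digest(document))
        if not (otp_ok and doc_ok):          # a code for one document never signs another
            rec[3] -= 1
            if rec[3] <= 0:
                del self._pending[subject]
                return "locked-out"
            return "wrong-otp-or-document"
        del self._pending[subject]           # single use: a replayed code is refused
        return "ok"
```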

Wardriving Plan:

1. Google for '"Mera Aadhaar, Meri Pehchaan" filetype:pdf'

2. Find someone working at UIDAI on that list