[jace]

The numbers are not generated on the client side. An enrollment packet is, containing biometrics and demographics, for which a number will be generated using biometric deduplication server-side.

The catch: only residents (not citizens) of India are authorised to have a number. Because one person technically cannot have more than one Aadhaar number (reality: ha!), the theory is that a government subsidy database needs one unique Aadhaar number per beneficiary.

This theory breaks down when you enroll an individual who does not need an Aadhaar number because they are not a resident. That number can be misused by another resident to get a second entry into the database, and it's a perfectly legitimate number linked to an Indian phone number that can receive an OTP and behave indistinguishably from a resident.

Fake enrolments are the equivalent of a hack of the US SSN system that would allow anyone anywhere in the world to make an SSN for themselves. What could they possibly do with that?