Getting an Aadhaar, updating it, and using mAadhaarAadhaar enrolment, demographic and biometric updates, and the mAadhaar application sit inside a layered statutory regime — the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 read with the Aadhaar (Enrolment and Update) Regulations, 2016 and the Aadhaar (Authentication and Offline Verification) Regulations, 2021 — that the Supreme Court reorganised in Justice K S Puttaswamy (Retd) v Union of India, (2019) 1 SCC 1 by reading down S Aadhaar enrolment under Section 3, demographic andbiometric updates under the 2016 Regulations
[ Everyday Law ]

Getting an Aadhaar, updating it, and using mAadhaar

Aadhaar enrolment, the demographic and biometric update process, and the mAadhaar application sit inside a layered statutory regime — the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 read with the Aadhaar (Enrolment and Update) Regulations, 2016 and the Aadhaar (Authentication and Offline Verification) Regulations, 2021 — that the Supreme Court reorganised in Justice K S Puttaswamy (Retd) v Union of India, (2019) 1 SCC 1 by reading down Section 33 and striking down Section 57 as it then stood. The constitutional anchor remains the nine-judge ruling in Justice K S Puttaswamy (Retd) v Union of India, (2017) 10 SCC 1. This guide walks the enrolment process under Section 3, the demographic and biometric update routes under Regulations 17 to 23 of the 2016 Regulations, the mAadhaar and Offline e-KYC architecture introduced by the 2019 amendment, and the grievance pathway that follows from a UIDAI refusal.

An Aadhaar number is not a citizenship document. Section 9 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is unusually explicit on the point — the Aadhaar number "shall not, by itself, confer any right of, or be proof of, citizenship or domicile in respect of an Aadhaar number holder". What it is, under Section 3, is a unique identifier issued to every "resident" — a person who has resided in India for a hundred and eighty-two days or more in the twelve months immediately preceding the date of application — on the strength of demographic and biometric information submitted to an enrolling agency. The number itself is generated by the Unique Identification Authority of India (UIDAI), the statutory authority established under Section 11. The architecture is by now familiar to every Indian resident, but the four interlocking statutory layers that govern enrolment, update, authentication and Offline e-KYC — the 2016 Act, the 2016 Enrolment Regulations, the 2021 Authentication Regulations, and the 2020 Good Governance Rules — are not. The Supreme Court's 4:1 ruling in Puttaswamy II, (2019) 1 SCC 1, then read this statutory architecture against the privacy ceiling laid down by the unanimous nine-judge Bench in Puttaswamy I, (2017) 10 SCC 1, and reshaped parts of it — most prominently Section 33 (judicial disclosure) and Section 57 (private-actor authentication). This article sets out, in turn, how to enrol, how to update, how mAadhaar and the Virtual ID work, and what to do when UIDAI refuses.

The statutory architecture — three regulations on top of one Act

The Aadhaar Act, 2016 is the parent statute. Section 3 confers the right to obtain an Aadhaar number on every resident; Section 4 sets the properties of the number — random, unique, and non-transferable; Section 5 confers a duty on UIDAI to take special measures for women, children, senior citizens, persons with disabilities and other groups; Section 6 obliges UIDAI to update the data on the request of the holder; Section 7 is the gateway provision that authorises the Central Government to make Aadhaar authentication a condition for receiving any subsidy, benefit or service drawn from the Consolidated Fund; Section 8 sets up the authentication mechanism; and Section 29 governs the use and protection of identity information and authentication records. Section 33, as read down by Puttaswamy II, permits disclosure pursuant to an order of a court not below the rank of a High Court Judge and after hearing the Aadhaar number holder. Section 57, in the form in which it was struck down, had permitted "any body corporate or person, pursuant to any contract" to demand Aadhaar authentication for establishing an individual's identity — the 4:1 majority in Puttaswamy II held this disproportionate.

The Aadhaar (Enrolment and Update) Regulations, 2016 are the working manual. Regulation 3 lists eligibility; Regulations 4 to 10 cover the demographic and biometric capture process; Regulation 12 covers the issue of the Aadhaar number and the e-Aadhaar; Regulations 13 to 16 cover the role of the enrolling agency and the supervisor; Regulations 17 to 23 cover the demographic and biometric update routes — including the mandatory biometric refresh for children at the ages of five and fifteen years (Regulation 20). Regulation 27 lists the documents accepted as proof of identity, address and date of birth.

The Aadhaar (Authentication and Offline Verification) Regulations, 2021 — replacing the 2016 Authentication Regulations after the post-Puttaswamy II amendments — govern the use of Aadhaar for authentication, the Virtual ID, masked Aadhaar, and the Offline e-KYC architecture. These were notified to give effect to Sections 4(3) and 8A, inserted by the Aadhaar and Other Laws (Amendment) Act, 2019 to provide for voluntary use of Aadhaar by entities outside Section 7.

The Aadhaar Authentication for Good Governance Rules, 2020, notified on 5 August 2020 and amended in November 2022, supply the third tier — they list the purposes for which a Ministry, Department or State Government may, in good governance, allow Aadhaar authentication on a voluntary basis. The Rules and the amendments operate as the secondary-legislation route through which the post-Puttaswamy II voluntary-authentication architecture has been progressively expanded. The UIDAI Master Direction on Enrolment and Update consolidates the operational practice for enrolling and update agencies.

Enrolment under Section 3 — the documents, the centre, the EID

Aadhaar enrolment under Section 3 read with Regulation 4 is on a voluntary basis for the individual — a point that the Puttaswamy II majority emphasised — though it has become a practical requirement for participation in most government programmes through Section 7 notifications. The resident is required to submit demographic information (name, date of birth, gender, address) and biometric information (photograph, fingerprints of all ten fingers, and iris scans of both eyes). Section 2(g) defines "biometric information" as photograph, fingerprint, iris scan and "such other biological attributes of an individual as may be specified by regulations" — the "core biometric information" subset under Section 2(j) and Regulation 8 excludes the photograph and is the subset that may not be shared in any form for any reason whatsoever under Section 29(1).

Regulation 27 specifies the documents that may be furnished. Proof of identity may be the PAN card, passport, driving licence, voter ID, ration card, government photo identity card, or specified service identity card. Proof of address includes the passport, bank or post-office passbook, ration card, voter ID, driving licence, electricity bill, water bill, telephone landline bill, property-tax receipt, gas connection bill, registered sale/lease/rent agreement, signed letter from a bank on letterhead, or a signed letter from a gazetted officer. Proof of date of birth includes a birth certificate, SSLC certificate, passport, or PAN. Where a resident does not possess any of the documents, the enrolment may proceed on the basis of a head-of-family introduction under Regulation 7 (head-of-family route) or through an authorised introducer under Regulation 13.

The resident visits an Aadhaar enrolment centre — these are operated by registrars of UIDAI, typically nationalised banks, post offices and the Common Service Centres. The enrolling agency captures the demographic and biometric data, generates an Enrolment Identification Number (EID), and provides an acknowledgement slip carrying the EID and a date-and-time stamp. The EID is the resident's interim identifier until the Aadhaar number is generated. Generation is not automatic — UIDAI performs a de-duplication check against the Central Identities Data Repository (CIDR), and a number is issued only on a successful clearance. The Aadhaar number is then communicated to the resident by post on the address furnished at enrolment, and the e-Aadhaar may be downloaded from the UIDAI portal using the EID and a one-time password sent to the registered mobile number.

Two practical points. First, enrolment is not a one-attempt process — a resident whose biometric capture fails (a common occurrence for senior citizens and manual labourers whose fingerprints are worn) may be enrolled with a "biometric exception" notation under Regulation 6, with the photograph and one set of demographic data anchoring the entry. Second, an enrolment that is rejected at the de-duplication stage — typically on the suspicion that the resident has enrolled before under a different name or with different demographic data — produces a "rejected" status that the resident has to address by approaching UIDAI's grievance mechanism through the toll-free 1947 helpline, the UIDAI portal, or the regional office.

Demographic update — name, address, date of birth, mobile, email

Regulations 17 to 19 of the 2016 Enrolment and Update Regulations govern the demographic update. The five fields that can be updated through the demographic route are name, date of birth, gender, address, and the linked mobile number and email. The updates can be initiated through three channels — the Self-Service Update Portal (SSUP) for an online update of address with a supporting document, an enrolment centre for any of the five fields, or a postal-update request for address (now largely phased out in favour of the online route).

The number of times each field can be updated is capped. Name can be updated twice in the lifetime of the Aadhaar number; date of birth can be updated only once and only within a narrow band (within plus-or-minus three years of the originally declared date for those who did not have a documentary proof of date of birth at enrolment); gender can be updated once; address can be updated multiple times subject to documentary support. Each update requires the resident's biometric authentication (fingerprint or iris) at an enrolment centre — the SSUP route requires only the OTP-based authentication on the registered mobile number, which is the source of friction for residents whose mobile number is outdated.

This last point is operationally consequential. The mobile-number update is the prerequisite for almost every other update — the OTP on which UIDAI's authentication architecture rests is sent to the registered mobile number, and a resident whose number has changed since enrolment is locked out of the SSUP and the mAadhaar app until the mobile number is re-registered at a physical enrolment centre. Regulation 17(3) treats the mobile number as a "demographic information" field; an update requires biometric authentication at the centre and produces an Update Request Number (URN), used to track the request through the UIDAI portal. The 90-day update cycle that UIDAI advertises is the outer limit; routine address and mobile updates are typically completed within seven working days.

Where a documentary proof of the requested update is not available, the head-of-family route under Regulation 17(2) permits an update with a signed certificate from the head of the family (typically the spouse or a parent), supported by that head's own Aadhaar and proof of relationship. This route is used most often for women who change their name on marriage, and for residents who move into the homes of relatives without an independent proof of address.

Biometric update — the 5/15 refresh and the Section 6 obligation

Regulation 20 of the 2016 Regulations imposes the mandatory biometric refresh for children. A child enrolled below the age of five is issued an Aadhaar number on the basis of the photograph and the demographic information alone, without fingerprint or iris capture — the biometric information of a child under five is treated as not fully formed. The child is required to be brought to an enrolment centre on attaining the age of five for the first mandatory biometric update (MBU-5), and again on attaining the age of fifteen for the second mandatory biometric update (MBU-15). The failure to update results in the Aadhaar number being deactivated under Regulation 26, with the resident required to undergo a fresh authentication for reactivation.

Section 6 of the Act creates a parallel obligation on UIDAI to update demographic and biometric information from "time to time", in such manner as may be specified by regulations, so as to ensure the continued accuracy of the information in the CIDR. This is the textual hook for the periodic re-verification exercises that UIDAI has run — most recently, the document-update push announced in 2023 that asked residents whose Aadhaar was more than ten years old to re-verify documents through the SSUP or at an enrolment centre. The legal status of the request is advisory rather than mandatory in its current form, but a resident who has not refreshed documents in over ten years is on weaker ground if a downstream verification challenge arises.

A biometric update outside the 5/15 refresh — for instance, where a resident's fingerprints have worn or where an iris scan needs to be re-taken because of an eye procedure — is treated as a discretionary update under Regulation 23. The resident attends an enrolment centre, requests a biometric update, and undergoes a fresh capture. Where the existing biometrics fail to authenticate against the CIDR, the resident may need to demonstrate identity through alternative routes — a head-of-family certification, a gazetted-officer letter, or a verifier under Regulation 13.

mAadhaar, Virtual ID and masked Aadhaar — the post-2019 architecture

The 2019 amendment introduced the Virtual ID (VID) under Regulation 6 of the Authentication Regulations, masked Aadhaar under the same regime, and the Offline e-KYC under Section 8A. These three together form what is best understood as the privacy-preserving authentication architecture — a deliberate re-engineering of the Aadhaar use case after the Puttaswamy II ruling on Section 57.

The mAadhaar application — the UIDAI-issued mobile app — is the resident's interface with this architecture. The app allows the resident to download the e-Aadhaar onto the device after one-time authentication; to generate, refresh and revoke a Virtual ID; to access the masked-Aadhaar variant; to perform Offline e-KYC by sharing an XML or QR-code file (without disclosing the underlying Aadhaar number); to lock and unlock the biometric data so that authentication requests are rejected outside permitted windows; and to view the authentication history under Regulation 29. The application is downloaded from the official Google Play or Apple App stores; the registration uses the OTP on the registered mobile number.

The Virtual ID is a temporary, revocable 16-digit number that maps to the underlying Aadhaar number but does not disclose it. Where a requesting entity is permitted to perform authentication under Section 7 or the Good Governance Rules, 2020, the resident may furnish the VID instead of the Aadhaar number. The VID can be generated through the SMS service (sending GVID to 1947 from the registered mobile number), the UIDAI portal, or the mAadhaar app. Each newly generated VID supersedes the previous one — the VID is rotational, not cumulative.

Masked Aadhaar is the e-Aadhaar variant in which the first eight digits of the Aadhaar number are replaced by "X" characters and only the last four digits are visible. Functionally, the masked Aadhaar serves as a proof-of-identity document for situations where the Aadhaar number itself does not need to be disclosed — for example, a journey ticket inspection or a hotel check-in. Under the November 2022 amendment to the Good Governance Rules, the masked Aadhaar (and not the full Aadhaar) is the recommended document for such use.

Offline e-KYC under Section 8A — operationalised through Regulation 17 of the 2021 Authentication Regulations — is the architecture for verifying identity without performing live authentication against the CIDR. The resident downloads an Offline e-KYC XML file (or scans the QR code on the e-Aadhaar) and shares it with the requesting entity, who verifies the file's digital signature locally. The requesting entity receives the demographic information that the resident has chosen to share; it never connects to the CIDR. The architecture is the post-Puttaswamy II answer to the private-sector authentication question — Section 57 was struck down to prevent live authentication, but Offline e-KYC operates through a digitally-signed document and does not implicate the CIDR.

The Section 7 gateway — and where Aadhaar is mandatory

Aadhaar is mandatory where Section 7 has been invoked. Section 7 authorises the Central Government to make Aadhaar authentication a condition for receiving "any subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India". The Puttaswamy II Bench (Sikri J for the plurality of Khanwilkar, Bhushan and himself; Ashok Bhushan J concurring; Chandrachud J dissenting) upheld Section 7 as proportionate. The notifications issued under Section 7 cover the Public Distribution System, LPG subsidy, scholarship schemes, MGNREGS wages, EPF withdrawals, the social-security pension schemes, and a number of others.

Aadhaar is also mandatory under Section 139AA of the Income-tax Act, 1961 for residents who are required to file an income-tax return — the Aadhaar–PAN linkage that the Supreme Court upheld in Binoy Viswam v Union of India, (2017) 7 SCC 59 on Article 14 and Article 19 grounds, with the Article 21 challenge held over to be resolved in the Puttaswamy matter and ultimately sustained in 2019. The Income-tax Department's operational position is that an unlinked PAN is "inoperative" — payments to the holder may attract higher TDS rates, and the holder may face restrictions on banking and investment transactions.

Outside Section 7 and Section 139AA, Aadhaar is voluntary. The 2019 amendment introduced Section 4(3) — providing for voluntary use of Aadhaar by entities other than under Section 7 — and Section 8A — operationalising the Offline e-KYC framework. The Good Governance Rules, 2020 list the purposes for which a Ministry, Department or State Government may, in good governance, allow Aadhaar authentication on a voluntary basis; the November 2022 amendment expanded these. A private bank, fintech, or telecom that requires Aadhaar authentication outside this framework operates at the edge of the post-Puttaswamy II proportionality test and is vulnerable to a writ petition under Article 226.

The constitutional ceiling — Puttaswamy I, Puttaswamy II, and what is settled

The constitutional framework for Aadhaar is supplied by two Supreme Court rulings. Justice K S Puttaswamy (Retd) v Union of India, (2017) 10 SCC 1 — by a unanimous nine-judge Bench — recognised the right to privacy as a facet of Article 21 read with Articles 14 and 19, and laid down the three-fold proportionality test: legality (a law authorising the action), legitimate aim (a State interest of sufficient importance), and proportionality (a rational nexus, the absence of a less restrictive alternative, and a fair balance).

Justice K S Puttaswamy (Retd) v Union of India, (2019) 1 SCC 1 — the Aadhaar 5-Judge Bench — applied that test to the Aadhaar Act. The 4:1 majority (Sikri J authoring for himself, Khanwilkar and Bhushan JJ, with Bhushan J concurring separately, and Chandrachud J dissenting) upheld Sections 7 and 8 (subsidy authentication architecture); read down Section 33 to require a High Court Judge's order after hearing the holder; struck down Section 57 to the extent it permitted body corporates and individuals to demand Aadhaar authentication for the establishment of identity; held Section 47 (UIDAI as exclusive complainant) constitutional but observed that it does not bar victims from invoking the IT Act and the BNS [IPC]; and held the passage of the Aadhaar Act as a Money Bill under Article 110 valid. The Chandrachud J dissent — declaring the Act ultra vires on Money Bill grounds and on the deeper privacy-architecture infirmity — is the leading minority opinion and is the doctrinal anchor for academic challenges to the regime. The Money-Bill point has since been reopened in Rojer Mathew v South Indian Bank, (2020) 6 SCC 1, referred to a seven-judge Bench, which awaits resolution.

The Digital Personal Data Protection Act, 2023 (DPDP Act) — being progressively notified through 2024–2026 — supplies the next layer. Section 4 of the DPDP Act sets the consent foundation for processing of personal data; Section 5 prescribes the notice requirements; Section 8 imposes obligations on the data fiduciary; Section 10 introduces the higher-trust "Significant Data Fiduciary" category. UIDAI itself, as a data fiduciary processing identity information of every resident, will be a Significant Data Fiduciary under any reasonable threshold notified under Section 10. The DPDP architecture will operate alongside the Aadhaar Act's Section 29 sharing prohibitions and is likely to be the next ground on which the constitutional limits of Aadhaar use are litigated.

Refusals, errors and the grievance route

The four refusals that a resident encounters most often are these. Enrolment rejection at de-duplication — UIDAI's de-duplication engine flags the enrolment as a probable duplicate, and the resident's number is not generated. The route is to file a grievance at the UIDAI portal or the regional office citing the EID, request a manual review, and supply additional documentation. Update rejection — the demographic or biometric update is rejected, typically for inadequate documentary support or for repeated mismatch against the existing CIDR record. The route is to revisit the enrolment centre, attach a stronger documentary set, and lodge a fresh URN. Authentication failure — the resident's biometric authentication fails against the CIDR, locking her out of an Aadhaar-authenticated service. The route is, in the first instance, the alternative-authentication mechanism that the Section 7-implementing department is required to provide under the post-Puttaswamy II reading of the Act; in the longer term, a biometric refresh at an enrolment centre under Regulation 23. Aadhaar deactivation — UIDAI deactivates the Aadhaar number for non-compliance with the 5/15 refresh, suspected duplication, or a failed verification exercise. The route is a written request for reactivation at the regional office, supported by an explanation and fresh biometric authentication.

The grievance escalation runs through three tiers. First, the UIDAI Resident Grievance Redressal Mechanism — the 1947 toll-free helpline, the help@uidai.gov.in email channel, and the file-a-complaint module on the UIDAI portal. Second, the regional UIDAI office, on a written representation; the UIDAI Master Direction prescribes the response timelines. Third, the constitutional remedy — a writ petition to the High Court under Article 226 for mandamus, certiorari or a declaration. The constitutional remedy has been used most often to compel UIDAI to either issue, restore, or correct an Aadhaar number where the administrative grievance route has failed — the writ jurisdiction is unaffected by Section 47's restriction on cognizance of offences.

What to watch — the unresolved questions

Three doctrinal questions remain genuinely open. The Money Bill question — the seven-judge Bench reference in Rojer Mathew is still pending. A ruling against the Money Bill route taken in 2016 would unsettle the legislative-validity foundation of the Aadhaar Act and could compel re-enactment. The DPDP–Aadhaar interface — the manner in which the DPDP Act's consent and significant-data-fiduciary regime will overlay the Aadhaar Act's Section 29 sharing prohibitions has not been worked out either in the statute or in any Rules notified to date. The voluntary-authentication boundary — the November 2022 amendment to the Good Governance Rules, 2020 expanded the catalogue of voluntary authentication purposes; whether this expansion stays within the four corners of the post-Puttaswamy II reading of Section 4(3) and Section 57 is the next likely site of constitutional litigation.

The operating lesson for the resident is twofold. First, treat the Aadhaar number as identifying data rather than authentication data — share the masked Aadhaar or the VID wherever possible, and reserve the unmasked number for the Section 7 and Section 139AA settings where it is statutorily required. Second, keep the linked mobile number current and the documentary record fresh — the entire UIDAI architecture is hung off the OTP on the registered mobile, and a mobile lapse is the single most common cause of an authentication-loop that ends at a physical enrolment centre.