Identity Verification in India: Aadhaar, DigiLocker, and the DPDP Act (2026)
How identity verification works in India in 2026: Aadhaar e-KYC, offline verification, video KYC, RBI's Master Direction, CKYC, and the DPDP Act's impact.
India runs the largest digital identity system on Earth, and one of the most layered verification rulebooks anywhere. More than 1.3 billion people hold an Aadhaar number, the biometric identity issued by UIDAI, and the rails built on top of it, e-KYC, offline verification, DigiLocker, and video KYC, have made instant onboarding ordinary.
The complication is legal: who may use which rail, under whose license, with what consent, is tightly controlled, and the Digital Personal Data Protection Act adds a privacy layer that changes how verification data must be handled. Here is the 2026 map.
The rails: five ways to verify identity in India
Aadhaar e-KYC. OTP or biometric authentication directly against [UIDAI](https://uidai.gov.in/), returning government-verified demographics instantly. The catch: online e-KYC is restricted to entities authorized under the Aadhaar Act and RBI/PMLA framework, primarily banks, telecoms, and licensed financial institutions.
Offline Aadhaar. The paperless XML or QR route, where the user shares a digitally signed, tamper-evident extract without the verifier touching UIDAI systems. Broadly usable with consent, and the workhorse for fintechs without e-KYC authorization.
DigiLocker. The government document wallet holding digitally issued PAN, driving licence, and Aadhaar artifacts, sharable with verifier consent flows.
Video KYC (V-CIP). RBI's video-based customer identification process, permitting fully remote onboarding for regulated entities with liveness, geotagging, and trained-agent requirements.
Document plus biometric verification. Classic ID capture with face match and liveness, the universal rail for passports, PAN, and licences, and the only rail that travels across all customer types including non-residents.
The deepidv verification engine treats India as a multi-rail market: offline Aadhaar artifact validation, document and biometric verification with deepfake defense from the deepeye engine, and screening through Arbiter (/arbiter), all returning one evidence format.
The rulebook: RBI, PMLA, and CKYC
The RBI's KYC Master Direction implements the Prevention of Money Laundering Act for banks and NBFCs, prescribing officially valid documents, periodic re-KYC, and risk-based monitoring. Records flow into CKYC, the central registry that lets institutions fetch an existing KYC identifier instead of re-collecting documents. SEBI and IRDAI mirror these requirements for securities and insurance. The practical consequence: verification in India is not one event but a lifecycle, with re-verification cycles that catch many global platforms unprepared.
What the DPDP Act changes
The Digital Personal Data Protection Act, with its implementing rules now in force, applies squarely to verification data: lawful processing requires notice and consent or a defined legitimate use, data principals hold rights to access and erasure, and significant data fiduciaries carry audit and impact-assessment duties. For verification programs, the design implications are concrete: collect the minimum, retain against a defined schedule rather than forever, and be able to evidence exactly what was verified without hoarding raw documents. Cryptographic receipts that prove a verification occurred without exposing the underlying data, the model behind proof.deepidv.com, align naturally with that direction.
Fraud pressure: why liveness is not optional
India's fraud profile in 2026 is biometric-forward: synthetic documents, replayed selfies, and increasingly deepfaked video aimed at V-CIP flows. RBI has pushed institutions toward stronger liveness and multi-factor assurance. Any India stack evaluated this year should answer the injection-attack question, not just the document-authenticity one.
India Identity Verification FAQ
- Can private companies use Aadhaar for KYC?
- Online Aadhaar e-KYC is limited to entities authorized under the Aadhaar Act and banking framework. Most private businesses use offline Aadhaar (XML/QR) with user consent, DigiLocker documents, or document-plus-biometric verification instead.
- What is offline Aadhaar verification?
- A consent-based method where the user downloads a digitally signed XML or QR extract of their Aadhaar data and shares it with a verifier, who validates UIDAI's signature without accessing UIDAI systems.
- Is video KYC legal in India?
- Yes. RBI's V-CIP framework permits fully remote video onboarding for regulated entities, with requirements including liveness checks, geotagging within India, and trained officials conducting the session.
- How does the DPDP Act affect KYC?
- Verification data is personal data under the DPDP Act: firms need lawful grounds, must honor access and erasure rights, and should minimize collection and retention. Evidence-preserving designs that avoid hoarding raw documents reduce exposure.
- What documents are valid for KYC in India?
- Officially valid documents include Aadhaar, passport, PAN (for financial relationships), driving licence, and voter ID, with the applicable set defined by the RBI KYC Master Direction and sector rules.
Relevant Articles
KYC in Singapore: The Complete MAS Compliance Guide for 2026
What MAS requires in 2026: AML/CFT notices, Singpass and MyInfo onboarding, and corporate KYB via ACRA.
Jun 11, 2026
KYC Across Southeast Asia: Philippines, Indonesia, Vietnam, and Thailand (2026)
Four regulators, four national identity systems, and the verification architecture that survives all of them.
Jun 11, 2026
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.
Learn More