Electronic Authentication (or “e-Authentication”) is the process of electronic verification of the identity of an entity. The entity may be a person using a computer/mobile, a computer/mobile itself or a computer/mobile program. Authentication is a way to ensure that the user who attempts to perform functions in a system is in fact the user who is authorized to do so.
Authorisation is the process of verifying that a known person has the permissions and rights to perform a certain operation in an application. Authentication, therefore, must precede authorisation.
An effective access management system incorporates one or more methods of authentication to verify the identity of the user, including passwords, digital certificates, hardware or software tokens, and biometrics. Authorisation governs what a user can access or do within an application.
Due to isolated project implementations of individual e-governance initiatives of various ministries/departments, the present authentication mechanisms are inadequate and disparate across various applications. As a result, there is not only a lack of uniformity in the authentication methods of various departments, but citizens also have to provide different kinds of identity proofs for accessing public services which are fairly similar in many cases in terms of their sensitivity.
Hence, this document, conceptualized by Department of Electronics and Information Technology (DeitY), Government of India, serves as the guiding document for all central and state ministries, departments and government agencies for implementing an appropriate authentication model for online and mobile based delivery of their services.
e-Pramaan provides a guiding framework that enables various government departments and agencies to address the access management, authorization requirements, and authentication mechanism associated with the deployment of e-governance applications and services.
For details, please refer Section 3 of the document ‘e-Pramaan: Framework for e-Authentication’.
There may be three kinds of authentication mechanisms:
1. Single Factor Authentication: An authentication mechanism that utilizes only one of the various factors (for example, a user using username and password for accessing an application).
2. Two Factor Authentication: An authentication mechanism where a combination of two factors is used (e.g., a user using username and password as first factor and One Time Password (OTP) as the second factor).
3. Multi-factor Authentication: An authentication mechanism where two or more factors are used with one of the factors necessarily being the “Third Factor – ‘Be’” which is something the user is (e.g., a user providing her Aadhaar number (first factor – “Knowledge”) and her biometrics (third factor – “Be”) to authenticate herself).
The e-Pramaan Framework for e-Authentication lays down the following main policy measures:
1. Uniform electronic authentication mechanisms and processes shall be established to ensure electronic authentication of online and mobile users to facilitate access to and delivery of public services. The electronic authentication mechanisms shall incorporate Aadhaar based authentication.
2. All government departments and agencies shall deploy e-Authentication processes as part of their service delivery strategy.
3. All government Web sites shall be electronically authenticated in order to build trust among the users.
The following are the key components of e-Pramaan Framework:
i. Identity Management;
iv. Credential Registration;
v. Permission Assignment;
vii. Single Sign-on
Sensitivity levels are used to describe the level of assurance of identity of users required for an application and the resultant level of robustness of the required solution. Table 1 describes the various sensitivity levels for assurance of identity.
Levels of Authentication Assurance
Level 0 No assurance of identity
Level 1 Minimal level of assurance of identity
Level 2 Moderate level of assurance of identity
Level 3 Strong level of assurance of identity
Level 4 Very Strong level of assurance of identity
For details, please refer Section 7.2 of the document ‘‘e-Pramaan: Framework for e-Authentication’.
A “Fraud Management” layer will provide real-time protection against identity theft and online fraud. This layer will evaluate the fraud potential of online/mobile access attempts and assess the risk based on a broad set of variables. The “Fraud Management” layer will perform this task transparently without inconveniencing the legitimate users.
For details, please refer Section 7.3.3 of the document ‘‘e-Pramaan: Framework for e-Authentication’.
E-Pramaan Gateway shall leverage the middleware messaging infrastructure of NSDG ( National e-Governance Service Delivery Gateway) , SSDG(State e-Governance Service Delivery gateway) and MSDG ( Mobile Service Delivery Gateway) to provide a convenient and secure way for the users to access government services via internet/mobile as well as for the government departments and agencies to assess the authenticity of the users. The e-Pramaan Gateway shall be integrated with NSDG, SSDG and MSDG and shall act as a standard e-authentication mechanism between service access providers and the corresponding messaging middleware (NSDG, SSDG or MSDG). In order to leverage the NSDG, SSDG and MSDG infrastructure, the e-Pramaan Gateway will establish a centralized identity directory. E-Pramaan Gateway may incorporate new technologies, processes and authentication mechanisms in future.
The Government of India reserves the right to review and revise the e-Pramaan Framework as and when necessary. Queries or comments related to the e-Pramaan Framework may be sent to the
Additional Secretary (e-Governance) or Joint Secretary (e-Governance), DeitY, Electronics Niketan, 6 CGO Complex, Lodhi Road, New Delhi – 110003.
They can also be sent through e-mail to asegov[at]mit[dot]gov[dot]in, jsegov[at]mit[dot]gov[dot]in or neaf[at]negp[dot]gov[dot] in.