NPCI Discontinued Face Authentication for AePS: What You Need to Do Now

Posted:

13 May 2026

Vaibhav Maniyar

NPCI Discontinues AePS Face Authentication

India's rural banking network had gradually started relying on face authentication as a way to make AePS (Aadhaar Enabled Payment System) transactions simpler for customers who found fingerprint scanning inconvenient. That option is now restricted for the transactions that matter most.

The National Payments Corporation of India (NPCI) has discontinued face authentication for AePS cash withdrawals and Aadhaar Pay transactions. This decision comes in response to rising fraud cases where bad actors used photographs and pre-recorded videos to bypass facial recognition and impersonate account holders.

Here is what this change means for Business Correspondent (BC) agents, which services are impacted, and how to transition your setup to remain compliant.


Why Did NPCI Ban Face Authentication for Withdrawals?

It is worth being straightforward about why face authentication was popular in the first place: it required no physical contact and felt easy for both agents and customers. However, this same ease of use made it vulnerable to spoofing.

Fraudsters found they could present a printed photograph or a video clip of an account holder's face to bypass the biometric check and withdraw cash [1]. This type of fraud - known as a presentation attack - has grown increasingly sophisticated. According to Gartner research, presentation attacks against facial recognition systems in financial services rose by over 30% year-on-year, a trend that continued as the technology spread to rural banking points.

Because cash withdrawal and Aadhaar Pay transactions carry direct, immediate financial risks, NPCI opted for a targeted restriction rather than a complete ban across all AePS services.


Which AePS Services Are Affected (and Which Aren't)?

The restriction is focused strictly on transactions that expose customers to direct financial loss.

Discontinued Services:
Face authentication can no longer be used for Cash Withdrawals and Aadhaar Pay transactions.

Permitted Services:
According to current guidelines, face authentication remains available for lower-risk, non-financial inquiries, including Balance Enquiry, Mini Statement checks, and Cash Deposits.

Major platforms, including DigiPay Lite, Spice Money, and PayNearby, have disabled face authentication for cash withdrawals. The Aadhaar FaceRD application, which handles facial biometric capture, will return errors if an agent attempts a withdrawal request. If your agents are reporting unexplained transaction failures during withdrawals, this policy change is almost certainly the cause.


Upgrading to Secure, UIDAI-Certified L1 Biometric Devices

To continue offering cash withdrawals and Aadhaar Pay, agents must use a physical biometric scanner - either fingerprint or iris.

When choosing replacement hardware, it is critical to understand the current regulatory landscape. The Unique Identification Authority of India (UIDAI) is actively phasing out older L0 registered devices in favor of more secure L1 registered devices.

Why L1 matters:
Unlike L0 devices, L1 biometric scanners perform cryptographic signing directly on the hardware chip itself. This makes it impossible for fraudsters to intercept or tamper with the biometric data during transmission, offering a much higher level of security.

The standard choice:
To ensure long-term compliance and avoid transaction failures, agents should upgrade to L1-certified devices.

Mantra offers fully compliant, UIDAI-certified L1 devices designed for high-volume rural and semi-urban banking environment:

Mantra MFS110 L1:
A highly reliable, durable L1 fingerprint scanner equipped with advanced spoof detection.

Mantra MIS100 V2 L1:
A dual-eye L1 iris scanner designed for seamless, contactless authentication.


Why Iris Scanners Are the Best Alternative

Removing face authentication creates a genuine challenge for a specific segment of rural customers - particularly agricultural workers, manual laborers, and elderly individuals whose fingerprints are worn, dry, or degraded.

While fingerprint scanning can sometimes fail for these users, iris authentication offers a practical and highly reliable alternative:

Contactless & Hygienic:
Like face recognition, iris scanning does not require physical contact with a shared sensor surface.

Unaffected by Labor:
An iris scan is unaffected by dry skin, cuts, moisture, or manual wear.

Extremely Secure:
Iris patterns are highly complex and unique, making them incredibly difficult to spoof with photos or video clips.

For agents serving communities where fingerprint failures are common, deploying a device like the Mantra MIS100 V2 L1 iris scanner ensures you do not lose customers who find fingerprint scanning difficult.


Step-by-Step Guide to Transitioning Your Outlet

To avoid transaction failures in front of customers, agents should follow these steps to update their setups:

Verify Your Hardware:
Ensure you have a working, UIDAI-certified fingerprint or iris scanner. If you only have face RD setup, acquiring an L1-certified device is your immediate priority.

Update the RD Service Software:
Do not just plug in a new device. Download and install the latest Registered Device (RD) Service drivers from your manufacturer's website. If the RD Service layer is out of date, the transaction will fail even with a certified device connected.

Check NPCI Agent Mapping & KYC:
Ensure your NPCI KYC registration is active and that your service provider has mapped your new biometric hardware to your agent ID. Under updated Reserve Bank of India (RBI) guidelines, inactive or unmapped devices will trigger automatic transaction refusals.

Perform a Test Run:
Connect your updated device and run a simple Balance Enquiry first. Once the balance check succeeds, you can proceed with cash withdrawals and Aadhaar Pay transactions with confidence.


FAQs

No. The NPCI restriction covers AePS cash withdrawal and Aadhaar Pay transaction authentication specifically. UIDAI's eKYC verification, identity validation, and account-linking services continue under separate UIDAI guidelines and remain unaffected.

Yes. Iris authentication is a highly effective option for users whose fingerprints are worn due to manual labor, skin dryness, or age. UIDAI-certified iris scanners do not require physical contact, work independently of skin conditions, and provide high security against spoofing attacks.

A full re-registration is typically not required. However, when you connect a new physical biometric device, you may need to register or link the hardware through your corporate business correspondent (BC) or service provider portal to ensure proper NPCI mapping.

The RBI's updated security guidelines place a strong emphasis on liveness detection and robust fraud monitoring to secure the retail payment ecosystem. NPCI's decision to restrict face authentication for high-risk transactions directly aligns with these security measures, encouraging the use of secure, cryptographically signed L1 physical biometric hardware.

Comments

Leave A Reply

Captcha