“It’s important for the future of online services that government helps nurture a robust, trusted, secure and viable approach to identity assurance that can work right across our digital economy. So it’s worth making time right now to do an honest, open and public reset to get this right,” I wrote.
Since my Computer Weekly article appeared, rumours of just such a review of Gov.uk Verify have been flying around. If this is indeed happening, whoever is conducting it might find this online overview of UK identity initiatives since 1997 useful context.
There’s been a lot of work – and many lessons learned – in this space over the past two decades. It’s 20 years since the UK government first started work on online identity assurance, 16 years since the launch of the Government Gateway, and now six years since the Verify programme started (originally as the Identity Assurance Programme, or IDAP). According to a National Audit Office report earlier this year, Verify has only 12 services using it, compared to 138 for Government Gateway.
There are currently multiple approaches to identity in the public and private sectors. This may be a more sensible approach than trying to impose a “one-size-fits-all” solution. After all, there are good potential security and privacy reasons for large organisations such as the NHS to run their own trusted identity services separate from those used in another organisation, rather than everyone being on the same physical system.
If the various identity systems are all designed to support the same regulatory and technical standards, a user would still be able to choose to use the same credential between services run by different operators. This has been the government vision since the late 1990s – enabling a user to choose if they wish to use their same online identity across both public and private sector organisations – for convenience – or to use different identities in different contexts, for security and privacy.
Notable among these current identity initiatives are of course the Gov.uk Verify system being built by the Government Digital Service (GDS), the existing Government Gateway platforms used across the public sector and being further enhanced by HM Revenue & Customs (HMRC), other local user ID and password approaches in central government, various patient access systems within the NHS, and the multitude of approaches by local authorities and others.
Outside of government, there are also a wide variety of identity initiatives and innovative identity startups in the private sector aiming to improve the ease with which users can prove who they are when they are online.
Subject to meeting agreed standards, these players all have an essential role to play in making sure the UK implements an effective solution to online identity – one that helps the UK to thrive, economically and socially; provides citizens with choice, security and privacy; and encourages rather than stifles innovation.
What’s the problem?
One question the rumoured review will need to answer is why the Verify hub has taken so many years to produce only a subset of the system it was originally intended to replace – that of the Government Gateway. When Francis Maude, then the Cabinet Office minister, addressed Parliament on identity assurance in May 2011 he said: “Our intention is to create a market of accredited identity assurance services delivered by a range of private sector and mutualised suppliers.”
He continued: “A key improvement will be that people will be able to use the service of their choice to prove identity when accessing any public service. Identity assurance services will focus on the key imperative to ensure privacy. My department is leading the project to develop the design and the creation of the market within the private sector. By October 2011 we expect to have the first prototype of the identity assurance model to test with transactional departments and public sector identity assurance services, with a date for implementation from August 2012.”
This seemed a reasonable timetable – an earlier cross-government identity initiative and its related central hub, the aforementioned Government Gateway, went from a standing start in late 2000 to a live service in just three months, including the use of external identity providers. With all the many lessons learned in this space over the years the government was in an ideal position in 2011 to make a quick success of this latest initiative.
Exploit existing relationships
The original intention of Verify was to let users exploit existing trusted relationships with organisations of their own choosing – such as their bank or mobile phone provider – to provide proof of their identity. This never happened.
Instead, the Verify programme created a new marketplace of “identity providers” – organisations which have no existing relationship with a user. Anyone who requires a Verify-certified credential must prove who they are to one of these organisations to access online public services requiring authentication.
Even those who successfully complete this process will still need to prove who they are to the satisfaction of government service providers before being given access to any personal records or data. This is a long way away from the original vision and far from being a great user experience.
The Gov.uk Verify central hub built in-house by government over the past six years appears to support only a subset of user and technical functionality of the system it was intended to replace. For example, it only supports citizens – not businesses or third parties accessing services on behalf of others, such as accountants.
This compares unfavourably with the Government Gateway (as HMRC and others have pointed out), which supports all users – citizens, businesses and those acting on behalf of others – and a wider range of technical functionality, such as authenticating and handling data submitted via government interfaces (APIs).
Both Verify and the Government Gateway are otherwise broadly similar in terms of providing a centralised brokered identity hub that sits between the outside world and online government services, and in complying with open technical standards such as SAML.
The Verify hub is struggling to gain adoption
According to GDS’s own performance figures, the Verify hub continues to struggle. Only 38% of users are successfully able to access a service when they create or use a Verify account. The system claims a high level of identity assurance. But the current widespread sharing and availability of personal data, combined with plans to further increase the amount of such personal data being widely shared across the public sector, creates a risk – because the current approach only verifies that the citizen applying online has sufficient data about a person who does exist to be able to complete the process. It does not necessarily prove that the user entering that personal data is the same person as the citizen they claim to be.
This is something the Law Commission recently highlighted in its consultation on making a will: “Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists,” it said.
In any case, once an approved account is set up, potentially a citizen can let someone else use that account. Subsequent online interactions may not be with the citizen an organisation believes it is dealing with. All of which rather negates the initial, complex, “proof of identity” process.
It is also often difficult to link a proven identity to a specific user’s data in a government department. This is in part why the Government Gateway adopted a different approach. It broke the process down into several complementary parts.
The first let a user create or obtain a re-usable credential – such as a user ID and password, digital certificate, or chip-and-PIN card. A second process then helped establish the proof required by a service operator, such as HMRC or the Department for Work and Pensions, that the person with the credential was the same person as the records or data they were trying to access. Once both were successfully completed, the user concerned could be successfully enrolled in the relevant service.
The Law Commission’s observations appear problematic for the viability of the Gov.uk Verify hub, and online identity proofing in general. The approach being adopted appears not only to fail to establish sufficient proof of identity to satisfy legal experts for the minority of users who manage to enrol successfully, but it also doesn’t address the second problem of matching a user to specific data in a service organisation.
More fundamentally, the Law Commission’s concerns identify a more systemic problem with the whole assumption behind the existing process of identification – something the current rumoured review must address and resolve.
Face up to facts – and re-focus on open standards and delivery
Work on the Verify identity assurance framework – to establish common standards around identity assurance across sectors – makes sense. So does ongoing work on BSI PAS 499 – the British Standards Institution’s digital identification and authentication code of practice – and eIDAS (electronic identification, authentication and trust services), the EU regulation setting out standards for electronic transactions in the European single market.
Less convincing is the protracted in-house development work on building another central government hub similar to the Government Gateway. Implementation of the identity assurance framework need not have followed the same route as the previous design from 2000. There have always been security and privacy concerns raised about the role of a central hub – various vulnerabilities have been pointed out with brokered identity systems such as Gov.uk Verify.
Provided everyone complies with the same standards, a more distributed model might help provide the benefits of a consistent approach to identity assurance while avoiding the security and privacy problems of a single central hub. It would also potentially expedite delivery – given the potential for organisations to consume compliant systems and services from the cloud, and from the use of the growing variety of app-based approaches now available.
In such a scenario, for example, HMRC’s updated Government Gateway hub could become just another node in a trusted identity assurance model alongside the Verify hub and others. This would also enable the Verify programme to very quickly claim it had delivered its ambitious 25 million user target ahead of 2020 given the number of existing users on the Government Gateway.
There are multiple implementation options available, including from the cloud and app developers, that place government in an ideal position to implement something that works quickly and successfully rather than to assume it has to build such systems in-house from scratch, as some Wardley mapping would make clear. However, this was just as true back in 2011 when Maude made his announcement.
What we should expect from the rumoured review
If a review is taking place, its focus should be on learning both what went wrong given the government’s lengthy experience in this space, and the environment that was already in place – and what needs to be fixed.
A failure to map the landscape, and apply situational awareness – to undertake a thorough discovery process worthy of the name – when the Verify programme originally kicked off, seems to have been its Achilles heel. Much time has been lost repeating the experiences and learnings of the past, and failing to use what was already available to expedite delivery.
The UK’s increasingly digital economy and the growth of cybercrime require online identity to work far better and more reliably than it does right now, particularly for public services. Any review of the current state of the Gov.uk Verify identity assurance framework and associated central hub has an essential role to play, as will be clear when it is published – assuming the longstanding GDS principle of “make things open: it makes things better” is still being observed.
It will be interesting to see the extent of the report’s mapping and understanding of the current landscape, its insight and analysis of implementation options available, and the rationale for its specific recommendations on what needs to happen next, when, at what costs and with what benefits.
A thorough and honest open review is just what’s needed. Making its detailed findings and analysis public is an essential first step in helping rebuild confidence and consensus behind a reset approach. A report that identifies and recommends solutions to the longstanding problems with the current Verify programme will help accelerate adoption and progress of a better, more successful solution – one that works better for everyone.