The government's Identity Assurance programme has finally announced its eighth candidate Identity Provider, in the form of PayPal; the announcement had been delayed pending the completion of PayPal's contract negotiations. This completes the ecosystem of potential providers who may develop certified identity systems for use within the Department for Work & Pensions' first tranche of providers who will support the early deliveries of Universal Credit. Other government departments - most notably HMRC - are likely to use this same framework for their early implementations.
Over the next few weeks I'll try, as best I can, to clarify some of the uncertainties and to dispel some of the emerging myths about what Identity Assurance really is. There will inevitably be some threads at the end of which, if we pull hard enough, we'll find a non-disclosure agreement which prevents too much detail, but that shouldn't hinder a discussion about the key points. Throughout this dialogue it is essential to bear in mind that we are discussing an emerging, immature market: this is the start of delivery, not the finished product. There are still many unknowns. DWP is not procuring a big Systems Integration deal in the expectation of a polished system being delivered (when did that ever happen?) later this year, but is instead defining the parameters for a new market within which the providers will compete for identity business.
I'll open by answering a question that was posted here a few months back, namely:
"What are the plans for federation of IdP accounts? Will individuals be able to use their credentials across more public sector services, such as provided by a local authority?"
Identity Assurance is a federated approach to identity services. DWP have already awarded contracts to build their federation hub which will be used to provide interoperation of Identity Providers (IdPs) with DWP. Once in place, any IdP account which is certified to provide the required trust level will be able to provide access to DWP services. When the first services appear in support of the October 2013 pilots, we will have a 'hub and spoke' environment in which the IdPs are connected through the hub; not true federation but the critical first step for interoperability.
True federation of accounts will appear when we have:
- multiple hubs: as other authorities come to market, it seems probable that they will require their own hubs. HMRC, for example, has extreme seasonal traffic peaks in January, and it would seem perverse that DWP should provide that level of scalability through a single hub. Furthermore, HMRC is likely to require services not supported in the first instance of the hub, for example delegated authority whereby a business' responsible officer (a real person) can operate on behalf of the business (a legal persona), and delegate trust to the business' employees (e.g. the accounts department) and their agents (e.g. accountants, lawyers). DWP has quite rightly omitted these from the first delivery of their hub in order to reduce the complexity and associated delivery risk.
- interoperability between IdPs: as soon as IdPs come to market, they will be providing online Identity Assurance services to their customers. Those customers will need to be able to authenticate to the IdP, both as part of an Identity Assurance authentication, and in order to manage their own IdP accounts; the IdPs are therefore 'consuming' their own Identity Assurance credentials. As the commercial market for IdPs develops, it is likely that one of the IdPs will make a competitive move by offering to consume other IdPs' credentials (so long as the hub will support that mode of operation); in other words, a customer might be able to obtain services from, for example, PayPal using an Experian credential. Once one IdP does this, the others are likely to follow suit.
Making this happen will require the technical and commercial interoperability, coupled with an appropriate government framework (as being prepared by the IdPs through the Open Identity Exchange).
In response to that second question, Cabinet Office will not only expect individuals to be able to use their credentials across other public sector services, but in the case of central government they are mandating Identity Assurance as the standard for any such proof of ID or attributes. They have no power to mandate it for local authorities, but are preparing 'directed funding' to encourage innovation by industry, local authorities and other bodies to ensure that this happens. There are plenty of local authorities already delivering identity-related services which align with Identity Assurance (with the key differentiator that the authority is the IdP), and it would seem reasonable to expect that over time these will migrate into the ecosystem.
And when does all this happen? We would expect to see the first pilots in October this year, with more widespread use kicking off in April 2014. This is the beginning of the journey, not the end state, and there are plenty of questions which nobody has fully answered yet; I'll be addressing more of those in the near future.