Could Identity Assurance be the missing ingredient for digital inclusion?

The government's plans to tackle digital exclusion - the significant user population that cannot or will not use online services - are essential if we are to achieve 'Digital by Default' targets for service delivery, which in turn form a cornerstone of key reforms such as Universal Credit. Is it possible that the Identity Assurance programme is a means to provide user confidence in access to shared online services that will encourage large new groups of users to venture online? This might be the case, but only if all the key stakeholders engage with marginalised users as they first register for services, and public authorities ensure that services are redesigned to incorporate Identity Assurance across delivery channels, rather than bolting it on as an afterthought.

Getting online, staying online

Digital inclusion is not just about handing out PCs and broadband connections. Whilst numerous capabilities need to come together for an individual to be considered 'digitally included,' three of the critical factors are:

  • Connectivity: the user needs to have access to an endpoint device and internet connectivity to online services;
  • Capability: the user requires the skills to be able to get online and use online services;
  • Confidence: the user needs the confidence to transact online without fear of loss or penalty should they be unable to complete the transaction.

Perhaps the key first step for digital inclusion is persuading marginalised users to ‘give it a go’ – to attempt to use online services for the first time. This may involve obtaining or sharing access through endpoint devices and/or networks (e.g. local libraries, UK Online Centres); building their skills through trial and failure, and being able to fall back on community-based support when required; and having the confidence that if something goes wrong, they will not suffer financial or other losses as a consequence.

Digital by Default

Universal Credit and similar programmes will only succeed if the bulk of interactions with users take place online: the need to drive down costs while improving service means that customers must use online channels in place of face-to-face or telephony. Online engagement is essential, but Digital by Default cannot succeed unless government has a way to trust people online, without going through the expense of registering each user in a face-to-face interview, and managing their credentials thereafter.

Identity Assurance

The Government Digital Service (GDS) has devised a fresh approach to building online trust: the Identity Assurance (IDA) programme. The aim is to allow users to prove their identity, or other information about themselves, using services from private-sector organisations. In the IDA model, individuals and businesses will be able to ‘reuse’ existing trust relationships to interact with government (and ultimately with each other): for example, a customer might use their online banking credentials to prove their entitlement to a public authority so that they can claim benefits. GDS is working with key authorities to deliver the necessary technical, commercial and regulatory infrastructure to make this new approach possible.

GDS is also developing a market of companies wishing to act as Identity Providers (IDPs), who will have to bid for the right to do so, and undergo rigorous independent certification to ensure that their security and commercial controls are appropriate. Eight Identity Providers have been selected to provide the first set of IDA services in support of pilot activities from October 2013. Those IDPs are working together under the aegis of the Open Identity Exchange (OIX) to deliver the technology, commercial and legal approaches needed to make the service a reality.

Will Identity Assurance support digital inclusion?

Identity Assurance could create an environment that goes a long way towards addressing the needs for connectivity, capability and confidence that would drive digital inclusion for a substantial population of currently marginalized users.

Connectivity

Digital inclusion is about more than just providing digitally marginalised users with access to network connections and endpoint devices: inclusion is increasingly about ‘ambient’ access to online services, available through multiple channels and devices. Truly inclusive connectivity requires trusted access to shared services: users need to be able to share devices and connections without fear of identity-related fraud or security breaches.

IDA could provide the necessary trust mechanism to encourage users to share services. If users have a channel-agnostic authentication token, such as one-time PINs provided by SMS to their phone, coupled with a suitable trust framework to assure them that they will be protected in the event of a problem (in much the same way that credit card customers are protected against fraud by the brand network, e.g. Visa or Mastercard), then they will be empowered to use whatever device or network access they choose, without fear of identity fraud or security breaches.

Capability

A key requirement for IDA is the ability for users to prove their identity and transact with government across multiple delivery channels (online, telephony, face-to-face), but if the service is to be inclusive then individual transactions must be accessible across multiple channels as well: rather than users being pigeonholed as ‘online’ or ‘face-to-face’, they should be able to switch channels as and when they choose. For example, a user might start a transaction online, then seek telephone support when they need it, and be returned to an online channel once their problem is resolved.

Making this happen will require action both from the IDPs, who should be encouraged to deliver multi-channel services, and public authorities who need to design their services such that seamless channel changes are supported, rather than having transactions ‘break’ when users need to move between channels. Effective channel shift will only happen when marginalised users can change channels freely as and when they choose.

Confidence

The diverse and incompatible authentication services used across public services are, for some users, confusing and difficult to use, and are likely to be a contributing factor to their reluctance to use online services. The move to a ‘unified’ IDA solution, where users can select the IDP and credential of their choosing, provides a much more user-centric approach.

Furthermore, the IDA architecture supports the concept of ‘delegated authority’ – the ability for users to delegate trust to other users when required; and to act on behalf of other users when authorized to do so. Appropriate security controls and audit trails ensure that systems can differentiate between the actions of the user and their delegated proxy, and thus the user is protected if the proxy contravenes their instructions. The approach is essential for business identity, where employees and agents (such as accountants) act on behalf of the business.

Implemented correctly, the delegated authority approach could also be an invaluable digital inclusion tool: users could have the ability to delegate trust to the individual, service or organization of their choosing when they require help with a transaction. For example, a user could ask a family member, a voluntary group or a UK Online Centre to assist or act on their behalf, without having to give away their credentials to do so; the user chooses whose hand to hold when they need support, safe in the knowledge that if anything goes wrong, they are protected from fraud or errors committed by their proxy.

Using Identity Assurance to deliver digital inclusion

If IDA is to become a catalyst for digital inclusion, then its implementation must be treated as a strategic change in delivery, rather than just an enhancement to existing authentication mechanisms. Authorities need to re-think delivery workflows to split interactions into smaller transactions which users can control across different sessions, channels, or providers, so that services don’t ‘break’ if the user suspends the session, or changes the delivery channel, IDP, or delegated authority.

Next Steps

GDS, the IDPs and the potential Service Providers (public authorities) need to come together to support the evolution of commercial models which incentivise the nascent IDP market to design services with the needs of marginalised users in mind, and actively engage with and support marginalised users as they register for services. They also need to work together to educate users that they should try to access services online, and ensure that the necessary support mechanisms are in place to help them when they do so.

3 Comments

  • Interesting post Toby, as ever, though needs to be clear that proving identity online for services will not affect 'entitlement' to benefits etc. This would only happen at the relying party once identity has been established and subsequent entitlement criteria met.

  • Thoughtful as always but what about the lack of trust in government issued credentials and the long-standing reluctance of central government to make joined-up use of those channels, like Sub-Post Offices, which used to be trusted by most of the population?

    A couple of weeks ago I attached a draft Map of the current UK ID scene to my attack on data breach notification http://www.computerweekly.com/blogs/when-it-meets-politics/2013/03/the-most-common-method-of-stea.html

    I have also asked what happened to Fighting Identity Crime Together Programme http://www.computerweekly.com/blogs/when-it-meets-politics/2013/03/the-most-common-method-of-stea.html

    I no longer believe HMG is willing, able or competent to provide leadership with regard to digital identities. It is unfashionable to say nice things about James Crosby, whose failings were partly because he was not a banker. A former actuary he was, however, correct in his underlying analysis of the Identity market - before it was watered down by officials. It is best left to market forces (i.e. those who will pay) with government departments recognising those IDs issued by reputable players.

  • I agree with Philip.

    To adapt Crosby's marvellous Mandarin-like way of putting it: "quite legitimately, the Government may not regard its Identity Assurance Programme as the best way to stimulate the creation of the universal ID assurance system sought for the UK".

    What do they do all day round at GDS Towers?

    The Nordic countries have used bank IDs as credentials for public services for 10 years now. It's clearly possible. It was discussed at length at the 20 September 2010 meeting between government and suppliers. And yet no progress has been made in the UK.

    Most public services are administered by local government. That matter was debated at the 20 April 2011 follow-up meeting. And yet working with local government is (implicitly) still described in Toby's post under "Next steps".

    His post is full of questions which should have been answered years ago. They haven't been. And at this rate, they're not going to be.

    The promise was made that IDAP would be fully operational by March 2013, the deadline has been missed and now DWP are having to proceed on the basis of face-to-face meetings, telephone calls and letters – the very opposite of digital-by-default.

    That definitive failure is not even mentioned in GDS's weekly diary. Neither is the early day motion now signed by 52 MPs who are concerned about digital-by-default.

    Apart from hoping for the best, what do GDS do all day? Why? And how about stopping, now, because they're clearly not getting anywhere.

    The same hopeless ineffectual impotence befell the Identity & Passport Service who, with their predecessors, managed to spend eight years not deploying government ID cards in the UK. Ian Watmore, the vicar's husband, recommends failing early and failing cheaply. It's been 2½ years since the BankID meeting. Surrendering now would be early compared with IPS's eight years.

    Go on, GDS. Do it for the vicar's husband. The longer you leave it, the harder it will be.

    And the sooner you do it the sooner we might get a private sector identity assurance system that works and which local and central government can subscribe to like any other customer.

Disclaimer

The views expressed in this blog are my own, and do not necessarily reflect those of any client or other organisation.