Meet the Identity and Attributes Exchange – GDS’s future for digital identity after Verify

As the Government Digital Service (GDS) prepares for the winding down of its Verify service, its future plans for digital identity are becoming a little clearer.

In recent weeks, GDS has been communicating with private sector identity providers as it prepares to launch the Identity and Attributes Exchange (IAX), which is intended to be the way that ID companies can finally gain access to the public sector market.

It would also appear, according to some sources, that GDS is taking advantage of the Department for Culture, Media and Sport (DCMS) being distracted by the coronavirus crisis to push IAX as the industry standard for interoperable digital identities that can be used across the public and private sectors.

So what is IAX, and how – if GDS’s plans come to fruition – could it help to develop the digital identity market in the UK?

Let’s recap: Verify was given an effective death sentence by HM Treasury last month, after funding was approved for a further 18 months on the condition that no further services adopt Verify, and that all existing services have an alternative system they can use by the time the cash runs out.

Verify’s funding was meant to end in April, but the surge in Universal Credit applications after lockdown made the Department for Work and Pensions (DWP) suddenly more reliant on Verify than expected. DWP is already well advanced in its plans to reduce and, most likely, eventually eliminate Verify from its services. It’s somewhat ironic that DWP finds itself having to help fund Verify as it limps on.

Meanwhile, the Whitehall politics between GDS and DCMS has continued. DCMS is meant to own policy in digital identity and take lead responsibility for the wider digital identity market. GDS owns the use of digital identity within central government.

The differences were meant to be reconciled by the formation of a joint Digital Identity Unit, but its full operation has been delayed by pandemic priorities.

Verify’s future is not yet entirely confirmed – some sources suggest that influential figures in Number 10 (yes, him) see potential in Verify, or something very similar, as a login method for that would allow greater personalisation of digital government services. Or, as some would see it, the ability to track users as they move around the website.

But officially, departments expect Verify to wither, and for GDS to offer an alternative. That alternative is IAX.

What is IAX?

According to documents sent to the private sector, and seen by Computer Weekly, IAX is not a product, like Verify or HM Revenue & Customs’ Government Gateway system. It’s a scheme that aims to establish a trust mark for digital identity products.

Organisations will become members of IAX and will be certified by an independent auditor. Only IAX members will be allowed to sell digital identity services to the UK government.

Certification depends on adherence to a set of government-approved standards, which appear to be based on the same GPG44 and GPG45 standards upon which Verify was built.

Eagle-eyed readers will observe that on day one of IAX, this makes Verify the only product capable of conforming to the standards.

GDS’s pitch to eID companies is that the IAX trust mark will prove that products can be used safely and therefore will be more attractive to potential users.

Ultimately, GDS hopes, IAX will lead to the creation of a digital identity ecosystem whereby any certified products can be used across the private and public sectors, with online services accepting any identities for logging in to systems as long as they are IAX-approved. Those with long memories will recall that this was also the ambition for Verify, almost exactly word for word.

It’s a bit like using your Facebook or Google accounts to log in to other services across the web – but with much higher degrees of privacy and trust (in theory).

It’s a sensible principle, and arguably where GDS should have been five years ago. Many private sector providers remain frustrated and angered by what they see as the time and money lost while GDS continued to push Verify as the future of digital identity in the UK.

IAX roles

IAX-certified organisations can fulfil any of four defined roles:

  • Buyer – such as a government department that wants to allow approved digital identities to log in to its services.
  • Identity provider – companies that create verified digital identities for users, which can then be used to log in to online services.
  • Attribute provider – organisations that collect information about users that can be used to verify their identity. The Passport Office or DVLA are examples, which could offer access to passport or driving licence data.
  • Broker – a company that connects users, digital identity providers and attribute providers. Brokers will allow a buyer to access multiple identity or attribute providers.

If all that sounds a bit complicated, that’s because it is – nobody said digital identity was easy. Well, except a bunch of frustrated digital identity providers who just want to get on with it, but GDS is at last reaching out to them in a way it hasn’t done for Verify. GDS is currently inviting feedback on its IAX proposals.

One important component of IAX is still missing – the commercial framework that lays out how this will all work legally and how much it costs to take part. Being certified and gaining a trust mark will cost money. As a result, some private sector players fear IAX is about trying to protect Verify – they were promised a commercial framework for Verify on many occasions over several years, and it never appeared.

The difficulty for GDS is that, in the absence of a workable government solution, the industry has moved on. In particular, the financial services sector is working together on digital identity in a far more collaborative way than it used to.

Digital identity in financial services

Regulations in areas such as open banking, anti-money laundering (AML) and “know your customer” (KYC) have provided incentives to standardise approaches. Historically, banks adopted proprietary approaches to customer onboarding, each believing theirs was better than their rivals’. Now, they are moving towards standardisation, through bodies such as the UK Joint Money Laundering Steering Group (JMLSG), which this week updated its guidance for the financial sector to allow the use of digital identities created by third-party providers for opening accounts and passing AML and KYC checks.

The big question here is, what accreditation will finance firms expect from an approved digital identity? Clearly, GDS hopes this will be IAX.

In the documentation sent to eID companies, GDS points out that being an IAX member could make it easier to join other ID schemes created for other industries, such as financial services. Hint, hint. “In some cases it can even mean you will not need to go through another full certification process,” said one document.

Can GDS convince the banks that IAX will work in this way? The lack of initial support for Verify from all the banks but Barclays was one of the very early red flags that should have caused a rethink, but didn’t.

Here’s the next issue for GDS. According to OIX, the identity standards group that GDS co-funds, “Verify is the only digital identity scheme that has adopted GPG45 to date”.

Sources suggest that banks don’t much like GPG45 as the basis for a digital identity standard. It’s an old standard, dating back to the late 1990s, and isn’t great when it comes to adopting new technologies such as smartphones reading e-passport chips, which is an increasingly common feature in popular eID apps.

In May 2019, OIX published a detailed 53-page report, with input from government and the private sector, exploring the issues around interoperability between GPG45 and the JMLSG guidance. The report was, mostly, inconclusive. It found that “limited interoperability may be possible now,” but “further challenges still exist”.

The report concluded that, “It is clear from the analysis that relatively little needs to happen in order for GPG45 to be interoperable, at least in principle, with JMLSG guidance. However, without further thought and potentially some changes to how elements of GPG45 are intended to be used, and how data is shared, implementation will not be optimal and barriers will continue to exist for relying parties.”

So far, Verify continues to be the only GPG45-based scheme around. It’s certainly not unfair to assume there are good reasons for the lack of wider take-up.

What next?

It would, of course, be nice if GDS told us what was going on and what the plans are for IAX. It would be good to see the results of the consultation into how the private and public sector could work together on digital identity – which were first promised by the end of last year, and then in Spring 2020, but have still not been published. And it would be helpful to know what’s happening with the trial of offering access to passport data to private sector ID providers, which was due to start in April.

But, as Computer Weekly has reported on several occasions, GDS doesn’t want to talk publicly about Verify and its digital identity plans. Not a great omen for interoperability and collaboration.

As DCMS re-engages with digital identity in the coming weeks and months, we will undoubtedly start to hear more about IAX. Everyone involved in the market will hope that GDS has learned the lessons that led to Verify’s costly (£175m and counting) failure and that past mistakes around private sector co-operation will be avoided this time around.
