Identity Assurance: Who wants to be an Identity Provider?

One of the more contentious areas of debate about the Identity Assurance programme has been the selection of potential Identity Providers (IdPs), not so much for who is on the list, but who is absent. DWP’s candidates for the first tranche of delivery include Cassidian, Digidentity, Experian, Ingeus, Mydex, PayPal, Post Office and Verizon. But when Identity Assurance was first announced, there was an expectation that we would see a list of banks, telecomms providers, credit reference agencies, social networks and online retailers.
So who wants to be an IdP?
The simple answer is that only those companies who saw a compelling commercial or strategic reason to bid, chose to do so. There was no radical downselect in which the list of potential IdPs was thinned out, because they didn’t bid for the role in the first place.*
The objective of Identity Assurance is to provide an affordable, user-centric mechanism that allows individuals and businesses to transact with government online, in support of key government deliveries (e.g. Universal Credit) and the shift to Digital by Default. In keeping with the shift to transaction-based procurement championed by G-Cloud, DWP is not paying these companies for a classic systems integration contract, but is instead incentivising them with a transaction payment if they provide the service DWP needs.
Specifically, in this first instance each IdP can receive a single payment, per-user, per-annum, triggered by the user’s first authentication to DWP with their IdP. The payment is proportionate to the channel used to access DWP services (e.g. online, telephone, face-to-face), and the price paid will be established by a further competition between the IdPs to compete for the lowest price.
This price model is one that is designed to incentivise these new IdPs to bring in as many customers as possible, since they receive their payment when the new customer starts using the service. If you’ve got your thinking hat on then you’ve already spotted that this model can be exploited by the IdPs: if a customer chooses to register and access DWP services through all eight IdPs, then each IdP gets paid (under Identity Assurance principles, DWP has no mechanism to enforce uniqueness across providers). With the low volumes of registrations involved at this stage, that’s not a problem, but it’s not a sustainable commercial model for the long term.
Furthermore, there’s a lot of risk for the IdPs in this programme: they’re not being paid to build, so they’re accepting all the delivery risk; and they will only generate income if they successfully persuade customers to choose their service over the other IdPs’ services. Only businesses who have an existing interest in this space (e.g. Digidentity), or a strategic interest in the success of Identity Assurance (e.g. Mydex) are willing to accept the high levels of effort and risk in return for the relatively low early rewards. For banks, telecomms providers or major e-commerce providers, the market lacks the maturity or certainty of reward to incentivise participation at this early stage. They’ll come along in future rounds of procurement.
And which ones are going to win?
The winners in the Identity Assurance market will be the IdPs who can persuade customers to select their services over those of other IdPs. The key factors for customers selecting a specific IdP will include:
  • brand: how much customers trust the IdP’s brand for these services;
  • channel: availability of the IdPs’ service in the customer’s chosen channel (online, telephony, face-to-face);
  • value-add: whether the IdP service is integrated with other attractive propositions, such as telecomms, payments or e-commerce.
So how does that list of chosen IdPs stack up against these criteria?
  • brand: Arguably only two of those brands are household names, but remember that these are the prime bidders – many of the bidders will be supported by partners who have dominant online and high-street brands.** When Identity Assurance launches you can expect to see plenty of names you know and trust.
  • channel: Post Office is clearly dominant in the high street, but there’s less clarity about the other IdPs’ channel presence. That will change when their partners ‘uncloak’ and we see mobile telecomms providers and ISPs appear within the delivery partners.**
  • value-add: This is the trickiest proposition area, but one in which Experian and PayPal would appear to have a strong competitive edge. If Experian can sell credit reference data to government at the same time as the customer authenticates, then they might well offer their Identity Assurance service for free; likewise, one could imagine PayPal offering identity services to government for free if the customer pays or receives funds through PayPal as part of the transaction.
And it’s this last point which will determine the direction of travel for the market far more than any other factor. Once one IdP offers their services ‘for free,’ then others will be obliged to follow in the commoditisation of Identity Assurance, and the dominant IdPs will be those which have successfully abstracted the business model for Identity Assurance away from a simple transactional delivery, and into a more mature integrated model. A market such as this favours mobile network providers and payment services, and with the inevitable convergence of those markets anyway, I’d expect to see a lot more interest from them in the next round of Identity Assurance delivery. The market will also favour the natural agility of SMEs over big incumbents who will need time to flex their existing business models to adapt to the world of Identity Assurance. As these companies watch the emergence of Identity Assurance, more and more will sit up and take interest.
Who wants to be an Identity Provider? A lot more companies than know it today.
* I’ve not been party to the actual selection process in DWP, but since to the best of my knowledge no organisations have come forward complaining that their bid was unsuccessful, we can assume that the list of IdPs is pretty much confined to those who submitted bids. So, in response to the question “why are these the selected IdPs?” the answer is “because they’re the companies who bid for the role.”
** Yes, I know who some of those are, and if you search around you’ll find some of them for yourself. No, I’m not mentioning them here because I might be entering into NDA territory.