Patryk Kosmider - stock.adobe.co

Government projects watchdog recommends terminating Gov.uk Verify identity project

Infrastructure & Projects Authority says Whitehall departments are unwilling to fund flagship GDS identity programme – cancellation would mean writing off at least £130m spent so far

The UK government’s major projects watchdog has recommended that the Gov.uk Verify identity assurance programme should be terminated.

The Infrastructure and Projects Authority (IPA) conducted a review of Verify, the government’s flagship digital identity system, in July, and found Whitehall departments were reluctant to continue funding the project.

The Government Digital Service (GDS) had submitted a business case for a “reset” of the troubled programme that required extra budget for further development and to pay the external identity providers (IDPs) that underpin the system, but sources say there is little appetite in the Treasury to provide additional funds for a project that is seen to be failing. Three-year contracts with the IDPs are due to end this month.

GDS is understood to have spent at least £130m on Verify so far, most or all of which would be written off if the project folds. The IDPs are required to support existing Verify services for 12 months after their contracts end, but sources say further funding would be needed to pay the companies during that period. GDS has not announced any plans for a new procurement exercise to sign up new or additional IDPs.

IDPs are paid a fee for every Verify identity they assure, and renewal fees every year for existing users. Those charges were intended to reduce as the volume of Verify users grew, but adoption of the system has been poor.

In 2015, when GDS appointed the IDPs, “the government's aim [was] that all the central government services that need identity assurance for individuals will be using Gov.uk Verify by March 2016,” according to the contract notice published at the time.

Originally known as the Identity Assurance programme, the Verify project started in 2011, and eventually went live in 2016 after a series of delays. In 2017, the government committed to having 25 million users of Verify by 2020 – a promise that also made its way into the Conservative Party manifesto for the general election last year.

Keeping the promise

However, to date, only 2.7 million people have signed up to Verify, and the system is used on only 18 digital services. To meet the target by the end of 2020 would require 800,000 new users for Verify every month. In August, about 140,000 people registered for the service.

Sources suggest that GDS hopes to make a case to continue with Verify. Just this week, it announced three further digital services using Verify had reached the “private beta” testing stage, although none of the services have a launch date.

On 28 August, GDS formally notified the European Commission that Verify is ready to seek approval as the UK’s identity system as part of the EU-wide eIDAS programme – a move that came after GDS learned of the IPA recommendation.

GDS is also understood to be making a case that Verify remains essential to the ongoing roll-out of Universal Credit, the government’s new benefits system. But even there, the Department for Work and Pensions has had to develop an additional identity system after finding that hundreds of thousands of benefits applicants could be unable to register successfully on Verify.

Other areas of government have also rejected Verify and are working on alternatives. HM Revenue & Customs is working on a new version of its existing Government Gateway, while NHS England is developing its own identity system, after saying Verify is not secure enough for the health service. The Scottish government is also pressing ahead with its own digital identity plans, with the aim of producing a prototype this year.

Departments have been put off by Verify’s weak record at successfully registering users. The system works by IDPs using publicly available data sources, such as passports, driving licences and credit histories, to prove the user is who they say they are. However, the model has proved unsuccessful, with fewer than 50% of all users being able to set up a Verify identity when they try.

Read more about Gov.uk Verify

There are also question marks over the commitment of the IDPs – also known as certified companies. A report by McKinsey for the Cabinet Office showed that more than 80% of users chose two of the seven IDPs – Experian and the Post Office – leaving Digidentity, Royal Mail, Barclays, Citizen Safe and Secure Identity to pick up the remainder between them.

Other digital identity companies have complained that they are locked out of competition for digital government users and that the Verify model has effectively subsidised the set-up costs for the seven IDPs using taxpayers’ money.

Should Verify be terminated, the true costs to government may never be known. The £130m spent by GDS does not include work by Whitehall departments that have integrated Verify into their services, nor the cost of replacing it. Those departments that have already had to develop their own identity system will also have incurred significant cost that would not have been required if they had been able to fully adopt Verify.

The IPA is responsible for overseeing the biggest and most important projects across government, many of which are digital initiatives. It regularly reviews major projects to help identify and resolve problems and rates those projects on a "red / amber / green" scale to flag up failing programmes that require attention. The IPA’s annual report, published in July this year, rated Verify as “amber”, having been “amber/green” 12 months before. An amber rating is defined as: “Successful delivery appears feasible but significant issues already exist, requiring management attention.”

A National Audit Office report in March 2017 questioned the future for Verify. “Reduced take-up means Verify will need to be centrally funded for longer, and reduces the incentive for the identity providers to lower their prices over time… It is not clear how or when GDS will determine whether continuing with Verify will achieve projected benefits,” said the report.

Nic Harrison, the head of the Verify programme at GDS, is leaving his job this month and no replacement has yet been announced.

Computer Weekly revealed in June that GDS had lost responsibility for digital identity policy to the Department for Culture, Media and Sport, but retained ownership of Verify. The government is working on a review of digital identity policy and is expected to set out its approach in the coming months.

The Cabinet Office and GDS declined to comment, and did not offer answers to Computer Weekly's questions on the future plans for Verify.

Read more on IT for government and public sector

CIO
Security
Networking
Data Center
Data Management
Close