gosphotodesign - Fotolia

Digital identity market welcomes plan to hand Gov.uk Verify to private sector

Players in the UK digital identity community welcome the clarity over the future of Verify, but question marks remain over prospects for government ID system

The UK’s digital identity community has reacted positively to the government’s announcement that its Gov.uk Verify system will be handed over to the private sector in 2020.

But while the news was welcomed by firms that are likely to become commercial competitors for the Government Digital Service (GDS) system, there are still question marks over Verify’s ability to compete in this emerging market.

Last week’s Think Digital Identity for Government conference in London was the first opportunity for digital identity players to publicly discuss the future since the Cabinet Office revealed in October it will cease investment in Verify in 18 months’ time, and hand it over to five of the identity providers (IDPs) that currently hold a monopoly on digital IDs for the public services that use Verify.

Ian Imeson, senior identity architect at supplier Signicat, said that “pushing Verify into the private sector is a real opportunity” – with the implication being the “real opportunity” is for ID companies such as his. For some time, suppliers have resented the exclusivity given to the GDS IDPs, claiming this has hindered growth of a wider ecosystem.

Harry Weber-Brown, digital innovation director at TISA, a financial services trade body that’s leading efforts to develop digital identity standards and agreements across the sector, welcomed the fact there is “much more certainty over where Verify is going over the next 18 months”.

TISA has been liaising with GDS with the aim of ensuring interoperability for digital identities between government and banks. There’s a certain irony here, in that GDS’s leaders in the early days of Verify were keen to involve banks as IDPs to broaden the appeal to Verify beyond the public sector – but only Barclays signed up. It’s taken financial sector regulation such as PSD2 to encourage banks to take cross-industry identity seriously.

Identity interoperability

The recurring theme at the conference was interoperability – the need for consumers/citizens to be able to create a digital identity with one private sector company, and to re-use it with other companies and also government, and vice versa. This has been a Holy Grail for digital identity in the UK for many years, and a challenge that has yet to be fully cracked.

Some small progress came in September as the EU’s eIDAS Regulation came into force, enabling interoperability of state-backed digital identity schemes across the bloc. It’s now possible for a German citizen in the UK to access their HM Revenue & Customs (HMRC) digital tax account by using their German-issued digital ID. Further compliant services are expected to follow – assuming the UK is still part of eIDAS after Brexit.

But within the UK, there’s a long way to go before digital identities become ubiquitous and portable. The big question is: will the new strategy for Verify stimulate the market as the government hopes?

Most [digital] identities will be created outside of the public sector
Julian White, GDS

As recently as July, the Cabinet Office’s major projects watchdog, the Infrastructure and Projects Authority, recommended that Verify should be terminated because Whitehall departments had lost confidence in the system and were unwilling to fund further development.

GDS subsequently signed contracts with five of the seven IDPs previously involved with Verify to hand the system to them in 2020, with the aim of Verify becoming self-funding for government – that’s if you don’t include the more than £130m GDS has spent developing Verify to reach this point.

Verify’s success rate continues to disappoint – the monthly average for completed verification has fallen to 44% as of October. In other words, 56% of people who try to create a Verify identity are unable to do so. Many experts point out that no commercial product could hope to be successful with such a poor performance.

Universal Credit

One of the great hopes for improving adoption of Verify is the Department for Work and Pensions (DWP), where its Universal Credit system uses Verify for setting up digital identities. When Universal Credit is fully rolled out, expected by the end of 2023, it could bring millions of new Verify users.

The business case for the new welfare programme originally expected to use Verify for 90% of claimants, but as Computer Weekly revealed in March, tests as long ago as 2015 showed that benefit claimants – often people with little digital footprint – only reached a 35% verification success rate.

DWP had intended to develop its own digital ID system to complement Verify, but Cheryl Stevens, deputy director of identity and trust services at DWP, told Computer Weekly that plan was not followed through. Universal Credit (UC) claimants must now use either Verify or visit a Jobcentre to set up a login in person.

Stevens admitted that UC was achieving a lower success rate than Verify’s 44% average. This means that perhaps as many as 60% of claimants need a face-to-face session at a Jobcentre. Observers can only speculate at the extra costs associated with staff, time and resources for DWP in setting up 60% of users manually, instead of the originally anticipated 90% use of Verify.

Stevens also would not rule out the possibility that Universal Credit could accept non-Verify digital identities at some point in the future, but said there are no current plans to do so.

Several speakers at the conference – including Stevens – said GDS’s biggest mistake with Verify was setting too high a hurdle for creating a digital ID. GDS designed Verify to be able to establish a user’s identity to a level of proof that would hold up in court – known as LOA3 assurance.

Even for users other than benefit claimants, many found their digital footprint – such as credit records, driving licence, passport – was insufficient. LOA3 assurance has proved to be too high for widespread adoption. That’s a factor that put off some major government departments, such as HMRC, in the early days. GDS has since tested a lower form of assurance, called LOA1, but it’s not yet widely in use.

Commercial model

Another major problem for Verify has been the lack of a commercial model to allow its adoption in the private sector. GDS has widely consulted industry on this, but has failed to find the answer.

These commercial issues were a factor in GDS losing policy responsibility for digital identity in June to the Department for Digital, Culture, Media and Sport (DCMS). The conference was also the first chance for GDS and DCMS to share a stage since that somewhat acrimonious transfer of power.

Andrew Elliott, deputy director for digital identity at DCMS, acknowledged that, commercially, “Gov.uk Verify is not the right model yet”.

“What is the commercial model that will work for everybody?” he asked, rhetorically, adding that it’s “not been clear” so far. Between them, GDS and DCMS have until the end of the 18-month handover period to find out.

Julian White, identity advisor at GDS, said that after that period, “most identities will be created outside of the public sector”. But he was unable to say when Verify users will be able to use their digital ID to access private sector services other than those provided by the existing IDPs, nor when a non-Verify private sector ID would be accepted for logging in to a government service.

Significantly, Elliott confirmed that DCMS is looking to open up the document checking service, developed by GDS for Verify, to third parties. The service allows ID providers to digitally check user credentials against public sector databases such as passports and driving licences, which are considered the “gold standard” for government-assured identity data.

Read more about digital identity

Signicat’s Imeson said the government needs to open up more public sector data for this purpose, claiming it would be an even more important move than setting UK-wide standards for digital IDs.

A further acknowledgement from GDS was that its focus for Verify has been too government-oriented. Alastair Treharne, head of identity standards and fraud prevention at GDS, said: “Historically, we have had too much of an internal government focus.”

He said that in the future, the initial registration is more likely to be created in the private sector, moving away from establishing IDs purely to access public sector services. It’s a realisation that for all the intent behind Verify becoming a widely used system, not enough was done to make it attractive to the private sector.

Greater collaboration

It was clear from discussions at the conference that the future for digital identity in the UK lies in greater collaboration – between government and the private sector, and within industry sectors to understand their specific needs. Digital identity is not short of representative bodies and membership forums that have been working together for many years to agree standards.

In the UK, cultural issues are another hindering factor. Britain is one of the few European countries without identity cards, and it’s still considered politically difficult to have even a unique identifier for every citizen as part of a digital identity ecosystem. This, despite all UK citizens having national insurance numbers without any complaint.

According to Imeson, in the Nordic countries, where he said citizens have a greater degree of trust in their government, there are already five billion transactions per year using digital identities. Many Nordic citizens use their single digital identity for a wide range of online services, public and private, instead of having to create multiple logins and passwords like people do in the UK.

Verify was meant to overcome the UK’s cultural resistance by taking a federated approach, avoiding a central government ID database and using IDPs as the beach-head for creating a national digital identity market. GDS is still confident that handing Verify to the private sector can stimulate a wider ecosystem, and experts at the London conference tended to agree. What’s less clear is how big a role Verify itself will play in that market.

As one speaker at the conference said, digital identity is just hard to do. As the UK government has found out.

Read more on Identity and access management products

Data Center
Data Management