Claude Wangen - stock.adobe.com
Scotland digital identity prototype pilot successful
Digital Identity Scotland’s 10-week test of its digital identity prototype finds that users understand the concept of two-factor authentication and using the same credentials across services
The Scottish Government’s testing of a digital identity prototype has instilled confidence that users understand why and how they can benefit from a digital identity system, according to Gavin Ross, policy lead for digital identity in the Scottish Government.
Digital Identity Scotland undertook a 10-week project between January and April 2020 to build and test a prototype of its digital identity system with real users.
The project followed a competitive tender project where Mydex CIC, a platform provider for digital services and the Digital Health & Care Innovation Centre, was awarded the contract to test the technical feasibility and usability of the proposed service.
The project was completed on time, and the government, together with Mydex CIC, has published a report on the prototype testing.
The objective of the project was to “build an attribute prototype to test a conceptual architecture for delivery of an attribute-led approach to delivering an identity service and wider attribute service across Scotland for the benefit of citizens and public service providers to reduce friction, effort, risk and cost, and improve the experience and outcomes from accessing public services,” the report said.
The prototype was used for two different use cases: using data generated by the Young Scot National Entitlement Card application process to open a bank account, and speeding up the application process for the Independent Living Fund.
“The prototype has built the technical infrastructure that enables individuals to create a set of credentials for accessing government services and their own attribute store linked to the credentials in which they can accept verified attributes from public service providers, to store these attributes safely in their attribute store, and to forward them to relying parties, when asked, for the purposes of service application or provision,” the report said.
“There is a dedicated stateless hub operating that orchestrates all the activity between the specific web apps and other components in the architecture. Each journey outlined in the scope of the project can be demonstrated.”
The project also undertook research to look into different forms of authentication, beyond a simple username and password. This included one-time codes sent to a phone, authenticator apps installed on a phone, dynamic push notifications to a phone running an authenticator app, and using the fingerprint or facial recognition software on a phone.
The project found that not all transactions required the same level of authentication, and identified a need for “configurability and preferences to be expressed from both the service provider (relying party) and citizen’s perspective”.
“Consideration should therefore be given to support for different levels and forms of multifactor authentication based on context of use and preferences of citizens,” the report said.
The users also quickly understood how they could benefit from using the same credentials across services, removing repetitive form filling and having to show evidence and ID over and over again.
However, users had “less understanding of the potential value to themselves and to service providers of verified attributes and how this could speed up application processes and reduce cost, risk, effort and friction within the back-office processes of service providers”.
“This is an area for future co-design and research as an appreciation of the benefits would be a strong motivator for seeking access to and sharing verified attributes,” the report said.
During the project, users also raised issues around data security and user control, where they did not fully understand what safeguards were in place. The report said citizens wanted to be able to “store additional information in their attribute store, even where it was not verified”.
“More design and research is needed to better explore how best to convey the benefits and key areas of understanding around security and control. The prototype would benefit from extensions in capability to test different communications and journeys with a wider group of citizens and additional use cases,” the report said.
Digital Identity Scotland will now move forward with the development of a digital identity system, including undertaking an options appraisal for creating an attribute ecosystem across Scotland, learn from projects already implementing digital identity, and continue testing, research and design.
Scottish Government’s Ross said the project had found that by understanding user needs, it would be able to develop and communicate the benefits of using Digital Identity Scotland. “For instance, speeding up access to public services, whilst also maintaining privacy and reducing the risk of security or data breaches,” he said. “We are now moving towards the next phase, where we take all this activity and all we’ve learnt and plan for a Beta service.”
Back in 2018, the Scottish Government carried out a discovery exercise for its identity service and assessed alternatives such as the Government Digital Service’s digital identity service Verify, which was considered to be “well placed to provide assured digital identity services”.
However, it found at the time that there were “potential issues” with Verify’s reach and “other players in the market that could provide plausible alternatives”.
Read more about digital identity
- The tech sector has waited over a year for the government to respond to its consultation on digital identity, and when it came, the plan could hardly be more disappointing.
- Long-awaited response to July 2019 consultation highlights private sector demands for digital identity support from government.
- More than a year after first announced, the government has launched a year-long pilot of its post-Brexit digital identity checking service.
- The government’s attempts at digital identity have failed – it is time for a new, modern approach.