James Thew - Fotolia

High-assurance identity top priority for government and finance

The UK government and financial sector is working together to meet the need for high-assurance identity globally

Creating persistent identities that are validated to the right trust levels is key for online banking, insurance and legal services, according to Sandy Porter, co-founder of identity assurance firm Avoco Secure.

“This is about providing the right level of assurance, to the right service at the right time,” he told the Consumer Identity Summit in Paris.

According to Porter, it currently take around 28 days to “onboard” a customer for online banking and typically involves visiting a bank to complete the verification process.

“Banks are among the drivers of concept of high-level consumer identity because ultimately they would like to do the whole onboarding process online and reduce it do around eight minutes,” he said.

For this reason, the banks and other financial sector organisations have been working with the UK government on the development of its Gov.uk Verify identity assurance system.

There is growing market demand, said Porter, for flexible assurance services that incorporate personal data stores and attribute exchanges to add increasing layers of value to identity.

“We are now seeing the emergence of dynamic authentication options that link things such as device ID and location awareness,” he said.

Porter emphasised that this is all being done with user consent to supply information from multiple sources using dynamic attributes and services.

“Together they raise assurance levels and generate multi-directional trust, which is key to enabling trusted services,” he said.

In this way, Porter said a secure, verified identity can be created that keeps building value. “What we are really talking about is a bonded identity, and you are continually building on that identity. The more you build, the more valuable it is, and the more important security and privacy is within it,” he said.

Read more about Gov.uk Verify

Gov.uk Verify, for example, builds from trusted sources such as UK passport, UK driving licence, UK bank account and financial records.

“The service is provided by eight different companies that have been certified to government standards, but it is all done all online, there is no need to verify anything in person,” said Porter.

The first step in the Gov.uk Verify validation process is to capture user-provided evidence of identity, this is then checked to ensure that it is genuine.

The third step involves verification through knowledge-based questions, physical verification or biometric verification.

“There is a lot of focus on finding alternatives to knowledge-based questions, though, because users hate them and fraudsters probably know the answers better than they do,” said Porter.

“What we need to be thinking about is linking things such as registered address, device identity and registration and device location, which would be much easier for the user,” he said. 

The fourth element of Gov.Uk Verify’s validation process is full fraud checking, including mortality checks, and identity theft checks.

“This all adds value to the identity, which is re-checked every 180 days to ensure that it all remains valid through time,” said Porter.

“The real opportunity is that government IDs can be uplifted for consumer use and vice versa, with government very keen to build off of bank IDs,” he said.

Read more about consumer identity

Porter said Avoco Secure is working with Royal Mail Group and HSBC to create high-assurance consumer identities, while Capital One, Barclays, Aviva, credit reference agencies and others are working together.

“The Gov.uk Verify programme has created the standards, which is what has excited the banks. Instead of doing their own IDs in siloes, they working together to solve a mutual problem globally, not just in the UK,” he said.

A model is emerging where attribute exchange services or hubs provide verification services by plugging in to mobile, business, education and other data sources to create a “golden record” to create a new and trusted ID.

Once a high-assurance consumer ID is established, it can be used to provide other services to users such as personal data stores, payment authorisation, consent-based marketing, anti-money laundering checks and IoT (internet of things) control consoles managed through devices such as Amazon Echo.

Using this approach, there is an opportunity to provide personal data management services which give users access to a data management console for storing self-asserted and trusted attributes.

“This would allow citizens to update their details and manage credentials, to track who has requested what attributes, and to consent to share with services for tailored marketing,” said Porter.

“High assurance ID, plus trusted attribute exchange and personal data management in one is already happening,” he said. ... ... ..... ... ... ... ... ... . ... ... ...

Read more on Identity and access management products