Patryk Kosmider - Fotolia
The business case for Gov.uk Verify, the government’s controversial online identity system, was signed off in 2015 on the expectation of a 90% success rate by April 2016, Computer Weekly has learned.
But as of today (10 August 2017), the service is still recording a completion rate of less than 50% for new users – raising further questions about whether Verify can deliver the anticipated benefits.
The “vision” for Verify outlined in the May 2015 business case predicted that “90% of people can verify their identity online with a 90% success rate by April 2016”, according to documents seen by Computer Weekly.
The forecast cost savings from Verify further assumed that, by 2019/20, it would be adopted by 80% of the 77 digital public services identified as the likeliest users of the tool, with 95% of citizens accessing those digital services using Verify – and with 90% of those people able to successfully establish their identity.
To date, however, Verify is used by just 15 digital services, with only 46% of citizens using those services able to successfully create a verified identity. Of those who do create an ID, only 37% on average are subsequently able to access the digital service they intended to use.
Only 1.42 million Verify accounts have been set up so far – but the government this year adopted a target of having 25 million users of Verify by 2020.
Predicted cost savings
The business case predicted £71m of annual cost savings by 2020, with running costs of £37m. It also claimed a further saving of £263m by avoiding departments spending money on developing their own identity systems and using Verify instead.
HM Revenue & Customs (HMRC), however, continues to develop its own Government Gateway system for identity checking.
The document also claimed that Verify could save £200m-£300m over five years by reducing fraud and errors in benefits and tax credits – although that figure was derived from an analysis by the Gov.uk Verify team in the Government Digital Service (GDS) and does not appear to have been independently checked by fraud experts.
The business case said £36.4m had been spent on building Verify up to May 2015, with about £60m more needed to develop and maintain the system for a further five years.
Computer Weekly asked the Cabinet Office for details on the current state of Verify, its progress compared to the 2015 business case, and what is being done to ensure the 2020 targets will be achieved. In response, a Cabinet Office spokesperson said: “Since 2015, almost two million people have signed up to Gov.uk Verify – and we are continually reviewing and developing the user journey for the public.”
The business case document also revealed that in 2015, Verify was costing £8 to register a new user and £4 per user per year for repeat use. It said that reaching 20 million users by 2019/20 would see these costs fall to £2 up-front, then £1 per year. These fees are payable to the third-party identity providers that establish a citizen’s online identity before they can access government digital services. Contracts with these providers work on the basis that per-user costs diminish as more people sign up.
However, even those lower amounts compare unfavourably with commercial online identity tools for consumers. For example, Microsoft’s Azure Active Directory, which is described as “a cloud-based identity and access management solution for your consumer-facing web and mobile applications”, charges just £0.00209 – one-fifth of one penny – per user authentication up to 950,000 users, dropping to £0.00157 for nine million users.
HMRC is believed to have discussed the potential use of Microsoft’s product – the supplier was heavily involved in the development of the original Government Gateway in 2000/2001 – but there is no suggestion that those discussions have led to any specific plans.
At the end of 2015, GDS received a £450m budget as part of then-chancellor George Osborne’s spending review – based largely on the GDS business case, with Verify one of the main programmes receiving funding.
GDS has not spent all its allocated budget on Verify since then, because the lower-than-expected user take-up means it has not had to pay the identity providers as much as anticipated.
Last month, GDS launched a new version of Verify that allows for identity assurance at a much lower level of security, known as LOA1 (level of assurance 1), which is effectively little more than a system to set up a username and password - although the Verify implementation of LOA1 will include an additional verification step to provide some assurance that the user is who they say they are.
GDS hopes that more government departments will adopt Verify using LOA1 as a start point where they do not need the higher assurance level previously available.
Verify rethink needed?
Independent government IT experts have called for Verify to be reviewed, claiming it is unlikely to achieve its targets and should be halted now and the plans reconsidered.
“It is time to be brave and ignore sunk costs – investment to date and contractual exit costs, if any – and let [Verify] go,” said Alan Mather, former CEO of the Cabinet Office e-delivery team – a predecessor of GDS – writing on his personal blog. “It hasn’t achieved any of the plans that were set out for it and it isn’t magically going to get to 20 million users in the next couple of years.
“Verify started out trying to solve a different problem. It isn’t seen, and wasn’t conceived, as part of a cohesive whole where the real aim is to shift interaction from offline to online. In its current form, it’s on life support, being kept alive only because there’s a reluctance to deal with the sunk costs – the undoubtedly huge effort (money and time from good people) it’s taken to get here. But it’s a ‘you can’t get there from here’ problem. And when that’s the case, you have to be brave and stop digging.”
Read more about Gov.uk Verify
- GDS is leading pilots of using identity assurance system for local authority digital services.
- The government’s Verify identity verification platform isn’t secure enough for the NHS.
- GDS, HMRC and Verify: so much for cross-government digital collaboration.
In an article for Computer Weekly published in May, Jerry Fishenden, former chairman of the Cabinet Office’s Privacy and Consumer Advisory Group, said: “Gov.uk Verify is displaying the worrying and familiar symptoms of a troubled government programme.”
He added: “Some six years since its inception, the Gov.uk Verify platform is struggling to establish itself as a viable service. This failure is having knock-on consequences. According to government insiders, Verify’s poor performance and lack of departmental buy-in is undermining the more important work under way to establish a trusted identity assurance framework able to work across both private and public sectors.”
Calling for Verify to be “reset”, Fishenden said: “A significant amount of money, time and resource have been sunk into the Verify platform, but without delivering the results desired or the success repeatedly promised. GDS needs to follow the principle of ‘physician, heal thyself’ and rigorously apply its own guidance to itself – from a fundamental and honest reappraisal of user needs, through to a fundamental review of the original business case and the assumptions it made.”
The National Audit Office has also been critical of Verify. In a report published in March, the government spending watchdog said: “It is not yet clear whether Verify will be able to overcome the limitations that have prevented its widespread adoption across government, or whether attempts to expand in other ways will be successful in encouraging departments to adopt it. Take-up and cost projections remain optimistic.”