https://gds.blog.gov.uk/2014/01/23/what-is-identity-assurance/

What is identity assurance?

Identity assurance is a new service that will give people a secure and convenient way to sign in to government services.

Why we need identity assurance

The 25 exemplar services (the government services that make up the digital transformation programme) will make it possible to do a range of things you can’t easily do online now; like register to vote, view your driving record or tax details, apply for an apprenticeship and manage your student loan.

When you use these services, you want to be confident that someone else can’t sign in pretending to be you, see your sensitive personal records or use your identity to make fraudulent claims. You want to be confident that your data and services are secure and your privacy protected.

The government departments providing these services need to verify your identity to make sure the right people are accessing the right information. That’s why we’re building the identity assurance service.

Verifying your identity - GOV.UK

How we will provide user choice, control and privacy

When you’re using digital services you want to be sure that your privacy is being protected and your data is secure.

We’ve been working for the last three years with our Privacy and Consumer Advisory Group to help make sure we’re designing a service based on user choice, control and privacy.

Last summer the group published a draft set of identity assurance principles to make sure the service is designed and operates in a way that is transparent, protects your privacy and gives you control over how your data is used. We will  be publishing a document in the next few weeks explaining in detail how we’ve designed the service to reflect the principles.

Who will verify your identity

When one of these digital services needs to verify your identity, you’ll be directed to a page on GOV.UK where you’ll be asked to register with an identity provider. If you’ve already registered, you can just sign in.

Identity providers are organisations paid by the government to verify people’s identity so they can sign in securely to government services. Identity providers will have to meet industry security standards and identity assurance standards published by the Cabinet Office and CESG (the UK’s national technical authority).

There are currently 5 identity providers - Digidentity, Experian, Mydex, the Post Office and Verizon - eventually there will be more. You can choose to register with more than one of them, and you can stop using an identity provider at any time.

Why we’re using identity providers

There are 5 main reasons why we’re using identity providers rather than doing this work within government:

1. user choice - you will be able to choose your identity provider(s) and stop using a provider if you want

2. no centralised identity database - instead, to protect users’ privacy, each identity provider will be responsible for securely and separately holding data about the users that have registered with them. Each government department service will only have access to the data it needs.

3. security - using several identity providers is more secure and less vulnerable; there is no single point of failure and no single service that holds all the data in one place

4. developing a market - we’re giving identity providers freedom to design services to meet the standards. This will allow them to develop services that can be used by the wider public and private sector, which will help to reduce costs.

5. making the most of available technology - the technology and methods for identity verification are constantly evolving; specialist private sector organisations are better placed than government to keep up with these developments

Identity providers will have to operate according to strict security and operations standards, to protect users’ security and privacy and to make sure the required standards are met.

How the identity assurance process works

Your chosen identity provider will ask you for some information that helps establish that you are who you say you are. No single piece of information is sufficient to achieve the required standards; they will need to ask you for a range of information.

Identity providers will check to make sure information you’ve provided is valid and genuine. Your chosen provider will be able to send your passport and driving licence details to the government agency that issued them to ask if they match a valid record. Identity providers will also be able to check databases of known fraudulent documents, including police databases. They won’t have access to confidential information held about you by other government services. They can check other records they have access to from within the private sector, like information from credit reference agencies.

One of the benefits of the new service is that most people will be able to complete the registration process online, without having to wait for documents or instructions to be sent in the post as happens with existing services like Government Gateway.

We’re working with the identity providers to make sure that people who don’t have specific official documents like a passport or driving licence will still be able to achieve the required level of assurance through other means.

Once the identity provider has verified your identity, you will be given a secure means of signing in.

Different levels of assurance for different services

Some services don’t need to know who their users are. If you want to order a document, the service provider only needs to know where to send it. Other services will need to be more confident that you are who you say you are; for example, if you’re going to be able to see sensitive personal details, or make a claim for payment.

Each service will assess risks by considering things like whether sensitive data can be seen and whether money transactions take place, in order to decide what level of identity assurance they need.

The guidance on how to assess risks to online services is published on GOV.UK.

Identity assurance will initially be available for services that need to be confident that a user is who they say they are to ‘level of assurance 2’ according to the published guidance. This is a moderate level of security, more than just a basic check, and enough to be able to access quite a big range of services.

What’s next

By March 2014, we will be in private beta and the first users will be able to use identity assurance to sign in to a government service. The private beta is the first version of the service, available to a small number of selected users so we can test and develop it further.

The private beta will initially include two exemplar government digital services - HMRC’s PAYE and DVLA’s view driving record service. These services will use identity assurance to allow about 2,000 users to sign in securely. We’ll use the private beta to learn from our first users’ experiences and continue to develop the service. From April onwards, we’ll start adding more services and more users.

We’ve been blogging about our work on the GDS blog and more recently on our own identity assurance programme blog. We’ll be producing a lot more posts over the coming weeks and months; looking at different aspects of the service, sharing what we learn from the private beta, reporting on our ongoing user research and hearing your feedback.

We have a range of topics we’re planning to post about, and we’re keen to answer questions like the ones Paul Clarke posed in his recent post. If you have any issues you want us to cover please let us know.

Follow Janet on Twitter and don't forget to sign up for email alerts.


You may also be interested in:

Identity Assurance: First delivery contracts signed

Advisory group publishes identity assurance principles for consultation

Identity Assurance: Maintaining Good Practice

42 comments

  1. Josh Tumath

    It's great to finally hear how user accounts on government services will work. I can't wait to see its use in a public beta.

    However, how will users chose which identity provider to use? I can imagine most people making their choice based on brand recognition, and the only brand most people will recognise is the Post Office. How will you ensure the userbase is balanced across all identity providers.

    Link to this comment
    • Janet Hughes

      Hi Josh. We will help users by giving a short description and some information about the methods each identity provider will use, to help people choose a provider to suit their needs. But it's up to each user to choose which provider they want to register with.

      Link to this comment
  2. Julie

    I am currently registered with the Government Gateway; my driving licence was linked to my passport to capture my image for the former; I have an account with Experian already. Will this new facility take these into account or will I have to re-register.

    Link to this comment
    • janethughes

      Hi Julie, we'll be working with each service to work out the best way for their existing users to move across to the new way of signing in. At this point, we are assuming you'll need to re-register, because the identity providers will need to go through the process of registering and verifying you in order to meet the required standards. We'll be looking more at this question during our beta to see how we can make sure the required standards are met in the most convenient way for users.

      Link to this comment
  3. Herbert Street

    That's really great news with regard to identity assurance for private citizens requiringour services. Will this or complementary services be provided centrally to cover service providers, practitioners and other businesses who need to access our services ... or will that be down to individual Departments?

    Link to this comment
    • janethughes

      Hi Herbert, yes, identity assurance will work across government services. Once someone has registered, they'll be able to use identity assurance to sign in to all the services that need the same level of confidence about who their users are. Services will start using identity assurance by March and the number of available services will increase after that.

      Link to this comment
  4. Dan Hilton

    Interesting process - can you share how you technically plan to secure a digital service? Will these transactional services live on gov.uk single domain, i.e. having secured and non-secured sections of the website that make use of the IDP hub?

    Link to this comment
  5. Pete

    What guidance is there for those building new government services that require identities - the new scheme will not be available in the immediate future so what steps can be taken to ensure future compatibility?

    Is there a transition plan from the existing Government Gateway to the new Identity Assurance?

    Link to this comment
  6. Stefan

    Unexpectedly, your five reasons feel a bit producer-centric in places, and I wonder whether they would be expressed a bit differently with a more user-focused approach.

    So from the point of view of the system as a whole, having multiple providers is clearly more secure, since as you say, there is no single point of failure. But as a user, I don't care about that, I care whether the identify provider I have chosen to use is secure: if that one fails for some reason, the fact that there are four others which haven't isn't really much comfort.

    Similarly, the fact that there are multiple providers doesn't obviously protect my privacy better than a single provider could do - it may lessen the overall privacy risk, but again, if my privacy has been compromised, I won't be reassured by knowing that the privacy of people using other providers hasn't been. Distributing the risk doesn't inherently reduce or eliminate it: no one retailer can compromise everybody's credit card, but the universe of US retailers seems to have managed to compromise a startlingly high proportion of US card holders.

    To be clear, I am not suggesting that this is the wrong approach - quite the contrary - just that the arguments may look a bit different from the perspective of an individual user than from the perspective of the system as a whole.

    Link to this comment
    • Mike

      Stefan,

      My thoughts exactly, the system is all about .Gov not the user!!!

      Link to this comment
    • Janet Hughes

      Hi Stefan. Thanks for your comment - you're right, we certainly need to make sure that the individual components of the system that each user interacts with are secure and operate in ways that protect their privacy. I was meaning to suggest that, as well as that, users have a need for a secure system, overall, and a distributed approach serves that need better than a single identity provider would. I can see how that could have been clearer though - thank for your the feedback.

      This is a really important set of questions, and as I said I'd like to do another post looking in more detail at this when we publish our response to the Privacy and Consumer Group's identity assurance principles.

      Link to this comment
  7. Terence Eden

    Thanks for explaining exactly what it will be used for - that clears up a great deal of my confusion.

    That said (and there's always a fly in the ointment, eh?) I'm confused about the choice of Identify Providers.

    Verizon - who basically give the US government everything they ask for.
    The Post Office - who I wouldn't trust to mail a birthday card without "extracting" the money inside.
    Experian - who refuse to update credit scores and then try to charge you to see your own information.
    Digidentity - who no one has ever heard of, and appear to be Dutch. Will my data be taken outside the UK?
    Mydex - who, again, no one has ever heard of.

    I sort of like the idea of letting someone other than the Government department validate me - but can we really do no better than these companies?

    In summary - what are my options if I don't trust any of those providers?

    Link to this comment
    • Janet Hughes

      Hi Terence, thanks for commenting and raising these questions. The identity providers will have to demonstrate that they meet operations and security standards before they're able to offer a service to the public under our contracts with them, and there are constraints on what they can do with the data they have access to as identity providers.

      We do need to explain more fully how identity providers will work, what data they'll hold and how they're allowed to use it, and how users' privacy and security will be protected. Some of this will be covered in our forthcoming response to the identity assurance principles. We'll also be writing more on our blog about how identity providers will work. Please keep an eye out for these further posts, we'll be interested to hear your comments and feedback.

      Link to this comment
  8. Dan Craddock

    "4. developing a market – we’re giving identity providers freedom to design services to meet the standards. This will allow them to develop services that can be used by the wider public and private sector, which will help to reduce costs."

    Does this mean a cost to the end user for using one of the providers to access Gov services? I read it as the providers can re-use the identify services they create for Gov in non-Gov/commercial purposes, but would appreciate clarification.

    Link to this comment
    • Janet Hughes

      Hi Dan, thanks for commenting - the government will pay the identity providers for each individual registration; there's no charge to the user.

      Link to this comment
  9. simonfj

    Hi Janet,

    We seem to be at the point now, where we have two design philosophies coming together. The first takes the PSIIF approach where the network "will not be used by citizens or private sector organisations for accessing public facing Internet services". https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/204103/PSIIF_HLTAD__v1.0.pdf It's for citizens on the inside of departmental moats.

    The second is "citizen identity management (and) is covered under the remit of Identity Assurance Programme (IAP) which is being led by Government Digital Services within the Cabinet Office". It's for all insider citizens when they get home from the office/classroom (and they still get complaints).

    One puts security first, the second puts sharing first.

    And somewhere in between we have the EAS, where "employees in local government, schools and other organisations access and share sensitive information in order to improve services for the benefit of children, learners and citizens". (and maybe even governments) https://www.keytosuccess.education.gov.uk/leas/eas.html

    Looking at the comments above, it seems some thoughtful citizens have offered a synopsis of why they aren't afraid of using big brother's services. While Umer and the team is offering some good reasons of why they should stay (with the gatekeepers). https://hmrcdigital.blog.gov.uk/

    Bottom line, as you say, "Some services don’t need to know who their users are". From my perspective, that includes Facebook and Linkedin, where, if I was to prove my identity on a government blog like this, the only credential you would need to know is that I'm a citizen, so I'd use my citizen account, not my Facebook one, to log on.

    Sounds like, if the gov is paying identity/attribute providers by the head, there's an aweful lot of money to be saved, or made, by public gatekeepers, especially those in local government. Mind you, they'd have to treat people like citizens, not (service) users.

    Link to this comment
  10. Simon Shepherd

    Although I have concerns about all government databases - I was an IT contractor at the DOH some time ago and I saw all sorts of information I'd rather I hadn't, e.g. a list of drug treatment patients (I'm hoping things have improved since then) - the one thing I'd really like from a service like this is to be able to update my driving licence. I have an old paper one and as I'm a foreign national with permanent residency, apparently the only way I can update it is by sending my passport through Royal Mail to the DVLA. I travel for work so putting to one side my concerns about sending my main form of ID and residency visa through the increasingly unreliable mail system, I can't be without it for the weeks I am informed I will be without it. Have special cases like this been taken into account, or will I continue to be orphaned from the system for another decade and a half? I haven't had any problems yet, but neither have I had to claim insurance, or been in a dispute that reaches the courts.

    Link to this comment
    • Janet Hughes

      Hi Simon, thanks for your question. Yes, the identity assurance will mean that once a service (like applying for a driving licence) is available digitally, depending on the level of assurance that's needed for that service, most people will be able to register with an identity provider and sign in to the service online rather than having to send documents in the post.

      It's for each department or agency to make its services available digitally - the identity assurance service will just enable people to sign in securely to those services. At the moment, we're working with the DVLA to prepare for their view driving record service to use identity assurance - that's their exemplar service (see gov.uk/transformation for more information about exemplars). The DVLA has a blog about its digital work, so I'd refer you there for more information about their future plans beyond that https://dvladigital.blog.gov.uk/.

      Link to this comment
  11. Simon Shepherd

    Thanks for your response, Janet. I'll head over to the DVLA blog and maybe drop a comment there too, if I think it'll help.

    Link to this comment
    • Rohan Gye

      Hi Simon

      You can already apply to upgrade your paper licence to a photo card licence on-line using DVLA's Driving Licence Online service. Its available via GOV.UK here:

      https://www.gov.uk/exchange-paper-driving-licence

      You won't need to send us your passport via the post if you apply on-line but you will need to register on Government Gateway before you proceed. You should also check the list of all the other things you will need before you start.

      Regards

      Rohan

      Link to this comment
  12. Rohan Gye

    Excellent blog and a very helpful summary of IDA. However, I have received a few queries to clarify some of the points raised here:

    1. Can you please clarify how users "can stop using an identity provider at any time"? I am also interested to know if that provider can retain all the information already gathered or how long they can hold it before they destroy it?

    2. How can users who don’t have specific official documents like a passport or driving licence achieve the required level of assurance through other means?What other means are these?

    3. Will ID providers be able to store/share the data gathered?

    4. Will the ID providers offer a helpdesk service and if so how will customers be able to contact them?

    Thanks

    Link to this comment
    • Janet Hughes

      Hi Rohan, thanks very much for passing on these questions. These are important questions that need fuller answers than I can give in a reply to a comment - we'll be covering these issues in more detail in future posts. However, here are some initial answers in the meantime, which I hope are useful.

      1. Retention of information by an identity provider - we'll cover this issue in more detail when we publish our response to the identity assurance principles, when we will be explaining in more detail how data is passed around and stored. In summary though - as an individual you have the right to have your account removed. In that case, the provider has to remove your account, but will need to retain some limited data for audit purposes.

      2. Other means of verification for users without a driving licence or passport application - The question of how identity assurance will work for people with 'light files' is very important and we and the identity providers will be working on this throughout the beta phase to make sure as many people as possible are able to complete the process easily online. It is more difficult to achieve the required level of confidence without at least one of these documents, because although they are not identity documents they are strong pieces of evidence. But identity providers can ask questions about a range of other types of evidence to reach the required level of confidence, so it will be possible for people without those documents to register and sign in using identity assurance.

      More information about the levels of confidence the identity providers are required to achieve is available in the Good Practice Guides (https://www.gov.uk/government/publications/identity-assurance-enabling-trusted-transactions).

      3. Storing and sharing data by identity providers - identity providers are covered by data protection law and have to protect your data in accordance with that. Also under their contracts with the Government, they have to make sure their users give informed consent to any use of your data. We'll go into this in more detail in our forthcoming posts about data and privacy.

      4. Helpdesk services - we'll be providing helpdesk support through our hub. The private beta process will help us determine what problems arise for users, and what support is required - we'll be developing our approach to user support throughout that process and we'll blog about it as we develop our thinking.

      Thanks again for the comments and questions - they're all important points and I know we need to come back and answer them more fully.

      Link to this comment
  13. Colin

    Hi Janet, very informative. Could you expand on the wholly online theme you touched on. I'm not clear how that would work in terms of providing evidence of who I am. Are you considering smartphone pictures of driving license, quoting passport ids, etc? I'm only familiar with the post office method of turning up in person to the counter.

    Link to this comment
    • Janet Hughes

      Hi Colin
      Thanks for your comment and question. It's up to the identity providers how they meet the required standards - they can use a range of methods, including the ones you've mentioned. They need to look at a range of types of information and evidence about you, so that taken together all the evidence gives them the required level of confidence. If you're interested in the standards, you could have a look at the published guidance on GOV.UK (https://www.gov.uk/government/publications/identity-assurance-enabling-trusted-transactions).

      Link to this comment
  14. Catherine

    I have been looking at the detailed documents you have provided links to, eg the SAML and RSDOPS documents. I see from the SAML that the person's name, DOB, current address and previous addresses will be passed by the Identity Provider to the Public Service provider (PSP). I assume that is so the PSP can match the person to the the right record in the PSP's own database. So will a person be required to tell their Identity provider when their address has changed or will the PSPs get this information directly from the person? Will the identity provider need to verify that change of address?
    What kind of credentials are the identity Providers going to issue to people? Just a username and password? Whatever form the credential takes I hope there will be guidance on adequate checks before reissuing lost/forgotten credentials. Some organisations just send out an email with a link to change your password. This means security can depend entirely on whether your smartphone is locked when it is lost or stolen.

    Link to this comment
    • Janet Hughes

      Hi Catherine, thanks for your questions.

      Yes, you're right, the name / address / gender / date of birth are sent to the service provider so that they can match the person to the right record in their own database.

      It's up to the user to keep their information up to date both with identity providers and service providers. We are looking at developing a way for users to ask their identity provider to update service providers when they change their address or other details, but we're at an early stage of thinking about how this would work and the issues that might be involved. For example, we would need to make sure that such services were based on the user's informed consent.

      The credentials could be a user name and password, but they could take some other form - it's up to the identity providers to make sure they meet the required standards. To meet the standards, identity providers will probably need to use some kind of 'second factor' like a shared secret or a one-time passcode (including in instances when the credentials have been lost or forgotten). The required standards for credentials are contained in good practice guide 44, 'Authentication Credentials in Support of HMG Online Services' (https://www.gov.uk/government/publications/identity-assurance-enabling-trusted-transactions) so I'd start there if you're interested in more information about this.

      Link to this comment
  15. Michael

    This all sounds very impressive, and I have found the very informed comments and replies here interesting and helpful too.
    I'd be interested to know if it is or will be possible for firms and/or companies to sign up for an assured identity. Limited companies and PLCs are legal entities in thier own right (like people) but unincorporated firms are not - this may or may not affect the position.

    Link to this comment
    • Janet Hughes

      Hi Michael, thanks for your comment - I've found all the comments really interesting and helpful too.

      Yes, we are planning to allow people to sign in on behalf of companies and other types of organisation and we're in the early stages of planning how this will work.

      We've just finished a discovery exercise to understand the user needs for organisation identity and authority management (where one person acts on behalf of an organisation or another person). We'll be blogging more about what we found soon over on the identity assurance blog (https://identityassurance.blog.gov.uk/).

      Link to this comment
  16. Ross Orange

    Following this with some interest as a citizen who will probably, at some point in life, have to use at least one of these services (as it appears that that is the way forward).

    What I have not seen to date is what choice is being given to a citizen if, for what ever reason they may hold, they do not want to use any of these 'Identity Providers' yet have to use one of these services? Or will there be no choice?

    Link to this comment
    • Janet Hughes

      Hello Ross, thanks for your question. To use a digital service that needs to know that you are who you say you are, you would need to sign in using identity assurance so you would need to choose one of the identity providers. Our research so far suggests that people will be able to find a provider they are happy to choose. Part of the rationale for having multiple providers, rather than just one, is to give people a choice rather than only offering one possible provider (whether that's the government or a private sector provider). Over time we expect the number and range of providers to increase.

      Link to this comment
  17. Adam Aigey

    I understand the principle, but would like to pick up a few points which are unclear.

    Different levels of assurance for different services

    (1) If I used IDA to send a form but then, as an example, want to register for SA, I am presuming you need more information. Is this a re-register or can you provide additonal information? If it is a re-register has it to be with a different provider? Does this information superseed last?

    (2) Once registered and on logging do you then have to enrol for the services you want or do you do this as part of the intial IDA process? Again i guess the questions would be similar to (1), namely how do I add to these, do I need to provide more personal information, do I end up with passwords for my ID and then passwords for different services or do the services get addedd to my IDA password?

    I think what would help me is a screen slide pack as to what I would see and how I would use this.

    Provider

    What if I do not want to use third party and I want to register using Gov.uk - is this to be a possiblity? If not what if someone won't use third party, I am thinking of my mum here who wouldn't trust them not to do 'something' will they be excluded from using digial services in there own homw unless they do?

    Thanks

    Link to this comment
    • Janet Hughes

      Hello Adam, thanks for your questions.

      At first, identity assurance will only provide level of assurance 2. The first services to start using identity assurance will all require this same level of assurance. We will be starting work later this year on other levels of assurance, and that work will include looking at how the different levels will work form the point of view of a user.

      Once you've registered with an identity provider you'll be able to use your account to sign in to multiple government services. When you access a service that's using identity assurance, you'll be asked to either sign in, or register with an identity provider. You won't need multiple account names and passwords for different services.

      We're not planning that the government should be an identity provider - the approach is that there will be a number of certified companies that will do this work (see my answer to Ross's question earlier today on this issue).

      Link to this comment
      • Ross Orange

        Hi Janet,
        This is the sort of scenario I had in mind. There are numerous people - unfair to call them old - who, for whatever reason would perhaps not want to use any provider who the Government are paying. Perhaps due to the number of instances in the Press where they read of banks etc getting hacked. Whereas they probably see the Government, or what they provide, being secure...they have more to lose at the following election).

        It would be useful to see your research results, as you mentioned in your earlier reply, into what is driving this. I recall papers from the 1970,s and 80,s describing a single point of data submission for the Citizen - called the Government Gateway e.g. This where one notification of a change of address could be distributed to all those places that you need to inform.

        The point some folk may say is why is there a need for choice for an entry point when the Government Gateway has been adequate for so long (yeah it could do with tweaking!) and why should the Government pay them (when they say we should be stringent with Government spending!)

        A couple of devil may care questions. But I'm interested from a social angle and would like to see if population Geography has been used in any analysis and decision making.

        Link to this comment
  18. David Ramsay

    No mobile phone, how does the individual get a code?

    No passport, no driving licence, only got an national insurance number, so how will they verify?

    Link to this comment
    • Carrie Barclay

      Hi David

      At the moment you need a valid passport or a photocard version of the driving licence, and a mobile telephone to use GOV.UK Verify.

      GOV.UK Verify is a new service which is still in beta - that means we are still developing and expanding the service to allow more people to be able to use it. This work includes increasing the range of official records that certified companies can validate users’ data against, so that those without a driver licence or passport will still be able to verify their identity.

      See this blogpost which explains how we are going to expand the range of data sources that’s used by certified companies:https://identityassurance.blog.gov.uk/2014/12/01/data-sources/

      At least one certified company is planning to provide an alternative way for people who don’t want to use a mobile phone to receive a code when they authenticate. So if you want to use another method, other than a mobile phone, you’ll be able to choose a certified company that will enable you to do that.

      Link to this comment
  19. Darcy Ogston

    Can you Verify with more than one certified company? If so why would you and do the certified companies share the information between each other or must I be re-verified again?
    Some information is not static and changes such as address and name will the identity provider change them automaticaly or will I have to update them, if so how?

    Link to this comment
    • Louise Duffy

      Hi Darcy, thanks for your comment.

      You can choose as many different certified companies as you want. If you wish, you can register with different certified companies for different purposes. However, you’ll have to go through the registration process again for each one. Once you have a verified identity account with a certified company you can log into it at your convenience and keep your information up to date.

      Link to this comment