Online identity

This is a simplified history of UK Government initiatives over the past few decades to find ways for citizens and businesses to prove who they are when using online public services.

The developments discussed here draw upon my Digital Government and e-Government Archives, together with other public domain sources. Given the archives are now growing quite large, my aim is to help provide additional context on the specific topic of identity. This isn’t a comprehensive narrative of UK Government online identity, but provides a flavour of the main developments and policies over the past 20 or so years. It’ll be updated and improved from time to time.


New Paper

New paper on the UK Government’s use of third party identity services since 1997

For a more comprehensive overview than that provided here, please see my paper Federated Identity for Access to UK Public Services: 1997-2020 (PDF). It provides an historic overview of the UK Government’s approach to federated identity over the past 23 years.

Overview

Online public services often need to have proof of someone’s identity. Personal tax and welfare information for example, or medical records, require assurance that the person trying to access that information is really the person they claim to be – and that they have the right to access those records.

The Parliamentary Office of Science and Technology (POST) report “Electronic Government: Information Technologies and the Citizen” in February 1998 set out two opposing views of identity (illustrated below) which have essentially defined the issue of identity in the UK: an official government-backed identity card versus cultivating a marketplace of identity providers.

[Image: POST Identity 1998 – the two opposing views of identity set out in the POST report]
Source: Jerry Fishenden based on the POST report

Trusted third parties and federated identity since the 1990s

The UK Government was an early adopter of the principle of federated identity as a means of tackling the provision of identity in a country with little history of national identity cards or a central citizen register. In the 1990s it experimented with outsourcing identity verification and credential management to various trusted third parties including Royal Mail, and Barclays and NatWest banks.

Based on experiences with this pioneering work, in 1999 the Government published a “framework for online authentication” for use by public sector services, with both public and private sectors envisaged as active participants in a marketplace of identity services. It became part of the e-government strategy published in April 2000. That original trust framework has evolved through numerous iterations into today’s Good Practice Guide 44 (quality/strength of the credential used for authentication), Good Practice Guide 45 (identity proofing of individuals) and Good Practice Guide 46 (identity proofing of organisations).

The 1999 and 2000 authentication frameworks provided the basis for the UK Government’s deployment in 2001 of the first cross-government, open standards identification and authentication platform – the Government Gateway’s ‘Registration and Enrolment’ (R&E) service. The R&E platform delegated identity services to a combination of competing private sector providers alongside public sector providers. R&E was the first identity platform to support the delegation, or outsourcing, of the provision of identity services – including to Royal Mail and the British Chambers of Commerce: a federated approach revived by the more recent GOV.UK Verify programme.

Identity cards to help prove identity

Another approach to identity was developed during the period from around 2004 to 2010, when identity cards were proposed as a so-called “gold standard” to tackle the issue of identity. This was not the first time identity cards had appeared in the UK – they were introduced in 1939 for the Second World War via the National Registration Act, which established both a central register and the cards themselves. The National Registration Act of 1939 was repealed on 22 May 1952, after which it was no longer necessary to have an identity card.

The Identity Cards Act of 2006 saw their reintroduction after several years of preparation and debate. However, the outdated design of the approach (mandating plastic cards in primary legislation, together with a central register containing a comprehensive mix of biographic and biometric data) generated notable criticism from security experts, lawyers, civil rights activists, IT and computer professionals and politicians.

[Image: UK identity card example]
Source: UK Border Agency

The central register was designed to hold an extensive set of personal biographical data, and various biometrics (such as fingerprints, digitised facial scan and iris scans). It also aspired to map an individual to the various unique index numbers used in other parts of government – such as a citizen’s National Insurance Number (NINO) – to enable government’s disparate systems to be interconnected and linked to a “unique identity”. Whilst this was seen as a convenience for promoters of the approach, for others it represented a significant security flaw and breach of the long-established democratic separation of powers across various parts of government.

The incoming coalition government in 2010 repealed the Identity Cards Act via the Identity Documents Act. The focus once again swung towards the earlier model, with work starting in 2011 on the Identity Assurance Programme or IDAP (which later became the GOV.UK Verify programme). However, some elements of the approach taken with identity cards remained, notably the biometric residence permit (BRP) which provides evidence of the right to reside in the UK for non-UK nationals.

[Image: UK biometric residence permit (BRP) sample]

UK driving licences and passports have become the main official documents used to help prove identity, despite this not being the purpose of either of these documents. For those UK citizens without either a passport or driving licence, proving legal identity can be difficult.

Current situation and the role of standards

Some 23 or so years after the initial use of trusted third party providers for identity, a variety of initiatives are currently in play. The UK Government standards in use for identity proofing and authentication, developed in conjunction with CESG (now the NCSC), continue to draw on those first issued in 1999.

These standards provided the basis for the identity proofing and authentication credentials adopted by the Government Gateway’s identity and authentication platform (the Registration and Enrolment service, or R&E) when it launched in January 2001. The Government Gateway supported the use of third party assured identities via smart cards and digital certificates, including those issued by the Royal Mail (ViaCode) and British Chambers of Commerce (ChamberSign). Use of digital certificates provided both user authentication and electronic signatures in compliance with Directive 1999/93/EC of the European Parliament and of the Council on a European Community framework for electronic signatures, later adopted into UK law via the Electronic Signatures Regulations 2002. It also implemented the provisions of the Electronic Communications Act 2000. Some of these features of the Government Gateway identification and authentication platform are referenced in this much later 2011 blog about ‘Establishing trust in digital services’ by the former head of the UK Government’s Digital Service (GDS).

The UK’s identity and authentication standards have regularly been updated since 1999, the most notable exception being the period when the focus moved to ID cards. They provided important inputs to the creation of the ISO/IEC 29115:2013 Entity Authentication Assurance Framework as well as the draft for identity proofing, ISO/IEC WD 29003:2013 (which covered the identity proofing and verification of persons, organisations, devices and software).

The latest versions of these standards are the Good Practice Guides relating to identity verification (GPG45) and credential strength (GPG44), reflecting over two decades of work on UK identity-related standards. The more recent ISO/IEC 29003:2018 standard covers only individuals, a subset of digital identity requirements, unlike the earlier UK standards work and the working draft ISO/IEC WD 29003:2013 standard from 2013. In an age of the ‘internet of things’, where devices acting on behalf of someone else are as commonplace as individuals or organisations acting directly, it seems important that digital identity embraces not only individuals, but organisations and those acting on behalf of others too (whether they be people, devices or software).

UK Government authentication frameworks – 1999 to 2020

The Government Gateway platform for identity and authentication

The majority of UK government online services have continued to use the Government Gateway for user identification and authentication, across citizens, businesses and intermediaries. Although it has been in operation since 2001, HMRC has recently re-platformed it after a significant reinvestment.

The Government Gateway provides an open standards way of accessing services such as HMRC’s Self Assessment online using a UserID and password, enhanced with two-factor authentication via a time-based code either sent to a registered user’s phone, or generated by an authenticator application running on the user’s mobile phone.

The original Government Gateway was an early example of the benefits of agile development in major programmes, with both the Registration and Enrolment platform and the Transaction Engine platform built and delivered into live service in a three month period from late 2000 into early 2001. The Government Gateway at launch supported a range of trusted third party identity providers, including the British Chambers of Commerce, Equifax and Royal Mail. Individuals and businesses could choose to prove their identity via a third party rather than using a Government Gateway issued authentication credential. This press release from 2001 describes how Royal Mail were aiming to achieve tScheme accreditation for their identity services.

At the technical level, the Government Gateway provided a SAML (Security Assertion Markup Language) hub, the same approach adopted over a decade later by GOV.UK Verify. It provided support for digital certificates (together with W3C digital signatures) and, later, also incorporated support for OAuth tokens and EMV (chip and PIN card) authentication. Under the EU’s Stork (secure identity across borders linked) initiative for interoperable eID between EU member states, the Government Gateway became the UK’s designated national interoperability connection.

At launch in 2001 third-party authentication credentials, using tScheme accredited digital certificates, were accepted by the Government Gateway alongside government-issued credentials.

The Government Gateway identification and authentication platform also provided support for the authentication of transactions via government APIs (system interfaces). These enable, for example, an accountant to use their credential to sign and submit a tax or VAT return via their accounting software. It is unclear the extent to which Verify supports APIs (e.g. for the authentication of transactions or data submitted to one or more departments or processes).

Support for trusted third parties and government identity services via the Government Gateway SAML hub

This API-centric approach enabled the cross-government identification and authentication platform to be integrated seamlessly into online services. The screenshot below shows how Inland Revenue (now HMRC) used the APIs to provide an integrated user experience within their own online services website.

How Inland Revenue’s online self-assessment service looked by early 2005. It used the Government Gateway’s open standards APIs, including support for third party identity providers via the use of digital certificates

The Government Gateway still appears to remain the main way across UK government for individuals, businesses and intermediaries (those acting on behalf of others, such as accountants or those holding Power of Attorney) to authenticate to public services. The 2017 National Audit Office report on Digital Transformation in Government noted that it “currently hosts 138 live public sector services, and … is being improved”. However, it is less clear the extent of its cross-government usage since the replatforming and modernisation by HMRC (more details will be provided here as/when that becomes clearer).

GOV.UK Verify identity assurance framework

From 2011 onwards, the government pursued what later became known as the GOV.UK Verify identity assurance programme. It aimed to enable both private and public sectors to trust an online identity so that citizens could re-use it across multiple service providers, essentially adopting the same approach that the original authentication framework, tScheme and Government Gateway model had over a decade earlier. The Verify initiative has thus been the latest iteration of the standards-based frameworks and trusted third party approach adopted by UK government since the late 1990s.

GOV.UK Verify hub

The GOV.UK Verify hub was developed in-house by the Government Digital Service. It was originally intended to replace the Government Gateway. However, after 6 years of development, the NAO reported that “In February 2017, 12 services were using Verify” of which 9 also allow access by other means.

Verify has a successful completion rate across all services by citizens of between around 35% and 50% according to the Verify hub’s performance dashboard (the current success rate at the time of writing can be seen here). The plans set out in the Government Transformation Strategy of 9 February 2017 aimed to deliver 25m users of this system by 2020 – although only around 5m accounts had been created by that time.

Unlike the Government Gateway, the Verify central hub only supported individuals and not organisations or those with delegated authority (acting on behalf of others). It was therefore unable to support the many citizens who need to delegate authority – for example, to an accountant to do their tax return. This may in part have contributed to the difficulty of reaching its planned 25m users by 2020 given the range of essential user needs not met and the lack of any obvious migration path for users of existing Government Gateway identity services. I understand from former members of the Verify team that the programme was subject to repeated descoping, effectively undermining its viability.

A summary overview of the various accredited third parties over time

Other Verify compliant hubs

The GOV.UK Verify hub is intended for the use of government service-related users only. However, since the Verify identity assurance framework was aimed at ensuring standards and interoperability across private and public sectors, for those outside of government an ecosystem of other Verify compliant hubs was being encouraged. OIX (Open Identity Exchange) for example published work with the States of Jersey using a cloud-based Verify-compliant hub. It encountered similar difficulties of usability and take-up to those encountered by the central UK government Verify hub, noting that:

At this stage, there are still some concerns as to whether the target 90% plus of citizens and residents could successfully be verified online. The experience borne out in the UK does nothing to alleviate this, although Jersey could consider a variance to the UK identity proofing and verification standards to place greater emphasis on government data sources and less on financial information.

Other online identity initiatives

There are various other identity initiatives, including within the NHS (for patients to access their medical records, book appointments with their GP and manage prescriptions) with NHS login and its associated app. NHS Login also supports approved third party app providers. A wide range of identity and authentication implementations exist across both public and private sectors. While the Government Gateway was once intended as the consistent, cross-government platform for identification and authentication (regardless of whether public or trusted private sector providers ran the underlying identity and authentication services), the current landscape comprises a wide range of identity services, each specific to their own need (e.g. NHS, local authority, HMRC, DWP, other organisations).

European Union (EU) identity interoperability

The UK also has an interest in ensuring its approach to online identity works more widely than solely within UK national borders. There have been various initiatives to establish interoperability between the digital identity initiatives of member states of the EU. Notable amongst these are:

  • STORK: (Secure idenTity acrOss boRders linKed) which was a pilot scheme announced in 2008 and co-funded by the EU aiming to implement EU-wide interoperability of electronic identities (eIDs). The pilot work tested several existing national eID applications, including the UK Government Gateway and Belgium’s LIMOSA portal. The GOV.UK Verify team, in a blog from 2014, announced that they too would be working to develop interoperability with STORK as part of the earlier original intention to replace the Government Gateway.
  • eIDAS: (electronic IDentification, Authentication and trust Services), an EU regulation setting out standards for electronic identification and trust services for electronic transactions in the European Single Market. It is modelled in part on the earlier UK work with standards and cross-government authentication hub (the Government Gateway). Despite Brexit, the UK appears to be aiming for compliance with eIDAS in order to remain compatible with the systems of EU member states. Some details of earlier work on eIDAS compliance were provided by the GOV.UK Verify team in a blog post in 2014, with some updates in November 2015 and December 2015.
  • PSD2: (the second Payment Services Directive), a notable evolution of existing regulation established for the payments industry to update the original 2007 Payment Services Directive. Most of its provisions took force in January 2018. It includes stronger requirements around customer authentication, protection and security. It is an important component of the work to develop a Single Digital Market in the EU.

Key identity policies and initiatives 1997-2020

Below is a brief chronology of some of the main developments around identity in the UK since 1997.

1997

1997 saw the UK Government attempt to streamline and improve the online experience of government services with the Intelligent forms project (“iForms”). iForms enabled a user to fill in one single online form and sign it digitally with their smartcard prior to submission. This Smartcard News from December 1997 contains some details about the work.

The smart online form – the iForm – removed duplication and unnecessary bureaucracy from the paper process. For example, the user only needed to enter their personal details once rather than three times. In the case of the initial iForms project, the programme took numerous paper forms related to registering for self employment and re-designed them as a single smart (“intelligent”) online form, significantly reducing the amount of repetitive data previously required from the user. Appropriate data from the form was then parsed and sent to the three relevant departments – Inland Revenue, HM Customs and Excise (both now merged into HMRC), and the Department of Social Security’s Contributions Agency (now part of DWP).

This 1997 work is an early example – possibly the first? – of the UK government using a trusted third party identity provider, namely NatWest bank, for citizen identification and access to online public services.

1999

The 1999 report e-commerce@its.best.uk set out proposals to use trusted service providers to help identify and authenticate citizens and businesses online. At the time it was assumed that smart cards would play a major role in providing a secure credential for citizens and businesses to use for “e-commerce”. The Smart Card Framework Version 1.0 of December 1999 observed that:

Smart cards can be used for applications such as electronic purses and credit and debit cards, for ID and access control, to hold official documents, for data storage, in mobile phones, and to digitally sign documents to prove integrity and authenticity.

p.1

In a sense, the UK was thus in the late 1990s on a similar trajectory to that later successfully adopted by the Estonian government – using smartcards to prove identity and access services via a common, interoperable cross-government platform infrastructure. However, the major difference was that the UK explicitly encouraged the use of trusted third party providers rather than the UK Government being the sole issuer of identity credentials. The UK’s approach also enabled users to obtain credentials from more than one provider should they wish (e.g. to have multiple smartcards from different issuers), in the same way many people choose to have credit cards from more than one financial provider. However, when the third party identity services market failed to take off during the early 2000s, so too did plans to base the UK’s approach around smartcards.

The Authentication Framework 1.0 of 1999 set out the authentication framework for “Information Age Government”. It established a framework for authentication of online dealings with providers of public sector services, covering broadly the scope of what is now Good Practice Guide 44 and Good Practice Guide 45 (i.e. proofing of identity and quality of credential used for authentication). It illustrates the intent of the UK government to have third party identity providers (now more generally referred to as IDPs) as part of the overall landscape for access to online public services. In later revisions it became known as the “Registration and Authentication Framework”.

2000

In January 2000, the Cabinet Office published a paper detailing the approach taken for a “change of address” demonstrator – evaluating the potential for enabling citizens to notify government once of a change of address and have it propagated across systems operated by the Department of Social Security and Inland Revenue. This system used Barclays Endorse smartcards and Royal Mail ViaCode digital certificates for identification and authentication of participants.

The 1999/2000 ‘Change of Address’ service, using third party identity services from Royal Mail ViaCode and Barclays Endorse

In May 2000, the tScheme initiative was formally incorporated as an independent limited company. tScheme has been an important element of the use of trusted third parties to undertake identity assurance. Its members have worked to develop and implement a trusted scheme for industry self-regulation and its work has underpinned both the 2001 Government Gateway initiative as well as more recent similar work on Verify.

The UK Online Annual Report of September 2000 noted that:

Progress towards higher level services for government electronic service delivery will crucially depend on the development of appropriate electronic authentication and security processes for use by businesses and citizens.

And that:

To ensure that this can take place the Government will need to:

– work with a range of trusted service providers, to ensure interoperability with government processes; and

– identify where the marketplace is adopting suitable technologies for secure transactions and access, and ensure that the Government makes full use of these to meet electronic service delivery targets.

The e-government Authentication Framework of December 2000 set out a framework focused on:

the authentication of citizens and businesses seeking to access government services electronically. It applies in circumstances where government needs to have trust in the identity of those it is dealing with to ensure that there is no breach of privacy or confidentiality, or other harm. The Framework provides for those cases where anonymous or pseudonymous access is also acceptable.

And went on to state that:

For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.

2001

The e-Envoy’s monthly report to the Prime Minister from 5th February 2001 described the successful launch of the Government Gateway as a:

… piece of secure infrastructure with intelligent routing and authentication …

delivered

… in a compressed timescale, using rapid deployment methods to build a fully functional system in 3 months.

A Cabinet Office press release on 7 February 2001 stated that the Government Gateway would:

… offer citizens and businesses a single authentication service for all government transactions, such as sending in tax forms. Once a user has successfully registered, they will be able to access services from different Departments using a common user ID or digital certificate.

In the Registration and authentication. E-government strategy framework policy and guidelines of 2 November 2001, the Cabinet Office set out guidance for security requirements related to the provision of registration and authentication services to support access to e-government services. It noted that:

Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible. Government welcomes the proposed t-Scheme for accreditation of trust service providers

And went on to say that:

The Modernising Government white paper makes clear government’s intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government’s behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.

A screenshot from the Royal Mail’s ViaCode webpage in 2001 – ViaCode was one of the UK Government’s early trusted third parties

2002

The Trust Services policy paper of September 2002 addressed security requirements related to the provision of trust services to support access to e-Government services. It set out a number of trust levels for registration and authentication in e-government transactions. In particular it

is concerned with the registration and authentication of citizens and organisations seeking to access government services electronically. It applies in circumstances where government needs to have trust in the identity (real-world or otherwise) and authority of those it is dealing with to ensure that there is no breach of privacy or confidentiality, theft/misuse of data, or other harm. The framework includes those cases where anonymous or pseudonymous access is acceptable.

It again emphasised that the government approach was to be through the use of third parties, including obligations on those third parties for registration and authentication and their associated trust models, with more detail provided in the companion Registration and Authentication paper.

The Channels framework. Delivering government services in the new economy of 30th September 2002 established that government services could be delivered either directly by public sector organisations, or indirectly using intermediaries. It stated that:

Service delivery in an inclusive and integrated manner is an essential commitment of this programme.

Good channel strategies in the new era will leverage electronic channels to help to:

– deliver public services that are high quality and efficient

– make sure that public service users, not providers, are the focus, by matching services more closely to citizens’ lives

– support the infrastructure to get the UK online by the provision of joined-up services

And emphasised that:

Reaping the benefits of a joined-up channel strategy requires organisations to move to a model where services are built around customer needs and not organisational structures.

2003

Several pieces of updated guidance were published in January, including the second versions of HMG’s Minimum Requirements for the Verification of the Identity of Individuals, and HMG’s Minimum Requirements for the Verification of the Identity of Organisations.

In addition, the Policy Framework for a mixed economy in the supply of e-government services. A consultation document of May identified that the government strategy was to:

… create a mixed economy – a marketplace where government, private and voluntary sectors can come together to deliver e-Government services that better meet the demands of our customers.

and foresaw the desire for

a mixed economy in the supply of public services, where consumers (citizens & businesses) can engage intermediaries from the public, private or voluntary sectors to use public services in the manner that suits them.

2006

The Liberty Alliance – described as “a global organisation for organisations and companies interested in improving online accessibility and security through the development of open standards and related guidance” – recognised the Government Gateway with the annual Liberty Alliance Awards in October. (The Liberty Alliance was succeeded by the Kantara Initiative in 2009).

The Government Gateway was recognised for

outstanding work around open, interoperable authentication in the e-government sector

and for enabling customers to

sign up for many of the online UK Government services using a single user-identity and password. It also enables online services that are secure and allow people to use the internet for things like filing tax returns and applying for benefits. There are now well over 9 million registered users on the Government Gateway.

It also noted that

The Gateway architecture and the authentication protocols include the means to preserve the privacy of citizens as they authenticate to different service providers

2006 is also notable for the appearance of a very different approach to identity: the Identity Cards Act, which received Royal Assent on 30 March. The Act specified the creation of UK national identity cards (to serve as a personal identification document and European Union travel document) linked to a database known as the National Identity Register (NIR). The introduction of the cards and NIR represented the alternative model originally identified by POST, with government assuming control over identity – a very different approach to the efforts since 1997 to use trusted third parties as part of the identification and authentication process.

2007

In April 2007, the EU published the Preliminary Study on Mutual Recognition of eSignatures for eGovernment applications NATIONAL PROFILE UK. It identified the benefits of the UK Government’s approach, including interoperability between a wide range of vendors and technologies:

A wide range of systems have interoperated with the Government Gateway since its launch, including systems running Sun’s J2EE technology, IBM technologies, Apache, Tomcat and other technologies and applications including standalone PC application software.

The same report described that the Government Gateway’s approach:

… not only give access to central Government applications but also devolved regional applications (e.g. for the Scottish Executive Environment & Rural Affairs Department) and local Government (e.g. Kings Lynn & West Norfolk council tax services)

It highlighted the requirements for identification and authentication:

Rigorous registration process: in keeping with best-practice and UK government requirements, emphasis has been placed on verifying the identities of individuals within corporate organizations. This is in accordance with HMGVind [HMG’s Minimum Requirements for the Verification of the Identity of Individuals] and HMGVorg [HMG’s Minimum Requirements for the Verification of Organisations], Level 2.
tScheme Approval with self-assessment for additional requirements: tScheme Approval (or equivalence) will be used as the minimum standard for all TSPs [Trusted Service Providers – what later became known as IDPs or Identity Providers]. The ruleset also imposes a small number of additional requirements, to form a common industry specific layer, which will be self-assessed by the TSP.

A report in November from the former National Computing Centre, Identity management, trust and security online, provided a summary of the identity assurance landscape at the time. It noted that the UK was in a good position because of its existing policies and mature infrastructure, and in particular:

[the Government] Gateway has an excellent opportunity to become a significant player in the citizen, business and agent Identity Provider marketplace and more. For example, its services could extend to Identity Provider services for managing government contractor and employee access to internal government systems. (p.10)

At a public event in April of 2007, the Cabinet Office’s e-Delivery Team and others provided a series of presentations on the state of play. This included a presentation on The Government Gateway. UK Best Practice on Infrastructure and Identity Management.

2008

In March, Sir James Crosby, who had been tasked by the Chancellor with looking at the issue of identity in 2006, released his report Challenges and opportunities in identity assurance. It considered how both public and private sectors could potentially work together on identity issues for their mutual benefit and that of citizens and consumers. It commented that

those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion, which in turn leads to a greater number of transactions being reliant on such ID systems, further enhancing delivery of economic and social goals.

The report set out the case for a “universal identity assurance scheme”. It also said that:

A consumer-led universal scheme would better deliver on national security goals than any scheme with its origins in security and data sharing.

Its overall tone aligned with the work since 1997 to establish a trusted framework for identity assurance that could work across both private and public sectors. It set the benchmark for such a scheme as being to:

  • meet consumers’ need to assert their identity easily and confidently
  • inspire their trust
  • be seen to offer superior levels of assurance.

In parallel with these various developments, the Government Gateway continued to be iteratively enhanced. The Employee Authentication Services (EAS) (Powerpoint format) were described in May 2008 as a common trust framework able to work across central and local government. And the UK Government Gateway Remote Authentication approach in October 2008 included chip and PIN authentication for the Ministry of Defence.

The latter illustrated the ability of the Government Gateway to enable third party authentication using industry standard EMV chip and PIN cards (such as those issued by most banks). It highlighted the way the Gateway’s identity and authentication platform was designed as a pluggable, open standards architecture supporting a range of trusted identity providers and technologies across both public and private sectors.
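The two properties described in this section, a pluggable hub that accepts assertions from a range of trusted identity providers, and (as the 2006 text quoted earlier put it) the means to preserve the privacy of citizens as they authenticate to different service providers, can be illustrated with a small hub-and-spoke model. The Python below is an added example written for this page; it is not Government Gateway or GOV.UK Verify code. The identity provider names, shared secrets, assurance levels and HMAC-tagged “assertions” are constructed stand-ins for the SAML assertions and XML signatures a real hub would process. The hub verifies the provider’s assertion, checks the service provider’s minimum assurance level, and hands the service provider a pairwise pseudonym rather than the provider’s own subject identifier, so two services cannot correlate the same citizen.

```python
import hashlib
import hmac
import json

# Constructed per-provider shared secrets. A real hub would verify XML-DSig on a
# SAML assertion; an HMAC tag stands in here so the example runs offline.
IDP_KEYS = {
    "idp-bank-a": b"constructed-secret-idp-bank-a",
    "idp-postal": b"constructed-secret-idp-postal",
}
# Hub-only key used to derive pairwise pseudonyms (assumed, constructed).
HUB_PSEUDONYM_KEY = b"constructed-hub-pseudonym-key"

# Assumed service-provider registry: each relying party declares the minimum
# level of identity assurance it accepts. The numeric levels are illustrative.
SERVICE_PROVIDERS = {
    "sp-tax": {"min_level": 2},
    "sp-council-tax": {"min_level": 1},
}


class FederationError(Exception):
    """Raised when the hub refuses to broker an assertion."""


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so issuer and hub MAC the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(idp_id: str, subject: str, level: int) -> dict:
    """Identity provider side: assert that `subject` was verified at `level`."""
    payload = {"issuer": idp_id, "subject": subject, "level": level}
    tag = hmac.new(IDP_KEYS[idp_id], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def hub_pseudonym(idp_id: str, subject: str, sp_id: str) -> str:
    """Pairwise identifier: stable for one (IdP, subject, SP) triple, but
    computationally unlinkable across SPs without the hub's key."""
    msg = b"\x00".join([idp_id.encode(), subject.encode(), sp_id.encode()])
    return hmac.new(HUB_PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:32]


def hub_broker(assertion: dict, sp_id: str) -> dict:
    """Hub side: verify the provider's assertion, enforce the SP's assurance
    floor, and release only a pseudonym, the level and the issuing IdP."""
    payload = assertion["payload"]
    idp_id = payload.get("issuer")
    if idp_id not in IDP_KEYS:
        raise FederationError("unknown identity provider")
    expected = hmac.new(IDP_KEYS[idp_id], _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        raise FederationError("assertion integrity check failed")
    sp = SERVICE_PROVIDERS.get(sp_id)
    if sp is None:
        raise FederationError("unknown service provider")
    if payload["level"] < sp["min_level"]:
        raise FederationError(
            f"assurance level {payload['level']} below required {sp['min_level']}"
        )
    # The IdP's own subject identifier deliberately does not leave the hub.
    return {
        "sp": sp_id,
        "idp": idp_id,
        "level": payload["level"],
        "pseudonym": hub_pseudonym(idp_id, payload["subject"], sp_id),
    }


def broker_outcome(assertion: dict, sp_id: str) -> tuple:
    """Convenience wrapper: ('ok', result) or ('rejected', reason)."""
    try:
        return ("ok", hub_broker(assertion, sp_id))
    except FederationError as exc:
        return ("rejected", str(exc))


def demo() -> dict:
    """Walk one citizen through two services and two failure modes."""
    good = idp_issue_assertion("idp-bank-a", "user-42", 2)
    weak = idp_issue_assertion("idp-postal", "user-42", 1)
    # Attacker (or a misbehaving IdP path) bumps the level without re-signing.
    tampered = {"payload": dict(weak["payload"], level=2), "tag": weak["tag"]}
    return {
        "tax": broker_outcome(good, "sp-tax"),
        "tax_again": broker_outcome(good, "sp-tax"),
        "council": broker_outcome(good, "sp-council-tax"),
        "too_weak": broker_outcome(weak, "sp-tax"),
        "tampered": broker_outcome(tampered, "sp-tax"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two design points are worth noting. The pseudonym is keyed on the identity provider as well as the subject, so a citizen who registers with two different providers will appear to a service as two unrelated accounts unless the service reconciles them on verified attributes; that is the trade-off a hub makes when it refuses to act as a central register. And because the hub, not the service, holds the pseudonym key, the service cannot reverse the mapping, but the hub itself remains a party that sees every authentication, which is why governance of the hub operator matters as much as the cryptography.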

2009

In April 2009, the Identity and Passport Service published Introducing the National Identity Service. How the Service will work and how it will benefit you to explain the purpose of the new UK identity cards and National Identity Register (NIR). It summarised the need for the programme as follows:

Today people have to use a variety of documents to prove their identity: passports, driving licences, birth certificates, utility bills, etc. However, none of these are officially identity documents and, furthermore, you will often need to use more than one of these documents to prove that you are who you say you are. Sometimes, using these documents requires you to give away more personal information than is necessary or desirable – details on your bank statement for example.

An identity card will offer a useful and more convenient way for an individual to prove their identity in a wide variety of circumstances. Depending on the level of identity assurance required for a particular transaction, an individual’s identity will either be checked visually, through entry of a PIN number or by checking fingerprints via a chip on the card, or for the highest level of assurance, a check against the National Identity Register (NIR).

In common with cards in other European countries, the identity card will also allow you to travel within Europe without the need for a passport.

Despite work on ID cards and the associated NIR, work also continued in parallel on the long-standing approach to use of third parties, as the Department for Work and Pensions (DWP) presentation on Authentication (Powerpoint format) from September illustrates.

The presentation shows the various common cross-government platforms operating under the Government Gateway brand – such as the Payments Engine, Secure Mail, Secure Transaction Engine, Transaction Orchestration, Alerts (Notifications), and Strong Authentication – providing a suite of cross-government services. It indicates that there were 17m service users and 90 authenticated services at the time, with authentication services being used by citizens, businesses, government employees and EU and foreign nationals. The presentation goes on to illustrate how online authentication services could include support for the National ID Card if required – notably for what it refers to as ‘Gold Identity’.

In December, the Technology Strategy Board hosted a meeting at BIS (the Department for Business, Innovation and Skills) on Trust in electronic transactions: an opportunity to change the landscape. The objective of the workshop was to shape the scope of an £8m Technology Strategy Board competition to be launched in early 2010.

2010

This year saw the repeal of the Identity Cards Act courtesy of the Identity Documents Act.

2011

This is a list of services using the Government Gateway identity and authentication services as of January 2011 to give some idea of the extent to which it was being used at that time across the public sector: Government services online using the Government Gateway.

On the 18th May 2011, Francis Maude MP (Minister for the Cabinet Office and Paymaster General) made a statement to Parliament on identity assurance. His statement started with the announcement that:

The Government agreed on 14 March 2011 to the development of a consistent, customer-centric approach to digital identity assurance across all public services. This will allow service users to log on safely to digital public services in a way that ensures personal privacy, reduces fraud and facilitates the move to online public services.

And also went on to say:

Our intention is to create a market of accredited identity assurance services delivered by a range of private sector and mutualised suppliers. A key improvement will be that people will be able to use the service of their choice to prove identity when accessing any public service. Identity assurance services will focus on the key imperative to ensure privacy. My Department is leading the project to develop the design and the creation of the market within the private sector. By October 2011 we expect to have the first prototype of the identity assurance model to test with transactional Departments and public sector identity assurance services, with a date for implementation from August 2012.

These announcements broadly echoed the same policy and intent that the UK had been following since the late 1990s.

2012

A variety of updated identity assurance documents were published from 2012 onwards, updating the range of earlier documentation published over the years since the original Authentication Framework of 1999. These documents on Identity assurance: delivering trusted transactions updated guidance on topics such as Authentication credentials for online government services and Identity proofing and verification of an individual.

2013

The Parliamentary Office of Science and Technology (POST) report of April, Managing Identity Online, provides a useful summary of the state of play around identity. It points out that:

Privacy and security are key concerns of the Identity Assurance Programme. The IDAP is developing a model which aims to address these concerns. It is engaging with an independent Privacy and Consumer Advisory Group comprising external stakeholders to work on this issue. It is also working with the Government’s National Technical Authority for Information Assurance to ensure that the model meets security requirements.

2014

In September 2014, the Privacy and Consumer Advisory Group (PCAG) published version 3.1 of their Identity Assurance Principles. Nine guiding principles for any government identity assurance scheme were set out by the group:

PCAG principles.png
High level summary of the Privacy and Consumer Advisory Group (PCAG) Identity Assurance Principles

2015

The page “Introducing GOV.UK Verify” was originally published by the Government Digital Service in June 2015 and provided an overview of and introduction to the Verify programme (formerly known as the Identity Assurance Programme, or IDAP). As with most of GOV.UK, there is no page history or version control record, meaning it is impossible to track how it developed over time. However, this copy (PDF) shows how it looked at the time according to the Wayback Machine (or this is a direct link to the Wayback Machine site capture from 2015). You can see the current iteration of the page here.

October also saw the first public release of various “Good Practice Guides” (available internally since 2012 in various iterations), the latest version of guidance in areas such as identity proofing and verification of an individual, published by CESG and the Cabinet Office – updating the authentication guidance provided by the UK Government from 1999 onwards.

2016

This summary comparison table compares high level features of the original Government Gateway SAML hub and the GOV.UK Verify SAML hub, showing differences in functionality and scope.

2017

In February, the Cabinet Office published its Government Transformation Strategy. One of the targets listed for 2020 was:

making better use of GOV.UK Verify by working towards 25 million users by 2020 and exploring options for delivery of identity services for businesses and intermediaries

It also notes that:

GOV.UK Verify allows people to use one account to prove their identity online securely for government services. GDS will work with the private sector to enable people to use the same account, which meets high government standards, to prove their identity online for private sector services, such as opening a bank account without having to go into a branch.

2018

In October, Oliver Dowden MP (Minister for Implementation) announced to the House of Commons the end of government investment in the GOV.UK Verify programme, stating that it was “the last investment that the Government will provide to directly support the GOV.UK Verify programme.”

2020

In April, Computer Weekly reported that DWP will start to use the Government Gateway for Universal Credit – “Existing users of HMRC’s digital identity system can use their credentials to apply for benefits, in a move designed to ease bottlenecks caused by Gov.uk Verify performance problems.” It’s understood that being able to work with multiple identity services is part of the work DWP has been doing on their ‘dynamic trust hub’.

Contrary to the 2018 Ministerial announcement to Parliament, Michael Gove MP (Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office) announced to the House of Commons a further extension of the GOV.UK Verify programme in April. Computer Weekly reports that the additional extension comes with strict HM Treasury conditions, including:

  • that Verify must not add any further online services beyond the 22 that currently use it
  • that GDS must ensure that all existing services are no longer solely dependent on Verify for digital identity by the end of the 18-month extension period

In October, Computer Weekly reported that Even GDS is telling GDS to shut down Verify, referring to an internal government report by Simon Orebi Gann (a Cabinet Office advisor) which concluded “The Verify programme should now be closed down as quickly as possible” and in particular that it should be closed down “as soon after April 2021 as possible.”

Summary

There remains a variety of approaches to identity assurance across the public and private sectors, which is not surprising — different organisations, services and users have differing needs. One size will never fit all, as has long been recognised, hence the efforts to secure a pluggable architecture of identity (and attribute) providers over the past few decades.

DWP’s Dynamic Trust Hub looks like a useful development. In a sense it seems to be a continuation of the original vision that multiple providers of identity services, both public and private sector, should be able to plug in and participate, provided they meet agreed standards.

The UK recognises the need to move on from the monolithic “identity” assurance standards that have prevailed since 1999 – to include attribute-level assurance for example. Any updated approach will need to welcome and embrace the numerous live services, developments and frameworks already in place (from Open Banking to NHS Login, and from individual private sector identity apps to the Home Office’s EU Settled Status app and the Scottish Government’s work). Any new or updated framework for trusted identity and attributes should focus on practical ways of helping to assure trust and interoperability in a way that fits demand and incorporates the many existing models and standards that already exist. There is much good work already in place – what it currently lacks is effective orchestration.

As I have commented elsewhere

It’s important for the future of online services that government helps nurture a robust, trusted, secure and viable approach to identity assurance that can work right across our digital economy. So it’s worth making time right now to do an honest, open and public reset to get this right.

Last updated: October 2020. First published online June 2017.