This is a potted and simplified history of UK government initiatives over the past few decades to find ways for citizens and businesses to prove who they are when using online public services.
The developments discussed here draw upon my Digital Government and e-Government Archives, together with some other public domain sources. Given the archives are now growing quite large, the aim is to help provide additional context on the specific topic of identity. This isn’t a comprehensive narrative of UK government online identity, but intended to provide a flavour of the key developments and policies over the past 20 or so years. It’ll be updated and improved from time to time.
Online public services often need to have proof of someone’s identity. Personal tax and welfare information for example, or medical records, require assurance that the person trying to access that information is really the person they claim to be – and that they have the right to access those records.
The Parliamentary Office of Science and Technology (POST) report “Electronic Government: Information Technologies and the Citizen” of February 1998 set out two opposing views of identity (illustrated below) which have essentially defined the issue of identity in the UK: an official government-backed identity card versus cultivating a marketplace of identity providers.
Third parties to help prove identity
The UK has experimented since at least 1997 with the use of third parties to help prove identity. These various attempts to use trusted service providers (TSPs) or identity providers (IDPs) from 1997 onwards are discussed in more detail in the Key identity policies and initiatives below.
Identity cards to help prove identity
Another approach to identity was developed during the period from around 2004 to 2010, when identity cards were proposed as a so-called “gold standard” to tackle the issue of identity. This was not the first time identity cards appeared – they were introduced in 1939 for the Second World War via the National Registration Act, which established both a central register and the cards themselves. The National Registration Act of 1939 was repealed on 22 May 1952, after which it was no longer necessary to have an identity card.
The Identity Cards Act of 2006 saw their reintroduction after several years of preparation and debate. However, the outdated design of the approach (mandating plastic cards in primary legislation, together with a central register containing a rich mix of biographic and biometric data) generated notable criticism from security experts, lawyers, civil rights activists, IT and computer professionals and politicians.
Part of the idea of the central register was that it would hold an extensive set of personal biographical data, and various biometrics (such as fingerprints, digitised facial scan and iris scans). It would also map an individual to the various unique index numbers used in other parts of government – such as a citizen’s National Insurance Number (NINO) – to enable these disparate systems to be interconnected and linked to a “unique identity”. Whilst this was seen as a convenience for promoters of the approach, for others it represented a significant security flaw and breach of citizens’ privacy.
The incoming coalition government in 2010 repealed the Identity Cards Act via the Identity Documents Act. The focus once again swung towards the alternative model, with work starting in 2011 on an identity assurance programme initially called the Identity Assurance Programme or IDAP (it was later renamed “GOV.UK Verify”). However, some elements of the approach taken with identity cards have remained, most notably the biometric residence permit (BRP) which provides evidence of the right to reside for non-UK nationals.
UK driving licences and passports are the main official documents used to help prove identity, despite this not being the purpose of either of these documents. For those UK citizens without either a passport or driving licence, proving identity can be difficult.
Some 20 years after the initial use of third party providers for identity proving, a variety of initiatives are currently in play. The standards used for identity proofing and authentication were first issued in 1999. They have regularly been updated since, apart from during the period when the focus moved to ID cards instead. The current Good Practice Guides relating to identity verification (GPG45) and credential strength (GPG44) are the latest versions, reflecting 20 years of work around identity-related standards.
The Government Gateway
The majority of central government online services currently use the Government Gateway for identification and authentication. It has been in operation since 2001, although HMRC has recently re-platformed it. The Government Gateway provides an open standards-based means of accessing services such as HMRC’s Self Assessment online using a UserID and password, more recently also enhanced with two-factor authentication via a time-based code either texted to a registered user’s phone, or generated by an application running on the user’s mobile phone.
The Government Gateway at launch also supported a range of third party identity providers, including the British Chambers of Commerce and Royal Mail. This enabled individuals and businesses to prove their identity via a third party if they wanted to rather than using a Government Gateway issued credential. This press release from 2001 for example shows that Royal Mail were aiming to achieve tScheme accreditation for their identity services.
At the technical level, the Government Gateway used the same standards adopted by the more recent GOV.UK Verify hub – SAML (the Security Assertion Markup Language), although it also had support for digital certificates (and W3C digital signatures) and EMV (chip and PIN card) authentication. The digital signature standards were compliant with the EU’s Electronic Signatures Regulations. With the recent re-platforming by HMRC, it has now moved from SAML to OAuth.
The Government Gateway identification and authentication services also support the authentication of transactions with government APIs (system interfaces) – such as, for example, the way an accountant can sign and submit a transaction via their accounting software. It is unclear the extent to which Verify currently supports APIs for transactions.
The Government Gateway provides a way for individuals, businesses and intermediaries (those acting on behalf of others, such as accountants or those holding Power of Attorney) to authenticate to government services. The recent National Audit Office report on Digital Transformation in Government noted that it “currently hosts 138 live public sector services, and … is being improved”.
Verify identity assurance framework
Since 2011, the government has been pursuing what is now referred to as the Verify identity assurance framework. This aims to establish a set of standards that will enable both private and public sectors to trust an online identity so that citizens can re-use it across multiple service providers, adopting the same approach as the original authentication framework/tScheme/Government Gateway model. This work represents the latest iteration of the use of standards-based frameworks and trusted third parties by UK governments, work that has been developing since the late 1990s. When the ID assurance programme started in 2011 it drew upon the experiences of the identity assurance frameworks, standards and systems that had been developed and implemented over the years.
GOV.UK Verify hub
The GOV.UK Verify hub was developed in-house by the Government Digital Service and originally intended to replace the ageing Government Gateway with a Verify identity assurance framework-compliant system. After 6 years of development, the NAO reported that “In February 2017, 12 services were using Verify” of which 9 also allow access by other means. It currently has a successful completion rate across all services by citizens of around 38-50% according to the Verify hub’s performance dashboard (the current success rate can be seen here). The plans set out in the Government Transformation Strategy of 9 February 2017 aim to deliver 25m users of this system by 2020.
Unlike the Government Gateway, according to the GOV.UK Verify hub team the Verify central hub supports only individuals and not businesses or agents. It is therefore unclear how the Verify hub can support the many citizens who need to delegate authority – e.g. to an accountant to do their tax return, or to exercise Power of Attorney on behalf of an ill relative for example. This makes the idea of reaching 25m users by 2020 a difficult target given the range of user needs not currently met.
Other Verify compliant hubs
The GOV.UK Verify central hub is intended for the use of government service-related users only. However, since the Verify identity assurance framework is aimed at ensuring standards and interoperability across private and public sectors, for those outside of government an ecosystem of other Verify compliant hubs is being encouraged. OIX (Open Identity Exchange) for example has published work done with the States of Jersey using a cloud-based Verify-compliant hub. It encountered similar difficulties of usability and take-up to those being encountered by the central UK government Verify hub, noting that:
At this stage, there are still some concerns as to whether the target 90% plus of citizens and residents could successfully be verified online. The experience borne out in the UK does nothing to alleviate this, although Jersey could consider a variance to the UK identity proofing and verification standards to place greater emphasis on government data sources and less on financial information.
Other online identity initiatives
There are various other identity initiatives, including Patient Access within the NHS (for patients to access their medical records) with the launch of NHS login and its associated app, and a multitude of approaches by local authorities and others across both public and private sectors. While the Government Gateway was once intended as the consistent, cross-government platform for identification and authentication (regardless of whether public or private sectors provided the underlying user services), the current landscape now sees a wide range of identity services, each specific to their own need (e.g. NHS, local authority, other organisations).
European Union (EU) identity interoperability
The UK also has an interest in ensuring its approach to online identity works more widely than solely within UK national borders. There have been various initiatives to establish interoperability between the digital identity initiatives of member states of the EU. Notable amongst these are:
- STORK: (Secure idenTity acrOss boRders linKed) which was a pilot scheme announced in 2008 and co-funded by the EU aiming to implement EU-wide interoperability of electronic identities (eIDs). The pilot work tested several existing national eID applications, including the UK Government Gateway and Belgium’s LIMOSA portal. The GOV.UK Verify team, in a blog from 2014, announced that they too would be working to develop interoperability with STORK.
- eIDAS: (electronic IDentification, Authentication and trust Services), an EU regulation setting out standards for electronic identification and trust services for electronic transactions in the European Single Market. It is modelled in part on the earlier UK work. Despite Brexit, the UK appears to be aiming for compliance with eIDAS in order to remain compatible with the systems of EU member states. Some details of earlier work on eIDAS compliance were provided by the GOV.UK Verify team in a blog post in 2014, with some updates in November 2015 and December 2015.
- PSD2: (the second Payment Services Directive), a notable evolution of existing regulation established for the payments industry to update the original 2007 Payment Services Directive. Most of its provisions take force from January 2018. It includes stronger requirements around customer authentication, protection and security. It is an important component of the work to develop a Single Digital Market in the EU.
Key identity policies and initiatives
1997 saw the UK Government attempt to streamline and improve the online experience of government services with the Intelligent forms project (“iForms”). iForms enabled a user to fill in one single online form and sign it digitally with their smartcard. This Smartcard News from December 1997 contains some details about the work.
The smart online form – the iForm – removed duplication and unnecessary bureaucracy from the paper process. For example, the user only needed to enter their personal details once rather than three times. In the case of the initial iForms project, the programme took numerous paper forms related to registering for self employment and re-designed them as a single smart (“intelligent”) online form, significantly reducing the amount of repetitive data previously required from the user. Appropriate data from the form was then parsed and sent to the three relevant departments – Inland Revenue, HM Customs and Excise (both now merged into HMRC), and the Department of Social Security’s Contributions Agency (now part of DWP).
This 1997 work is an early example – possibly the first? – of the UK government using a third party identity provider, namely NatWest bank, for citizen identification and access to online public services.
The 1999 report firstname.lastname@example.org set out proposals to use trusted service providers to help identify and authenticate citizens and businesses online. At the time it was assumed that smart cards would play a major role in providing a secure credential for citizens and businesses to use for “e-commerce”. The Smart Card Framework Version 1.0 of December 1999 observed that:
Smart cards can be used for applications such as electronic purses and credit and debit cards, for ID and access control, to hold official documents, for data storage, in mobile phones, and to digitally sign documents to prove integrity and authenticity.
The Authentication Framework 1.0 of the same year set out the authentication framework for “Information Age Government”. It established a framework for authentication of online dealings with providers of public sector services, covering more broadly the scope of what is now Good Practice Guide 44 and Good Practice Guide 45 (i.e. proofing of identity and quality of credential used for authentication). It illustrates the intent of the UK government to have third party identity providers (now more generally referred to as IDPs) as part of the overall landscape for access to online public services. In later revisions it became known as the “Registration and Authentication Framework”.
In May 2000, the tScheme initiative was formally incorporated as an independent limited company. tScheme has been an important element of the idea of using trusted third parties to undertake identity assurance. Its members have worked to develop and implement a trusted scheme for industry self-regulation and its work has underpinned both the 2001 Government Gateway initiative as well as more recent work on Verify.
The UK Online Annual Report of September 2000 noted that:
Progress towards higher level services for government electronic service delivery will crucially depend on the development of appropriate electronic authentication and security processes for use by businesses and citizens.
To ensure that this can take place the Government will need to:
– work with a range of trusted service providers, to ensure interoperability with government processes; and
– identify where the marketplace is adopting suitable technologies for secure transactions and access, and ensure that the Government makes full use of these to meet electronic service delivery targets.
The e-government Authentication Framework of December 2000 set out a framework focused on:
the authentication of citizens and businesses seeking to access government services electronically. It applies in circumstances where government needs to have trust in the identity of those it is dealing with to ensure that there is no breach of privacy or confidentiality, or other harm. The Framework provides for those cases where anonymous or pseudonymous access is also acceptable.
And went on to state that:
For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.
The e-Envoy’s monthly report to the Prime Minister from 5th February 2001 described the successful launch of the Government Gateway as a:
… piece of secure infrastructure with intelligent routing and authentication …
… in a compressed timescale, using rapid deployment methods to build a fully functional system in 3 months.
A Cabinet Office press release on 7 February 2001 stated that the Government Gateway would:
… offer citizens and businesses a single authentication service for all government transactions, such as sending in tax forms. Once a user has successfully registered, they will be able to access services from different Departments using a common user ID or digital certificate.
In the Registration and authentication. E-government strategy framework policy and guidelines of 2 November 2001, the Cabinet Office set out guidance for security requirements related to the provision of registration and authentication services to support access to e-government services. It noted that:
Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible. Government welcomes the proposed t-Scheme for accreditation of trust service providers
And went on to say that:
The Modernising Government white paper makes clear government’s intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government’s behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.
The Trust Services policy paper of September 2002 addresses security requirements related to the provision of trust services to support access to e-Government services. It sets out a number of trust levels for registration and authentication in e-government transactions. In particular it
is concerned with the registration and authentication of citizens and organisations seeking to access government services electronically. It applies in circumstances where government needs to have trust in the identity (real-world or otherwise) and authority of those it is dealing with to ensure that there is no breach of privacy or confidentiality, theft/misuse of data, or other harm. The framework includes those cases where anonymous or pseudonymous access is acceptable.
It again emphasises that the government approach is to be through the use of third parties, including obligations on third parties for registration and authentication and their associated trust models, with more detail provided in the companion Registration and Authentication paper.
The Channels framework. Delivering government services in the new economy of 30th September 2002 establishes that government services can be delivered either directly by public sector organisations, or indirectly using intermediaries. It states that:
Service delivery in an inclusive and integrated manner is an essential commitment of this programme.
Good channel strategies in the new era will leverage electronic channels to help to:
– deliver public services that are high quality and efficient
– make sure that public service users, not providers, are the focus, by matching services more closely to citizens’ lives
– support the infrastructure to get the UK online by the provision of joined-up services
And emphasises that:
Reaping the benefits of a joined-up channel strategy requires organisations to move to a model where services are built around customer needs and not organisational structures.
Several pieces of updated guidance were published in January, including the second versions of HMG’s Minimum Requirements for the Verification of the Identity of Individuals, and HMG’s Minimum Requirements for the Verification of the Identity of Organisations.
In addition, the Policy Framework for a mixed economy in the supply of e-government services. A consultation document of May identified that the government strategy is to:
… create a mixed economy – a marketplace where government, private and voluntary sectors can come together to deliver e-Government services that better meet the demands of our customers.
and foresaw the desire for
a mixed economy in the supply of public services, where consumers (citizens & businesses) can engage intermediaries from the public, private or voluntary sectors to use public services in the manner that suits them.
The Liberty Alliance – described as “a global organisation for organisations and companies interested in improving online accessibility and security through the development of open standards and related guidance” – recognised the Government Gateway with the annual Liberty Alliance Awards in October. (The Liberty Alliance was succeeded by the Kantara Initiative in 2009).
The Government Gateway was recognised for
outstanding work around open, interoperable authentication in the e-government sector
and for enabling customers to
sign up for many of the online UK Government services using a single user-identity and password. It also enables online services that are secure and allow people to use the internet for things like filing tax returns and applying for benefits. There are now well over 9 million registered users on the Government Gateway.
It also noted that
The Gateway architecture and the authentication protocols include the means to preserve the privacy of citizens as they authenticate to different service providers
2006 is also notable for the appearance of a very different approach to identity: the Identity Cards Act, which received Royal Assent on 30 March. The Act specified the creation of UK national identity cards (to serve as a personal identification document and European Union travel document) linked to a database known as the National Identity Register (NIR). The introduction of the cards and NIR represented the alternative model originally identified by POST, with government assuming control over identity – a very different approach to the efforts since 1997 to use trusted third parties as part of the identification process.
A report in November from the National Computing Centre, Identity management, trust and security online, provided a summary of the identity assurance landscape at the time. It noted that the UK was in a good position because of its existing policies and mature infrastructure, and in particular:
[the Government] Gateway has an excellent opportunity to become a significant player in the citizen, business and agent Identity Provider marketplace and more. For example, its services could extend to Identity Provider services for managing government contractor and employee access to internal government systems. (p.10)
At a public event in April of 2007, the Cabinet Office’s e-Delivery Team and others provided a series of presentations on the state of play. This included a presentation on The Government Gateway. UK Best Practice on Infrastructure and Identity Management.
Sir James Crosby, who had been tasked by the Chancellor with looking at the issue of identity in 2006, released his report Challenges and opportunities in identity assurance. It considered how both public and private sectors could potentially work together on identity issues for their mutual benefit and that of citizens and consumers. It commented that
those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion, which in turn leads to a greater number of transactions being reliant on such ID systems, further enhancing delivery of economic and social goals.
The report set out the case for a “universal identity assurance scheme”. It also said that:
A consumer-led universal scheme would better deliver on national security goals than any scheme with its origins in security and data sharing.
Its overall tone aligns with the work since 1997 to establish a trusted framework for identity assurance that could work across both private and public sectors. It set the benchmark for such a scheme as being to:
- meet consumers’ need to assert their identity easily and confidently
- inspire their trust
- be seen to offer superior levels of assurance.
In parallel with these various developments, the Government Gateway continued to be iteratively enhanced. The Employee Authentication Services (EAS) (PowerPoint format) was described in May 2008 as a common trust framework able to work across central and local government. And the UK Government Gateway Remote Authentication approach in October 2008 included chip and PIN authentication for the Ministry of Defence. The latter illustrated the ability of the Government Gateway to enable third party authentication using industry standard EMV chip and PIN cards (such as those used by most banks).
In April 2009, the Identity and Passport Service published Introducing the National Identity Service. How the Service will work and how it will benefit you to explain the purpose of the new UK identity cards and National Identity Register (NIR). It summarised the need for the programme as follows:
Today people have to use a variety of documents to prove their identity: passports, driving licences, birth certificates, utility bills, etc. However, none of these are officially identity documents and, furthermore, you will often need to use more than one of these documents to prove that you are who you say you are. Sometimes, using these documents requires you to give away more personal information than is necessary or desirable – details on your bank statement for example.
An identity card will offer a useful and more convenient way for an individual to prove their identity in a wide variety of circumstances. Depending on the level of identity assurance required for a particular transaction, an individual’s identity will either be checked visually, through entry of a PIN number or by checking fingerprints via a chip on the card, or for the highest level of assurance, a check against the National Identity Register (NIR).
In common with cards in other European countries, the identity card will also allow you to travel within Europe without the need for a passport.
Despite work on ID cards and the associated NIR, work also continued in parallel on the long-standing approach to use of third parties, as the Department for Work and Pensions (DWP) presentation on Authentication (PowerPoint format) from September illustrates.
The presentation shows the various common cross-government platforms operating under the Government Gateway brand – such as the Payments Engine, Secure Mail, Secure Transaction Engine, Transaction Orchestration, Alerts, and Strong Authentication – providing a suite of cross-government services. It indicates that there were 17m service users and 90 authenticated services at the time, with authentication services being used by citizens, businesses, government employees and EU and foreign nationals. The presentation goes on to illustrate how online authentication services could include support for the National ID Card if required – notably for what it refers to as ‘Gold Identity’.
In December, the Technology Strategy Board hosted a meeting at BIS (the Department for Business, Innovation and Skills) on Trust in electronic transactions: an opportunity to change the landscape. The objective of the workshop was to shape the scope of an £8m Technology Strategy Board competition to be launched in early 2010.
2010 saw the repeal of the Identity Cards Act courtesy of the Identity Documents Act.
On the 18th May 2011, Francis Maude MP (Minister for the Cabinet Office and Paymaster General) made a statement to Parliament on identity assurance. His statement started with the announcement that:
The Government agreed on 14 March 2011 to the development of a consistent, customer-centric approach to digital identity assurance across all public services. This will allow service users to log on safely to digital public services in a way that ensures personal privacy, reduces fraud and facilitates the move to online public services.
And also went on to say:
Our intention is to create a market of accredited identity assurance services delivered by a range of private sector and mutualised suppliers. A key improvement will be that people will be able to use the service of their choice to prove identity when accessing any public service. Identity assurance services will focus on the key imperative to ensure privacy. My Department is leading the project to develop the design and the creation of the market within the private sector. By October 2011 we expect to have the first prototype of the identity assurance model to test with transactional Departments and public sector identity assurance services, with a date for implementation from August 2012.
A variety of updated identity assurance documents were published from 2012 onwards, replacing the numerous related documentation that had been published over the years since the original Authentication Framework of 1999. These documents on Identity assurance: delivering trusted transactions updated guidance on topics such as Authentication credentials for online government services and Identity proofing and verification of an individual.
The Parliamentary Office of Science and Technology (POST) report of April, Managing Identity Online, provides a useful summary of the state of play around identity. It points out that:
Privacy and security are key concerns of the Identity Assurance Programme. The IDAP is developing a model which aims to address these concerns. It is engaging with an independent Privacy and Consumer Advisory Group comprising external stakeholders to work on this issue. It is also working with the Government’s National Technical Authority for Information Assurance to ensure that the model meets security requirements.
In September 2014, the Privacy and Consumer Advisory Group (PCAG) mentioned in the POST note of 2013 (see above) published version 3.1 of their Identity Assurance Principles. 9 guiding principles for any government identity assurance scheme were set out by the group:
The page “Introducing GOV.UK Verify” was originally published by the Government Digital Service in June 2015 and provided an overview of and introduction to the Verify programme (formerly known as the Identity Assurance Programme, or IDAP). As with most of GOV.UK, there is no page history, meaning it is impossible to track how it has developed over time. However, this (PDF) is a copy of how it looked at the time according to the Wayback Machine (or this is a direct link to the Wayback Machine site capture from 2015). You can see the current iteration of the page here.
October also saw the first public release of various “Good Practice Guides” (available internally since 2012 in various iterations), the latest version of guidance in areas such as identity proofing and verification of an individual, published by CESG and the Cabinet Office – updating the authentication guidance provided from 1999 onwards.
Summary comparison table of the original Government Gateway SAML hub and the GOV.UK Verify SAML hub, showing differences in functionality and scope.
In February 2017, the Cabinet Office published its Government Transformation Strategy. One of the targets listed for 2020 is:
making better use of GOV.UK Verify by working towards 25 million users by 2020 and exploring options for delivery of identity services for businesses and intermediaries
It also notes that:
GOV.UK Verify allows people to use one account to prove their identity online securely for government services. GDS will work with the private sector to enable people to use the same account, which meets high government standards, to prove their identity online for private sector services, such as opening a bank account without having to go into a branch.
As noted in the introduction, there remain a variety of approaches to identity assurance across the public and private sectors. The Verify identity assurance programme aims to establish a common trust framework to help improve this situation, but at present there remain multiple platforms, systems and approaches underway both within the public sector and the private sector.
As I have commented elsewhere:
It’s important for the future of online services that government helps nurture a robust, trusted, secure and viable approach to identity assurance that can work right across our digital economy. So it’s worth making time right now to do an honest, open and public reset to get this right.
Afternote (June 2017)
Many attempts to tackle online identity fail to understand the wider issue of how to match a proven, trusted identity to specific data or records relating to that person. This is a problem that can often be as complex as proving identity online – which in itself is fraught with challenging issues, particularly the level of assurance that a citizen entering identity-related information is the same as the citizen they claim to be.
With the growing ubiquity of personal data, and plans to increase the amount of such personal data being shared across the public sector, there is a potential danger it will only verify the citizen currently online is in possession of sufficient data about a person who does exist. It does not necessarily prove that the person entering the data is the same citizen. The Law Commission highlighted this in its consultation on ‘Making a will’:
Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists. (para 6.67, p. 119)
I discuss some aspects of the data matching or identity matching issue in my May 2017 blog The identity / data divide.