Diversity prevails for government identity assurance

As the Government Digital Service prepares for the first implementations of the Identity Assurance programme, the spotlight is falling on to the initial group of five companies that are taking on the role of identity providers, handling the validation of people’s identities and providing authentication when they come to use online services.

The identity providers are now ready to contribute to the private beta, and are working with the programme team to obtain accreditation for the public beta.

Janet Hughes, head of policy and engagement in the programme team, says: “We’re going through a process with each of identity providers where they are going through a number of gates to demonstrate that what they are doing is going to work and meet the required standards. They have to be accredited before they can go into full public beta service.”

It’s a reflection of the unique nature of the service that the five companies come from different backgrounds, and include a couple of names not widely known in the UK.

One of these is Mydex, which is providing an extension of its MydexID digital identity service to the programme. The validation process for individuals will take place only online and is initially set to work with a series of questions and answers and checks against other verification sources.

But looking to the longer term it aims to draw on information from one of the firm’s other lines of business, personal data stores. This involves the individual providing data which can then checked by organisations with their consent, and reflects the founders’ concerns with preserving privacy in digital services.

Chief executive David Alexander says: “Our goal is to empower the individual to be able to use the evidence they’ve got from people they work with on a daily basis from their personal data store to assert their identity; but right now it’s a blended approach.”

He adds: “Because we’ve given the individual one ID for life, which is free with no privacy bleed, they are in control and can choose to see it wherever they want. It means the trust that builds up and evidence of identity starts spreading across private and third sector.”

The other lesser known name is Digidentity, a Dutch company that specialises in secure digital communications. It says it is a preferred supplier of the Netherlands government, which has its own DigiD programme for access to online services. The company’s commercial offerings include an ‘internet passport’ that authenticates an identity with personal data stored and encrypted in an account.

By contrast, Experian has a prominent public profile for credit report checks and an identity authentication service for businesses. Its director of identity and fraud solutions, Nick Mothershaw, says: “We have a pedigree in online identity vetting. We’ve been doing it for 15 years in the UK and know where to draw the risk line in terms of the data you need and the diversity of data.

“We have access to a lot of data sources that we can leverage to identify an individual, and an infrastructure that can be quickly extended to other data sources. As the government brings online verification of passports and driving licences we can bring these into the system very quickly.”

The service Experian will provide is based on those it already sells, and will follow a similar process in checking against a range of databases with evidence of a person’s identity footprint. It can investigate address histories and ask questions to which only the individual should know the answer.

“If people with a low data footprint, such as young people or those who are new to the country, come to us, we have a tool named AutoDoc-ID that can scan a passport or driving licence for verification by a document expert,” Mothershaw says.

The company is aiming to do everything online and has no immediate plans for a face-to-face service. The Post Office has been one of the more obvious candidates, with a network of front end offices that provide a venue for any personal contact and a history of providing registration for public services. There are elements of identity assurance in these, but it will provide what is essentially a new service.

It is envisaging that most people will be able validate their identities online for the majority of government services, and has a plan to cross-check against various databases; but it is ready to run a face-to-face process for cases in which it considers it necessary to see supporting documents. It has also emphasised that it is looking for the pilots to shed light on possible improvements and is ready to amend its processes.

Verizon is known primarily as a specialist in enterprise networks, information systems and mobile technology, but it has been involved in identity assurance with its Universal Identity Services. These include automated identity proofing, multi-factor authentication and digital signature services, and cater for organisations that want to manage access for employers, partners and customers. It is effectively moving into providing a consumer service through its place on the government programme.

The true test of their solutions will begin with the move from public to private beta, which is expected during the summer. Longer term, Janet Hughes says there is every intention of bringing more companies into the programme.

“We will be going through another round of procurement and expect there to be more organisations competing at that stage to become identity providers,” she says.” It will be an open procurement, and the timing depends on the speed with which we progress through the first procurement.”

[How is the government identigy assurance service going to work?]