by Mark Say

How is the government identity assurance service going to work?

Feb 03, 20145 mins
GovernmentIT LeadershipSecurity Software

Like most government IT schemes the Identity Assurance (IdA) Programme has taken a long time coming. Plans began to emerge from the Cabinet Office in 2011, the programme team in the Government Digital Service (GDS) and the procurement took shape in 2012, and the first companies to take part were announced last year. But it’s only in the next few weeks that a couple of Whitehall departments will begin to use the service on a private beta basis, and it’s likely to be next year before large numbers of people begin to register.

It could, however, become a game changer for the way that public and private sectors deal with the issue of how to ensure an individual is who they say they are. It has been developed partly to lay the foundations for a consumer market in IdA services.

“Part of the reason we’re approaching it in this way is we’re trying to stimulate a market of identity provision, so that companies will develop this capability of assuring identities, and that will be reusable in the private sector and wider public sector,” says Janet Hughes, the programme’s head of policy and engagement. “We expect it to create competition, excellence and innovation, and drive down prices to make assured identities into a commodity service.”

This is reason for CIOs in any organisation to watch how it works and develops. The big shift from previous government approaches to IdA is that it lets people choose from a number of trusted identity providers (initially five) to handle the initial validation of who they are and authenticate their identities when they want to use a government service. They won’t have to pay; the providers will be paid per registration under their contracts with the Cabinet Office.

The approach to validation can vary between the identity providers, as long they conform to the Cabinet OfficeGood Practice Guides, and while the emphasis is on online there is provision for telephone and face-to-face processes – an important element in supporting people who don’t use the internet. The processes are going to depend on methods that are already established in IdA –checking the details people provide against a range of databases for any discrepancies, and when necessary asking for supporting documents such as passports, driving licences or utility bills.

When the person wants to access a service they will be directed to the hub to choose their provider and sign in, prompting it to send the data set to the service provider to confirm the identity. When the identity provider is satisfied it will feed a data set of name, address, date of birth and gender for the person into a central hub, the point at which the authentication for specific services takes place. The service provider uses that data to identify their records about the user and, if there is a doubt about which record to use, can ask an extra question to get the correct record.

The key feature of this is that the identity and service providers only communicate with the hub, not each other, so the former doesn’t know which government services its customer is using and the latter doesn’t know which identity provider is doing the job. This reflects the underlying concern about privacy that has been one of the big drivers of the programme, and which could be a major factor in boosting take-up. It’s a case where designing a simple process is complex business, and Hughes says the biggest challenge is in correctly matching a person’s data set on the hub to that held by a service provider.

“There are a number of elements,” she says. “One is to verify you are who you say you are. In a way that’s technically speaking straightforward as there are records and you can ask knowledge-based questions.

“The complicated thing is matching that identity to a record that’s already held by a service. If we succeed we’ll be the first people in the world to do it at that level of assurance.”

The GDS has placed its faith in an agile approach to meet the goal, avoiding a precise specification at the beginning of the programme in favour of a few questions about user needs, then building, testing, changing and moving forward cautiously. Hughes says this has made the team confident that it’s going to be right for users of the service.

It has reached the stage of identity and service providers being able to connect to the hub, and will soon make it available for a limited number of individuals to use as a private beta. Two services will begin to use it – HMRC’s PAYE Online and DVLA’s service for people to check their driving licence details – following which another 23 will join as ‘exemplars’ up to April 2015.

It is staying clear of a firm timeframe beyond that, and there is no compulsion on government departments to use the scheme, but Hughes points out: “It’s been agreed by the Public Expenditure Committee that this will be the default way.

“We’re working with all the service providers across government to understand their needs and ensure they are developing the service in a way that meets their users’ needs. There’s no reason a service provider wouldn’t choose to do that.”

[Next – Diversity prevails for government identity assurance]