In March this year we started an intensive, iterative programme of design and user research with a view to ensuring the best possible user experience for people as they discover and interact with identity assurance.
We've completed 19 rounds of research to date, doing sometimes weekly and sometimes fortnightly iterations. This allowed us to update the design of the user interface in response to what we learn from observing people interacting with our prototypes and talking to them about their understanding of and feelings toward identity assurance.
Each iteration of research involves recruiting between 5-8 participants to take part in a one-to-one lab based sessions (up to one hour). We have recruited a range of participants from wide ranging age groups, professional backgrounds, and levels of confidence with technology. In the sessions we observed people performing tasks that involved registering and signing in to services using the identity assurance process.
Some of our specific research goals in these early stages have been to understand:
how we talk about identity assurance so that people understand how they will be identified and are happy to engage with the registration process
how we help people choose an identity provider that is most likely to be able to identify them based on their available evidence and preferred methods
what advice we can provide to the identity providers to help improve journeys through registration and sign in
In addition to the lab based research we have also undertaken some interesting quantitative research which we will continue in the coming months, we'll share some of our initial findings from the quantitative research next week.
We will share findings from our research to this blog from time-to-time.
Things we’ve found
Over the 19 rounds of research we've generated some interesting findings about how people interact with the government and more specifically identity assurance online, including:
most people we encounter have no prior experience of using a third party company to identify them
if they have used a third party to sign in it's most likely to be via a social media account, and most people we've met tend to avoid using their social media account to sign in to other services
identity assurance will often be the first time people use this model and they need to be assured that it is a legitimate process
people tell us that they trust the identity assurance process because it's a government initiative and government has actively worked to certify the identity providers for security, privacy and other measures
the mental model of 'registering' for a service is very strong and most people enter the process expecting to fill out a registration form on GOV.UK
due to the strength of this mental model, it's a difficult design challenge to encourage people to engage with any content alerting them to the different model without frustrating them
people’s perception of 'security' online can be quite unsophisticated; expectations for what they need to do to be 'safe' online are quite limited
amongst our participants many use a very small number of passwords across all services, but often feel this is safe because they have what they perceive to be a very 'unguessable' password – for example, a combination of their dog’s name with their favourite football team
sites requiring longer and more complex passwords are not helping the situation as this increases the cognitive load for people trying to remember passwords and encourages them to use even fewer with small, codified, variations based on the specific requirements of that website
Get in touch
We'll be continuing research on a regular basis. Where we have time available we'll work with partners (our identity providers, government departments and others) to test concepts and questions as a part of our research activity.
We look forward to sharing lots of interesting stuff with you here and making some good progress towards understanding how to solve the user experience challenges associated with identity assurance.
If you have any questions or want to find out more, please respond to this post.
Comment by Simon Hurst posted on
In the early days of the research we did with PIP we discussed IDA with people and they really disliked the idea of using someone else to prove their identity and firmly believed they should be logging into a government account. I'd be interested to know how this can be tackled.
My Department is very much a benefit paying organisation and people in that position were very wary of some of the organisations who we initially mentioned might be doing the IDing...
Comment by Steve Wreyford posted on
Thanks for your comment, Simon.
This is a new model and people are unfamiliar with the concept and with the benefits of using private sector companies to provide identity services. Also, people’s expectations of how government might be able to prove their identity is unrealistic.
Given these two things it’s not surprising that when asked users say they would prefer the govt to do this; we have seen similar feedback.
The more users understand identity assurance and the better designed the experience the more comfortable people become with it. We often find that people are resistant at the outset, but having experienced the process can see the benefits. After each round of research we make changes and improvements to the experience to improve this understanding.
Comment by simonfj posted on
When I read this last year, I was comparing it to where Internet2 were up to with the development of their cloudy apps and services. http://www.internet2.edu/cloud-services/ Gov departments are in much the same situation as the research labs have always been. How to share while retaining security. This new inter-institutional/user-centric networking model is just easier to see on a (large) National level.
I'm always trading this (head in the clouds) perspective with the other (feet on the ground). It explains why, when I read stuff about what's happening at the local level, the demand in the real world doesn't seem to be reaching your "lab". e.g. "Pope's concern is that the national PSN lacks a clear strategy: "The process still seems very opaque at the moment." http://www.computerweekly.com/news/2240105742/How-far-away-is-the-governments-vision-of-the-Public-Services-Network
Then it struck me. GDS is only testing interface design (of the services it chooses and improves). That's ok. But this is (now) a demand led world, so it's the local.gov network guys who, together, understand where the savings are.
You can even see the innovation trying to work is way out of the local networks. e.g. "The app allows different public sector workers to collaborate and see all the information on one family or one address that they are all working with".
“Beforehand, a health worker would show up at the door in the morning, a social worker would show up in the afternoon and neither would know the other had been there,” said Kristel. i.e. The "falling between the (institutional) cracks" syndrome. http://www.computerweekly.com/news/2240158417/Staffordshire-County-Council-saves-15m-with-PSN-deployment
So here's one service every front-line worker can use. I've used this illustration for two reasons. Firstly it identifies where the research should be done, in the field. Secondly, when you talk about IA's, there's no reason for local councils to discontinue doing what they always do, and do the regos (for an IA service). They're also small enough to be agile in developing services that have National applications, as illustrated above.
The only principle which seems to be missing from the GDS "user design process" at the moment is "start at Stage 1, not stage 4". http://blogs.worldbank.org/ic4d/co-creation-of-government-services
Sorry to be so blunt. Too much time with Aussies.