As with all the work being done under the digital transformation programme, the identity assurance programme starts with user needs. But, in this case, there are two separate and contrasting needs to consider. We thought it would be interesting to share what we’ve learned so far about this issue.
Security matters to people ...
We’re building the identity assurance service so that people can sign in securely to digital government services. (See Janet’s post over on the GDS blog about why identity assurance is needed and how it will work.) This is a clear and compelling user need - if we don’t fulfil this need, digital services won’t be trustworthy or trusted, so people won’t want to use them, and we won’t see the benefits and savings promised by the move to digital by default services.
When they’re asked how they feel about security online, people tell us they prioritise security as a need. When we meet people in the lab who’ve had their digital security compromised, they talk about it as a devastating experience.
… but so does convenience
We’re finding, though, that security doesn’t tend to be at the forefront of people’s minds when trying to use a digital service. Our lab research has shown us that at the time someone is trying to sign in to a service to complete a transaction, they’re thinking principally about the transaction and their desire to complete it quickly. They tend to see security measures as getting in the way.
People expect registering for government services to be the same as signing up for a social media or shopping account. Because they haven’t encountered identity assurance online before, they can’t anticipate that government services will require higher levels of confidence that users are who they say they are.
We also know that people will knowingly take security risks, such as choosing obvious passwords like ‘password’ and re-using the same password for multiple services. When setting their passwords, they tend to value convenience over long-term security. They may also not fully understand the risk they’re taking.
What we’re doing about it
This raises questions about how we can design a service that is as convenient as it can be while looking after people’s security.
This is not a new challenge - it’s one that’s being faced by organisations the world over. We can’t solve this problem on our own; it’s part of a much wider set of issues.
First, as identity assurance becomes more widespread as the main way to sign in to government services, it will play an important role in educating people about the importance of protecting their digital identity.
Secondly, we’re trying to stimulate a competitive market for identity assurance as the quickest and most effective way to close the gap between solutions that are convenient and those that provide security. We believe that suppliers who will be most successful are those that can best meet the dual challenge of security and convenience for end users. We expect to see new methods emerge that are more convenient for end users but satisfy the required standards.
Through this approach, we will be increasingly able to meet users' security and convenience needs simultaneously.
4 comments
Comment by simonfj posted on
Very nice synopsis.
Seems we all know what we are trying to do. The hard part is going about things in a coordinated manner, keeping in mind that we're in a time like, when the automobile was not mass-produced. All the components are there, if only we could assemble them in a mass-produced manner, and train drivers for a license so they didn't kill one another.
I could extend the analogy so that we have public servants waving their red lights as they walk in front of every standard auto. It seems to be the stage that many govs around the world are at the moment, minus the auto. So I won't use the analogy.
Perhaps a better one is "peeling an onion", where users who are attuned to the FB, LI world access some useful toys knowing that big brother is watching, and start by accessing gov services by accessing this blog, or the e-petitions platform, or their education services, for example.
Transactions is not a good place to start because people know they have their bank to ensure their security.
It makes good sense - trying "to stimulate a competitive market ..... as the quickest and most effective way to close the gap between solutions that are convenient and those that provide security". But i can't see why this needs to include some private security providers. Most of the stuff I - a lonely citizen - want to pull together is lying around in different government departments, who won't collaborate/share.
Your assumption is that an IA provider can overcome this.
My belief is that local government's, and research institution's, network managers can. If they are given space to collaborate. We'll see.
Comment by Adrian Seccombe posted on
I see the issue as having three major parts
1) Setup and Update
Initial Registration of an entity, and associating trustworthy attributes with that entities Digital Identity
2) Usage and Intent
Use of the Identity and the associated attributes to make my intent(s) clear
3) Connecting (Id)Entities
Associating Entitities, especially People with Things
Some may argue, perhaps rightly to separate "1" into two parts, so perhaps we have four parts.
My wish list
I want "Setup and Update" to be a robust process that only needs to happen few times, I am only born once, I don't take my driving test weekly, I don't mind if it takes a little while.
(BTW This does NOT mean registering for access to a new website or service should take a while, that would be 2) and 3)
I want Usage and Intent to be insanely simple and quick as well as highly trustworthy.
I want to "Connect" to new services equally simply and quickly with same same high degree of trust.
Most importantly I want to be confident that the Digital Trust Ecosystem will be around longer than I am! In which case I would want to use it in all my Digital dealings not on the few occasions that I deal with the UK Government.
You may think that you are dealing with lots of citizen transactions, but from my perspective I rarely have need for a Government Only Digital Identity. If I could used my Citizen Id in all my digital dealings SIGN ME UP!!!
Which of the above parts will the GDS Identity Assurance service play?
Comment by Steve Wreyford posted on
Thanks for taking the time to respond, Adrian. We agree with your assessment of issues that are critical to success.
Registration will be robust - it needs to be to allow you access to the types of government services and information you'll be using it for. Sign in also needs to be robust (eg. include second factor authentication) for the same reason, but re-use will be easy.
One of the reasons we’re helping to stimulate the identity marketplace is exactly so that the same solutions can be used in many more places than just government… of course we can’t control whether this happens or not but we can do what we’re able to support this (and we are).
You may have already seen it, but there’s a more detailed description of the service in Janet's recent blog.
Comment by Dr. Nick Bell posted on
Remarkably few comments! Is anyone reading this?
I agree, an eSID (Electronic Secure Identity) is a must.
Just as you can only have one (UK) Passport, you should ONLY have ONE (UK) eSID which makes it UNIQUE (globally??), and for LIFE.
Ease of use of (government) systems is also a must.
The (optional, and I stress optional) physical world manifestation would be eSID (Photo) Card.
In the future, should our eSID be established at birth?
Does the eSID (Card) then replace a Birth Certificate?
Whilst I am new to the field, I have worked in IT for 35 years. I am fascinated by what appears to be happening in the rapidly-moving Identity Assurance field.
Much of what I have researched is around the model whereby we contract with an Identity Assurance provider who checks to see I am who I say I am and then stores the information for reference as required by third parties. Only 8 companies tendered and, it would seem, all were accepted. 6 of the 8 are commercial companies, by definition, in-it-for-profit or some pecuniary gain. Only Mydex is a Community Interest Company. Personally, I would bar any company which does not have CIC-type credentials. I really do not feel it is right that it is in the hands of a company which could be taken over by another. Would the government then we trust a company owned by say the Chinese?
Personally, I believe, ONLY one organisation has the wherewithal to validate one's Identity securely according to the CESG criteria because they can achieve it face-to-face, the Crown Post Office. However, perhaps the hosting can be a matter of choice. The Post Office as a government-owned enterprise should not be allowed to be an Identity Assurance Provider. An Identity Assurance Provider has the potential (requirement?) to also provide the secure repository (PDS - Personal Data Store) for the Identity Owner's data which can be populated by the IDO and by third parties (including government bodies) with whom the IDO chooses to link.
I could say (a lot) more.