As with all the work being done under the digital transformation programme, the identity assurance programme starts with user needs. But, in this case, there are two separate and contrasting needs to consider. We thought it would be interesting to share what we’ve learned so far about this issue.
Security matters to people ...
We’re building the identity assurance service so that people can sign in securely to digital government services. (See Janet’s post over on the GDS blog about why identity assurance is needed and how it will work.) This is a clear and compelling user need - if we don’t fulfil this need, digital services won’t be trustworthy or trusted, so people won’t want to use them, and we won’t see the benefits and savings promised by the move to digital by default services.
When they’re asked how they feel about security online, people tell us they prioritise security as a need. When we meet people in the lab who’ve had their digital security compromised, they talk about it as a devastating experience.
… but so does convenience
We’re finding, though, that security doesn’t tend to be at the forefront of people’s minds when trying to use a digital service. Our lab research has shown us that at the time someone is trying to sign in to a service to complete a transaction, they’re thinking principally about the transaction and their desire to complete it quickly. They tend to see security measures as getting in the way.
People expect registering for government services to be the same as signing up for a social media or shopping account. Because they haven’t encountered identity assurance online before, they can’t anticipate that government services will require higher levels of confidence that users are who they say they are.
We also know that people will knowingly take security risks, such as choosing obvious passwords like ‘password’ and re-using the same password for multiple services. When setting their passwords, they tend to value convenience over long-term security. They may also not fully understand the risk they’re taking.
What we’re doing about it
This raises questions about how we can design a service that is as convenient as it can be while looking after people’s security.
This is not a new challenge - it’s one that’s being faced by organisations the world over. We can’t solve this problem on our own; it’s part of a much wider set of issues.
First, as identity assurance becomes more widespread as the main way to sign in to government services, it will play an important role in educating people about the importance of protecting their digital identity.
Secondly, we’re trying to stimulate a competitive market for identity assurance as the quickest and most effective way to close the gap between solutions that are convenient and those that provide security. We believe that suppliers who will be most successful are those that can best meet the dual challenge of security and convenience for end users. We expect to see new methods emerge that are more convenient for end users but satisfy the required standards.
Through this approach, we will be increasingly able to meet users' security and convenience needs simultaneously.