https://identityassurance.blog.gov.uk/2014/02/11/identity-assurance-goes-into-beta/

Identity assurance goes into beta

This week a small group of people became the first users to sign in to a government service using identity assurance. (Janet Hughes’ recent blog post explained what identity assurance is and how it works.)

HMRC’s Pay As You Earn (PAYE) exemplar service went into private beta on Monday. This means the service will be made available to a small group of volunteer users between now and April, while HMRC tests and develops it for larger numbers of people to use. Users of the service will sign in using identity assurance.

From prototypes to live services

HMRC’s private beta means we can start testing identity assurance with live identity providers and a live government service. This will build on our year-long programme of user research, where until now we’ve been using prototypes rather than live services.

During the private beta, we’ll be continuing to develop and improve the identity assurance service to get it ready for public beta (when it will be available for anyone to use, rather than small groups of invited users).

Adding more services

Initially we will be adding more services and users quite gradually, as we continue to get the service ready for wider use. Other services will begin to use identity assurance from March onwards, starting with DVLA’s view driving record service. The DVLA will start trialling identity assurance for some users, aiming to use it exclusively once the identity assurance service is in public beta.

From June onwards we’ll start to increase the pace, adding more services and allowing more people to sign in securely and conveniently with identity assurance.

As always, we welcome your comments below.

11 comments

  1. Dan Hilton

    Any chance of some technical detail here? Is it OAuth based? Does it handle permissions on a per-service basis? Do you have sub-service permissions?

    Cheers,
    Dan

    • Steve Wreyford

      Thanks for your questions, Dan. The identity assurance service (that PAYE is using) is SAML 2.0 based. Permissions are handled within each service, not centrally - the service simply allows a user to assert their identity to the level of trust that the service consuming it requires, according to Government standards. The standards which govern it, and information about the SAML profile are available on GOV.UK. We’ll be blogging more about the technical details in the near future, for a general overview see Janet’s blog post.

  2. Victoria Samson

    Hallelujah! Hopefully no more 5 page password replacement procedure and 16 digits requirements... Good luck!

  3. simonfj

    Hi Steve,

    I was just checking where you were up to, re the UK's approach to IDA.

    I keep on revisiting this report.
    https://www.gov.uk/government/publications/local-authority-review-citizen-online-identity-assurance/local-authority-review-citizen-online-identity-assurance

    It is, for me, the only one worth using as a reference doc. I take it you would have quite a hand in it, so congrats. Just a pity we couldn't have addressed the LGA's Recommendations. It will/would have saved everyone so much time and effort. Martha did say to fix the publishing before the transactions.

    I've been passing it around a few NREN (National R&E Network) managers who have done much of what the GDS are doing, but limited themselves to just one portion of a citizen's online identity. i.e. when they're inside a school or uni network (in the UK. Other countries can't afford to treat their identities separately)

    We'll see how this pans out. Proof of the pudding always depends on what institution a citizen would prefer to trust with their personal stuff.

    BTW. You must thank Lee for me. It would be nice to have a few more personal perspectives from new digital managers like this one. https://hmrcdigital.blog.gov.uk/2014/02/07/being-a-digital-service-manager-in-hmrc/ Makes grumpy old men like me remember when I was young & idealistic 🙂 Be good.

    • Steve Wreyford

      Thanks for your comments, Simon. Can't take any credit for the report myself, though I agree it's a good piece of work.

      I'll pass your thanks on to Lee. His enthusiasm is infectious and it's great to see the personal perspectives of service managers like this.

      There will be more useful information for potential relying parties soon via the Service Design Manual and more alpha progress with local authorities that we will report on, so stay tuned.

  4. David Evans

    Good news! Crack on so we can all start to benefit.

  5. Francis Irving

    I've just read a few articles about this, and still have no idea how it will work from the user's point of view.

    Rather than ask the many questions I have, could you do a whole load of mockups, of how it would work for different kinds of service?

    In particular, covering both cases where I need to prove something ("I lived at this address with this name for 3 years"), and ones where I need to come back later ("my application ref XXXX, what happened with it?").

    I could understand a "log in with GOV.UK" type thing, as that is familiar - we're used to "log in with Facebook". Identity Assurance is clearly more subtle than that though...

    • Janet Hughes

      Hi Francis, thanks for your comment - yes we will be happy to do that and publish it here. It will probably take us a couple of weeks to get that done and published.

      It's probably worth saying now though, the user experience of identity assurance won't really vary depending on the service. All the identity assurance service will do is establish that you are who you say you are to a defined level of confidence. The registration and signing in process will be the same for all services that require the same level of assurance.

      When you use a service that includes identity assurance, you'll be asked to register with an identity provider or, if you've already registered, sign in using the credentials you set up when registering. You'll then be directed back to the service you want to use, like the PAYE service for example. That's where you'd do things like chase up an application or prove your eligibility for the service.

      I hope this helps as an initial response to your questions.

      • Steve Checkley

        Hi Janet,

        I echo that there is need for the signing up and validation processes to be put out into the public domain since the actual nuts and bolts of IDA are completely unknown at present.

        I'll be keeping an eye out for any blog posts that do this. It might also be an idea to include links within the 25 digital programmes that will use IDA. It would then make it increasingly easier for people to find out more about IDA.

        Kind regards,

        Steve

  6. Phill

    Hello,

    I know that my organisation is interested in using IDA to ensure customer identity before they use our online portal. Is the maximum amount of entities that IDA can currently handle until October 2014 600,000? And if so how many have already registered through IDA?

    Kindest regards,

    • Steve Wreyford

      Thanks for your question Phill,

      We're still in the early stages of the first private beta, with only a small number of users registering. We've just announced a new procurement which will allow us to manage demand beyond October and meet future registration requirements.

      Hope this is helpful.

      Steve
