https://identityassurance.blog.gov.uk/2015/03/27/working-with-the-private-sector-to-verify-identity/

Working with the private sector to verify identity

We’ve posted before about the work we are doing with private sector organisations, primarily through the Open Identity Exchange. This post is about how we are working with the private sector to make it easier for users to verify their identity.

When you open a new account or service relationship, many organisations ask you to bring in ‘evidence of identity’, like a passport and utility bill. They then photocopy the evidence and keep it in a file somewhere as an audit record that they verified your identity. There are many weaknesses with this approach to identity assurance, not least that irrelevant personal data is recorded along with the identity details. But for many years it has been established practice.

We have been working with private sector organisations through the Open Identity Exchange to develop digital solutions that are better than their paper-based predecessors - and don’t leave a trail of photocopied personal information in archives. In a digital transaction, if you ask the right question, it is possible to provide a yes/no response and avoid the need for unnecessary personal data to be stored.

We developed an example service in the public sector. When a GOV.UK Verify user is registering with a certified company, they are given the option to provide passport and driving licence details as evidence of identity. The certified company has access to the Document Checking Service through which the details provided by the user can be validated with a simple ‘yes’ or ‘no’. Only certified companies can access this service, and only for the purposes of verifying an identity as part of GOV.UK Verify.

The certified company must do a number of other checks when creating a digital identity, including validating evidence provided by people. Through OIX projects we have been testing how the private sector might create services that work to a similar design as the Document Checking Service and allow certified companies to validate user-asserted data - with the user’s consent - directly against the primary source. This will help increase the success rate for GOV.UK Verify, which is one of our objectives for the next year.

We reported on a project with the Mobile Network Operators in 2014 on how their infrastructure could be used for identity assurance. Together with the GSMA they are now working on an initiative called Mobile Connect.

Recently we’ve been talking to banks, the Payments Council and VocaLink about similar concepts. Banks must meet high regulatory obligations for identity verification when opening and operating bank accounts. We are now planning a project to investigate how a certified company could validate a user’s bank details. If you’d like to know more about this or any other OIX projects, please do get in touch.

You can read about the various projects through which we are working with the private sector at OIXUK.org and we’ll provide further progress updates here and at the regular OIX UK meetings.

Please get in touch or comment below if you’d like to know more.

 

28 comments

  1. Philip Virgo

    How do you check that it is not a fraudster who has assumed the identity of, for example, a benefits claimant with no on-line access or credit history? I am told that this is relatively easy, using publicly available information, to acquire a sufficient mix of the necessary credentials.

    • Janet Hughes

      Hi Philip.

      Certified companies have to meet published standards for identity assurance, to reach the required level of assurance that the person is who they say they are. We've blogged separately about how certified companies establish it's really you, here: https://identityassurance.blog.gov.uk/2014/11/21/how-does-a-certified-company-establish-that-its-really-you/ You can also read the published standards for identity assurance which set out the rules in more detail - see https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions Certified companies can design and choose their own range of methods to achieve the required standards, based on the person's consent and so long as they can demonstrate that they will achieve the required level of assurance.

      Certified companies have to establish the required level of assurance against 5 different elements, and it's the combination of all 5 elements that provides the overall level of confidence that the person is who they say they are. One of these (element C) specifically involves establishing a link between the identity that's been asserted and the person who is asserting it, to establish that the person attempting to verify is the owner of the identity. For example, providers can use knowledge-based questions to fulfil the requirements under element C. This involves asking the person some questions that only they are likely to be able to answer.

  2. Hugh

    Does this mean that when I log into a government service I have to remember which identity provider I've registered with? How am I meant to make a value judgement as to which one is best? Online identity is really important but it just seems like there is serious duplication of effort amongst providers. Why can't GDS just work with one provider and ensure they offer an effective service? 99% of people don't care who checks their identity, they just want it done accurately and quickly.

    • Rebecca Hales

      Hi Hugh, thanks for your comment.

      You will have to remember which identity provider you selected to create with.

      Using a range of certified companies gives people choice and control over who has their data and how it’s used. Once someone has verified their identity with their chosen provider, they will be able to re-use their credentials across an increasing range of government services without having to prove their identity again from the beginning each time.

      We are using a range of providers that users can choose from so we can take advantage of value and innovation in the market, and so we can avoid creating a central database of personal data within a single supplier or within government.

  3. Mrs. M. Norris

    Hi,
    I have already sent a comment regarding the new Marriage Allowance.
    They are asking for identity items that I do not have [photo driving licence, current passport, never had a credit card and my mortgage finished years ago] what else will they accept, have offered marriage licence birth certificate DW&P national insurance number.
    Will these be acceptable?

    • Rebecca Hales

      Hi Mrs Norris, thank you for your comment.

      If you contact HMRC customer services on 0300 200 3300 they should be able to advise you on what alternative forms of identification are accepted.

  4. Philip Virgo

    Does this mean that Mrs Norris cannot use a Verify identity for her application?

  5. Naveed

    Hi, I am in the process of setting up a new company which will be working closely with the NHS, we will be requiring a digital verification process similar to GOV.UK VERIFY. Who can I contact with regards to joining the beta testing?

    thanks

    • Rebecca Hales

      Hi Naveed, thanks for getting in touch.

      The way for private companies to engage with the programme is through the Open Identity Exchange (oixuk.org).

      We're also talking to NHS and HSCIC about their potential future use of GOV.UK Verify, and can put you in touch with the relevant teams if that would be useful?

  6. Paul Turner

    I have just received an email from HMRC regarding the new Marriage Allowance and GOV.UK Verify. I also do not hold a current UK passport nor driving licence. I am an Irish national and I have an Irish passport. Will other nationality passports be accepted? There must be thousands of people who do not hold these UK documents.

    • Rebecca Hales

      Hi Paul, thank you for your comment.

      At the moment you can only use GOV.UK Verify if you have a valid UK passport or photocard driving licence. GOV.UK Verify is in beta, which means it’s being constantly improved and developed. This includes adding more ways for people to prove their identity using documents other than UK passports and driving licences.

      If GOV.UK Verify isn’t able to verify your identity at this stage, then a HMRC advisor will be able to verify your identity and take your application by telephone.

      • Wendy M

        I hasten to amend this - You need a passport AND a driving license. Both the comments here and the writing on the site says OR. I just spent 15 minutes going through the signup process as it clearly states I can do so with driving license OR passport, and it's not the case; you must have both. Like many, many people, I don't have a passport.

        • Rebecca Hales

          Thank you for your comment. I'm sorry that you've had a frustrating experience. There are times when users can be verified on one document, however the certified company will not know if they need to ask for another until all the details have been entered.

          GOV.UK Verify is a new service that is in beta, which means it is constantly being developed and improved based on feedback from people who use it. We’re not able to verify everyone yet but we are working to make it possible for people to use other evidence instead of passports and driving licences. There are other posts on the blog that explain what we’re doing about this, if you’re interested to read more see: https://identityassurance.blog.gov.uk/tag/improvement/

          Anyone who can’t be verified online using GOV.UK Verify at this stage, can return to the service you wanted to use and follow the guidance on the other ways that exist for you to access that service.

  7. PETER HEWLAND

    My wife's passport expired 10 years ago............she has the old paper style driving licence and doesn't drive anymore. Surely if the DWP (who initially wrote to her offering the money) pay her pension every month and have done for the last 8 years she is known and suitably verified............otherwise someone has conned them out of tens of thousands.!!!!!!!
    Do these people put brain in gear when they decide what is acceptable ID........I despair so now we have to jump through more hoops so she can transfer some of her unused tax allowance to me so we can legally save £200

    • Rebecca Hales

      Hi Peter, thank you for your comment.

      GOV.UK Verify is a new service that will allow people to verify their identity entirely digitally and use that to access an increasing range of services.

      GOV.UK Verify is in beta, which means it is constantly being developed and improved based on feedback from people who use it. We’re not able to verify everyone yet using GOV.UK Verify - we’re working to make it possible for people to use other evidence instead of passports and driving licences. (There are other posts on the blog that explain what we’re doing about this, if you’re interested to find out more see: https://identityassurance.blog.gov.uk/tag/improvement/).

      Anyone who doesn’t have those documents, or for some other reason can’t be verified using GOV.UK Verify at this stage, can contact HMRC by phone and an advisor will be able to take you through the process that way instead.

  8. R Stockton

    Hello,

    I have just received a followup email from HMRC and am totally against giving this information over the internet and would prefer a different option. Can I telephone and speak to an HMRC employee and give the information that way or even old fashioned written forms?

    • Rebecca Hales

      Thanks for your comment.

      When you’re using digital services, you need to be sure that your privacy is being protected and your data is secure. Government departments providing services online need to know it’s really you (not someone pretending to be you), and to ensure your information is safe. GOV.UK Verify is more secure than usual methods of proving who you are, because there’s no central storage of information.

      However, if you do choose not to use GOV.UK Verify - or for some other reason can’t be verified using GOV.UK Verify at this stage - you can contact HMRC by phone and an advisor will be able to take you through the process that way instead.

  9. M. Lucas

    Just tried gov.uk verify about the new Marriage Allowance. Supplied everything I was asked correctly but wasn't accepted. Said it was a new system and it couldn't verify everything but would keep all my details and for me to try again next week.

  10. Lisa

    Just tried to use the verify system to claim married couples allowance but was unable to get verified because I have no mortgage, no overdraft, and no mobile phone contract in my name at my address. What do I do now?

    • Rebecca Hales

      I'm sorry that GOV.UK Verify wasn't able to verify your identity on this occasion.

      GOV.UK Verify is in beta, which means it’s being constantly improved and developed. At the moment you can only use GOV.UK Verify if you have a valid UK passport or photocard driving licence, but we’re working to add more ways for people to prove their identity if they don’t have a UK passport, driving licence or credit history. We’re aiming for 90% of people to be able to use GOV.UK Verify by April 2016 - we’ve published some information about that elsewhere on our blog and will be publishing updates as we progress through the next year.

      There will continue to be other ways for people to access services if we’re not able to verify their identity through GOV.UK Verify. If you haven't already, then please do return to the service you wanted to use and follow the guidance on the other ways that exist for you to access the service.

  11. Brenda Long

    GOV.UK Verify was unable to verify my identity and in the end I completed my transaction over the telephone. Does this mean that the certified companies that I've tried will keep all my personal details (passport number, drivers licence number etc)?

    • Rebecca Hales

      Thanks for your comment, Brenda.

      I'm sorry that GOV.UK Verify couldn't verify you on this occasion. GOV.UK Verify is in public beta (trial) at the moment and is being constantly developed and improved. We're working on more ways for people to prove their identity with a wider range of evidence so you may wish to try again in future.

      You can request that the certified companies remove your account and any data associated with it. You can do that by contacting their support services.

  12. MarkK

    But how will they know it's Brenda? It seems they weren't sure last time.
    (And GPG 42 suggests a higher level of assurance is needed for changes to accounts.)

  13. MarkK

    Sorry for typo, should be GPG 43 (RSDOPS).
    You seem to be suggesting that the companies will have retained the data in this case, but there's no obvious reason why they would: they can't use it for anything else and presumably haven't been paid as the transaction was not successful. Is the process and architecture showing IdP, hub, matching service and service provider published somewhere?

    • Janet Hughes

      Hello Mark, thanks for the 2 comments / questions.

      There isn't one standard answer to this question - each certified company has the right to handle these matters individually, within their legal and contractual obligations and according to the required standards. This is because we buy services from the providers and pay them to meet required standards, rather than specifying the precise solution they should implement. This is to help achieve the objective of creating a diverse market of suppliers over time, allowing certified companies to continuously improve their services as the available technology and capabilities advance.

      Each company is the data controller for the data they collect; they have to comply with data protection requirements like any other data controller, including those relating to the collection and retention of data. We don't specify how each of them should do that, since they are responsible for doing so within their own systems according to the law and their contracts with Cabinet Office.

      They are also subject to contractual requirements with Cabinet Office that go beyond the normal legal requirements. For example, under our new framework, certified companies will be required to publish a statement as part of their terms and conditions which explains how they are implementing the identity assurance principles developed and published by our Privacy and Consumer Advisory Group (see elsewhere on the blog for information about that).

      You are right in saying that if a certified company has not successfully verified someone's identity, then they will not get paid - they get paid for each successful verification. (Under the current framework, they also get paid under some circumstances for reporting fraudulent attempts to verify, but as the providers transition to the new framework over the next few months this will not continue and they will only be paid for successful verifications.)

      Certified companies also have to make sure that someone trying to access an account through another channel, or change it through any channel, is who they say they are. They have account recovery processes in place to do that, which are usually set up in the initial stages of creating an account with the company. Those processes have to comply with the relevant standards, as you've rightly pointed out.

      In each case the certified companies will approach this differently, since they are each separately responsible for designing systems and processes that meet the required standards, and for achieving the required certification / accreditation to verify that they are doing so.

      I hope that helps answer your questions but do come back if there's anything more you'd like to know or if anything is unclear.

  14. MarkK

    Is the interaction between the players and architecture showing e.g. IdP, hub, matching service and service provider published somewhere? Transactions may fail at other points than the IdP, and it will need to be clear to the intending user where the problem is, not least because the other participants will not be able to help.

    And a second issue: although the target of 2010 set by EU PMs in Manchester in 2005 for public sector online services to be able to use foreign IDs has been missed, presumably the UK services have been designed to cope? Now that there is an Estonian e-Resident system available to us at a higher assurance level and with international interoperability, why would anyone use GOV.UK Verify?

    eIDAS mandates acceptance by all national public sectors using online, so HMG would have to accept Estonian ID of Brits. It may be that this doesn't tick all the boxes of HMG privacy principles, but as it's the user's data, presumably the user choice will be respected.
