https://identityassurance.blog.gov.uk/2015/09/09/gov-uk-verify-an-update-on-progress-towards-objectives-for-live/

GOV.UK Verify: an update on progress towards objectives for live

Earlier this year we introduced some objectives explaining what ‘live’ will mean for us, and what we are aiming to achieve by the time we move from beta to live in April 2016.

This post gives an overview of the progress we’ve made and what remains to be done.

Readiness for services to adopt GOV.UK Verify

We post regular updates on the services planning to adopt GOV.UK Verify - our most recent post was in July.

We're working with 51 services across government, of which 13 are now connected to GOV.UK Verify (7 as public beta services). We’re on track to meet the demands of the services in the pipeline - we expect about 30 government services to be using GOV.UK Verify by April 2016 and the remaining 20 or so to join in 2016/17.

90% demographic coverage

We estimate that GOV.UK Verify can cover approximately 80% of the UK adult population now (up from about 65% at the start of our public beta), and we have plans to increase this to 90% by April 2016.

Since the start of our public beta we’ve seen the introduction of new methods that allow people to prove their identity more straightforwardly and with fewer pieces of evidence. For example, certified companies have implemented new ways to validate official documents so that users with any passport and any EU identity document can use those documents as identity evidence, and new ways to validate payment cards without reference to a user’s credit reference data.

The existing and new certified companies will be adding more data and methods over the coming months, further increasing the demographic coverage of the service towards our 90% target by April 2016.

90% success rate

The success rate is a measure of the proportion of those who try to verify using GOV.UK Verify who succeed (of those who try and either fail or succeed). At the start of our public beta, the success rate was around 40%. It’s now increased to 69% and we’re aiming to increase it to 90% by April 2016.

Success and completion rates for GOV.UK Verify since April 2015, compared with the trend required to achieve 90% success by April 2016
Success and completion rates for GOV.UK Verify since April 2015, compared with the trend required to achieve 90% success by April 2016

There’s been a sustained increase in both the success and completion rates for GOV.UK Verify. We expect this improvement to continue as certified companies continue to improve and expand their services and as new identity providers come on board (see below). On the basis of our progress so far, we’re on track to achieve our target success rate of 90% by April 2016.

The success rate will continue to increase as a result of 3 main factors:

  1. Increasing the range of high quality certified companies - we signed a new framework agreement in March 2015 with 9 certified companies. The four existing providers (Digidentity, Experian, Post Office and Verizon) will be joined by 5 more (Barclays, Paypal, Morpho, Royal Mail and GB Group). The suppliers will offer a wider range of high quality choices for users depending on their preferences and the types of identity evidence they are able to provide.
  2. An increased range of methods and data sources meaning that more people are likely to have the evidence needed for GOV.UK Verify to verify them. For example, at the start of our public beta, most users would need both a driving licence and a UK passport, and to be able to answer questions based on their credit history. Now, because of new methods introduced by certified companies, it’s possible to verify with only one of those two documents, or a range of other official documents from other countries, and without having to answer knowledge-based questions.
  3. Making the service as straightforward as possible for people. We’re carrying out ongoing user research and analysing feedback from users to help us identify and implement improvements that will help increase the success rate.

You can view the latest statistics on the GOV.UK Verify service dashboard on the Performance Platform.

Everyone can use GOV.UK Verify to access services

Work continues to ensure that people who are not able to verify their identity digitally are still able to use digital services. We’re analysing the results of our Basic accounts trial and will post separately about that soon.

A range of high quality certified companies for people to choose from

We’re working with the 9 certified companies - 4 existing and 5 new - to prepare them to onboard their services under Framework 2. We’re about a third of the way through the process, and we’re working to complete all the onboarding gates by January 2016 - we’re making good progress but there is a lot of work for us and the certified companies to do between now and then.

The product and service are scaled, resistant and operationally ready for live

We’re currently working towards a November milestone for technical delivery, which we’re on track to achieve. We’re prioritising work we need to complete to meet our accreditation requirements and to make sure the service is scaled and resilient for the volumes and demands we are expecting at that stage. We’re also aiming to complete work that will help us achieve our April ‘live’ milestone, and working on further defining the scope for the work that’s required beyond November for GOV.UK Verify to be ready for live by April 2016.

If there’s anything in particular you'd like us to include in our next update then let us know in the comments below.

12 comments

  1. Comment by Caroline Miskin posted on

    Significant numbers of people have a non UK passport and no UK photo card driving licence (20% on a straw poll in our office of tax professionals) and cannot use GOV.UK Verify. Some questions are bizarre, people who have never taken out a loan being asked that question and it turned out what was meant was a mobile phone contract!

    • Replies to Caroline Miskin>

      Comment by Rebecca Hales posted on

      Hi Caroline

      Thank-you for your comment.

      As you say, GOV.UK Verify isn't able to verify everyone at the moment. However, we are working really hard to improve the range of methods and data sources in advance of live. Janet mentions above that users no longer always need both a driving licence and a UK passport to verify and non-UK passports can also be used. There are alternatives to those knowledge-based questions, too.

      Thank-you for taking the time to give your feedback. We're working to improve our service and that of our certified companies, so all feedback from users - like yourself and your colleagues - is valuable to us.

  2. Comment by MarkK posted on

    In response to a comment on the objectives in March, nine non-trivial topics were raised and blogs were promised on each. Now that the EU eIDAS implementing acts have been published, could we please hear what progress there is on those topics, not least on the Ombudsman (required by the principles).

    • Replies to MarkK>

      Comment by Janet Hughes posted on

      Hello Mark, thanks for your comment and question.

      Here are some brief updates in the areas you've asked about (some of which we've covered in more detail in other posts - see the relevant categories and tags for those posts):

      We're not aiming to provide level of assurance 3 (LOA3) services before we move from beta to live in April 2016, because there is no service with a confirmed need for LOA3 in our pipeline before that time. We do have provision in our framework for LOA3, so we could implement it as and when a need is confirmed, but it's not currently in our agreed roadmap.

      The hub and certified companies will provide services and support in Welsh before we move from beta to live. (Three of the four existing providers are already offering Welsh language versions of their services, though not with the automated element that you suggested in your comment.)

      We're not aiming to directly accept identities verified in other countries or vice-versa before we move from beta to live in April 2016, as we've stated in earlier posts. However we are working to get ready for doing this after we go live, and we know know you and others are interested in this so we will be sure to post updates whenever we have some news to share.

      Certified companies are responsible, as data controllers, for protecting people's personal data and processing it appropriately and within the law. Certified companies can only use data if there is a legal basis for the data to be used.

      We've been working on the requirement for an escalation point to deal with user concerns that can't be dealt with within the federation, and will be reporting more on our work in that area soon. In the meantime, you may have noticed our post announcing we've created a privacy officer post, and we have posted updates on our work on privacy issues.

      We've now published an updated SAML profile (which I think was the particular document you were looking for at the time but please let me know if not).

      We are not planning to publish a 'false positive rate' as per your suggestion, but the certified companies do have to be independently certified as meeting the required standards for identity assurance (and if not then they are in breach of contract and can be removed from the GOV.UK Verify service).

      We're working to understand the specific needs in relation to users who have a complaint or problem that can't be addressed within the federation of suppliers and government services. Many of these needs are already covered by existing regulatory bodies and systems, but we do need to ensure that the full range of needs is met and we will report here when we have news to share about our plans in this area.

      I hope that helps - we post fairly frequent updates on a wide range of issues and we'll continue to do so, including on many of these issues.

  3. Comment by Neil posted on

    Hi, just a query around the forecasted 90% success rate by April 16. Have you any data to suggest what the sucess rate will be for customers segmented by 'type'- specifically low income families- e.g. those claiming tax credits? Customer in this segment may not historically have had the neccessary documentation / credentials to be able to verify, which is referenced above- for example may not have being able to budget for a holiday abroad (i.e. don't have / need a passport) or those that can't afford the expense of a car / motorbike (hence don't need / have a valid driving licence photo card)- I'm interested in what the success rate forecasts are for this segment of customers is and whether having EITHER a passport (UK or not) OR a driving licence photo card (UK or not) will still be required in the future to verify through one of the existing or new verify providers because these have been the main 'blockers' in the first instance...

    • Replies to Neil>

      Comment by Janet Hughes posted on

      Hello Neil, thanks for the question.

      We and the certified companies are working hard to expand the demographic coverage of GOV.UK Verify so that we can meet the objective of increasing our demographic coverage to 90% by April 2016.

      At the start of our public beta, there was a limited range of ways to verify your identity - if you didn't have a passport, driving licence and credit history (eg a loan, mortgage or credit card), it would have been difficult or impossible for you to prove your identity through GOV.UK Verify. Since then, new methods have been introduced to make it possible for more people to use the service (because a wider range of evidence types can be used in an increasing range of different ways), and to make it more straightforward when you do so. But there is still more to do before we can reach our objectives for April 2016.

      One of the main constraints on our demographic coverage is the types of identity evidence that can be presented. To accept a particular piece of identity evidence, like a passport or driving licence, the certified company has to know that that type of evidence is valuable from an identity proofing perspective. This means there has to have been some identity proofing involved in the issuing of the document or record, so that it can be relied upon as identity evidence to an extent that meets the required standards. So, for example, being on a mailing list for a catalogue is not very valuable, whereas having a passport, driving licence or UK bank account is valuable. There is a range of types of valuable identity evidence not yet accepted by certified companies because they're not yet able to validate the evidence to the required standards. The range of evidence you can present will increase over time, as new ways of validating evidence become available and are introduced by suppliers between now and next April (and beyond). This is the basis of our plans to increase GOV.UK Verify's demographic coverage to 90% by April 2016 - we'll report on progress as we go along.

      We're also working with each service that's planning to use GOV.UK Verify, to make sure we understand as fully as possible the demographics of users of each service, what proportion of their users GOV.UK Verify will work for and what more we need to do to make sure it works for everybody. The more information services are able to give us (and to be clear, we are talking about aggregated, anonymised data about the overall profile of the population of users - not personal data about individuals), the more thoroughly we are able to understand and plan the necessary work.

      Finally, we are supporting work through the Open Identity Exchange to help identify and develop new data sources and methods. For example, OIX is working with Mobile Network Operators and UK banks to see if there are ways they can help validate evidence provided by users and verify their identity, based on user consent and in compliance with the identity assurance principles. You can read about this work on oixuk.org

  4. Comment by MarkK posted on

    Could you please provide the links? The profile at
    https://www.gov.uk/government/publications/identity-assurance-hub-service-saml-20-profile
    from
    https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions
    still appears to be the 2013 one.

    Does Verify claim to be 'low' or 'substantial' assurance under the EU implementing acts?

    • Replies to MarkK>

      Comment by Janet Hughes posted on

      Hi Mark

      The profile itself is the updated one, published on 7 August - the date on the page is the date of its first publication.

      GOV.Uk's status in relation to the implementing acts will be confirmed if and when we decide to notify GOV.UK Verify as a scheme under the Regulation. We expect this decision to be taken next year, and we'll report here when we have news to share about that.

      Thanks again,

      Janet

  5. Comment by MarkK posted on

    Whether UK notifies or not, any public service requiring at least 'substantial' (and one could reasonably assume there will be some) will be required to accept some foreign eIDs using the mandated minimum data set as set out in the annex to the eIDAS implementing acts. Ministerial commitments also suggest the UK leading a much wider interoperability than just that mandated by the EU. The matching data method described in the interface is predicated on using an address, which is not part of the mandated minimum, so registration would systematically fail. It would seem that every such service provider will be faced with a further major and costly fundamental change to their database (and security/error/fraud procedures) to provide an alternative approach in a relatively short timescale (2016 decision, 2018 implementation). eIDAS doesn't just refer to central government service, it will have implications for devolved public services as well.

    • Replies to MarkK>

      Comment by Janet Hughes posted on

      Hi Mark,

      We don't expect services to be in that position. The regulation requirements only apply to services that people outside the UK are actually entitled to use, which reduces the scope of the problem to some extent. Also, all the matching data (name, address, date of birth and gender if provided) is optional - we request that the certified company sends as much of it as they can verify at the required level of assurance. So in the case of an EU ID, we may receive an identity without an address. If the service is not able to match the user to the correct record (eg because an address has not been provided), they can use additional matching cycles (eg they can ask the user an additional question) or they can redirect the user to another channel or process to help them identify themselves to the service, as they would with a UK citizen in the same position. Also services can create new records for new users if there is no existing record for that user.

      Thanks again,

      Janet

  6. Comment by Ian posted on

    Are you able to provide any insight as to how GOV.UK Verify is funded? Is a payment made from government to the relevant company every time a digital identity is successfully created or used?

    Are there any plans to create tools to help people choose which identity provider to use? Where there are multiple suitable providers it's currently very hard to determine who to use.

    • Replies to Ian>

      Comment by Janet Hughes posted on

      Hi Ian, thanks for your questions.

      Certified companies are paid each time they successfully verify someone's identity at the required level of assurance and set up an account for the person to use to access government services. The person can then use their account to access any other service that has adopted GOV.UK Verify.

      If the account is still active after a year, the certified company is paid an annual fee to continue to maintain the account at the same level of assurance - this involves both ongoing checks to verify the identity, and ongoing maintenance of the account.

      Certified companies can decide how to fulfil the required published standards for identity assurance, and they each use different methods to do so. For example, it is possible with some certified companies to use non-UK passports as identity evidence, whereas others are not able to validate non-UK passports; and with one certified company you can authenticate without needing a mobile phone or tablet computer whereas for others you need to be able to use a mobile device. The certified companies are constantly developing their services to offer more, and more straightforward, methods for people to use, and to allow people to use a wider range of identity evidence to prove their identity. We expect the range of methods and approaches to continue to develop quite rapidly over the coming few months.

      We're constantly working to develop the way GOV.UK Verify works to make it as straightforward as possible for users. This includes looking at how we can clearly and effectively give users the information they need to make a choice between the available certified companies. To help you make a choice, GOV.UK Verify asks you a series of questions (such as what identity evidence or mobile devices you have to hand). This helps us narrow down the choice of certified companies to those that are likely to be able to verify your identity, given your answers to the questions.

      You can expect more changes as we continue to progress through our beta and we learn from users' feedback about their experiences of using the service. For example, we're currently working to establish what form the questions might take when we have 9 providers instead of 4 (by January 2016), based on the methods and approaches we expect the certified companies to be using at that point.