https://identityassurance.blog.gov.uk/2015/10/20/making-gov-uk-verify-available-to-more-people/

Making GOV.UK Verify available to more people

We want to make sure that the people who are expected to use GOV.UK Verify can do so. Our target for demographic coverage by ‘live’ is 90%.

When we set that objective back in March 2015, GOV.UK Verify could only cover about 65% of the UK adult population. Since then, our demographic coverage has increased to 80%. Here we share some of the latest developments that mean more people are able to use GOV.UK Verify to access government services online.

When you use GOV.UK Verify, a certified company of your choice asks you for evidence to prove your identity, and carries out a range of other checks to verify that it’s really you and not someone pretending to be you.

Certified companies can validate different types of identity evidence

At the start of our public beta, it was only possible to verify your identity if you had a passport, a driving licence and a credit card or loan. You also had to answer questions based on your credit history. This meant our demographic coverage was limited to those with a photocard driving licence issued in Great Britain, a UK passport, and a credit card or loan.

The certified companies have been building and adopting new methods to give people more ways to prove their identity and extend the demographic coverage of GOV.UK Verify. For example, because of advances in the way certified companies are able to validate identity evidence, it’s now possible to verify your identity using a wide range of identity evidence, including any passport, any EU identity document, and any bank account or payment card.

Certified companies are now able to validate a wider range of payment cards, so that people can use them as identity evidence. Previously, certified companies relied mainly on checking details provided by users against credit reference agency files. They can now use methods developed for online payments to check an electronic payment card directly with the issuing authority. This means that their coverage of payment cards is higher, because almost all types of card that can be used as identity evidence can be validated in this way.

You don’t need as much evidence to prove your identity

Whereas previously you would often need 3 pieces of evidence to prove your identity, now  you will often only need 2 pieces of evidence. This is because certified companies have developed stronger ways to validate each piece of evidence, so they can reach the required level of confidence that the identity really exists with fewer different pieces of proof.

You can take a photo of yourself instead of answering questions based on credit history

Certified companies have to establish that the identity you’re asserting really belongs to you. At the start of our public beta, certified companies did this by asking you questions only you are likely to know they answer to, based on credit reference agency files. So as part of the process of verifying your identity, you would have to answer questions about credit cards, loans or mortgages in your name.

Now, GOV.UK Verify also works for people who don’t want or aren’t able to answer questions about their loans, credit cards or mortgages, or who don’t have enough financial products on their credit file to serve as a basis for security questions.

If you have a smartphone or tablet and a UK passport, you can now - with 2 of the companies - verify your identity without answering questions about your credit history. Instead, you can use an app to scan your identity document and take a photograph of yourself, so the images can be compared. The certified companies built this capability for GOV.UK Verify, to give more options for users and make it more straightforward for more people to use GOV.UK Verify to access services.

More ways to sign in - you no longer need a mobile phone

Certified companies are required to give users a strong credential, including a second step to protect you against your credentials being stolen or compromised. The second step means that even if someone steals your username and password, they can’t easily use them because they aren’t able to complete the second step.

At the start of our public beta, the only way to complete the second step was to receive an SMS code on your mobile phone. This meant that to use GOV.UK Verify, you needed to have a UK-registered mobile phone and be somewhere with a mobile phone signal, so you could receive a code by text message each time you signed in using GOV.UK Verify.

Now, when you sign in to a service using GOV.UK Verify, you can now choose to use an app to generate a security code or to receive a security code on your landline phone, rather than waiting for a text to arrive, so you don’t need a mobile phone or to be in an area with a mobile phone signal. This means more people are able to use GOV.UK Verify’s secure sign-in credentials.

What’s next?

The next three months will be an exciting time for GOV.UK Verify. Our existing certified companies will be continuing to improve and expand their services, and new certified companies will be joining the service, each bringing their own combination of methods and approaches.

6 comments

  1. Comment by Steve posted on

    The link to 'How we're working to increase the range of data sources available for GOV.UK Verify' doesnt work

  2. Comment by MarkK posted on

    It's now three months on, and not all of the proposed providers are tScheme applicants, indeed none seems to be approved and online. The new data sources to be announced 'soon' in 2014 haven't been. No update of any sort was provided at this month's OIX meeting (today). There is no recruitment for Ombudsman and staff. Could we please have an update on delivery plans/gates?

    • Replies to MarkK>

      Comment by Rebecca Hales posted on

      Hi Mark

      As we have previously mentioned on the blog, the new certified companies will connect before GOV.UK Verify goes live in April so they - along with the variety of data sources and methods of verification they bring - will be joining us soon.

      Regarding tScheme accreditation, the certification process for certified companies is described here:

      https://identityassurance.blog.gov.uk/2014/12/11/what-it-means-to-be-a-certified-company/

      All of the companies will have been audited before they are able to connect. The final stage will be an audit to check that the service is operating correctly. This can only be done once the service is connected.

      All certified companies are obliged to implement a complaints process, which is reviewed by GDS as part of their onboarding. We think the current arrangements for dispute resolution are adequate based on what we've learned so far and at this time we do not expect to need to recruit an individual to fulfil that function. However, we are doing some work on this now to review the dispute resolution arrangements ahead of going live. When we have more news to share, we’ll post it here.

  3. Comment by MarkK posted on

    The anonymity designed into this system means that neither a person whose identity has been usurped nor the government service provider(s) has any idea which (or how many) of the providers is making this false positive and allowing someone else to masquerade as them. The privacy principles are clear that there needs to be someone to whom they can turn for help to correct such errors. Based on the levels of falsely issued passports, you should be expecting tens of thousands of such cases (including some malicious false claims), and the data protection challenges are significant. Perhaps a system-level privacy impact assessment will make it all clear.

    • Replies to MarkK>

      Comment by Rebecca Hales posted on

      Hi Mark

      GOV.UK Verify is designed to help protect users against identity fraud. The identity proofing standards (https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions) which all certified companies are contractually required to meet have been designed to take into account risks like this.

      For Level of Assurance 2 the certified companies have to meet 5 different elements. These elements are designed to mitigate the risks you mention as well as a range of other risks to give a high level of assurance. For elements A and B (validated evidence that the identity exists), the certified company never relies on a single piece of identity evidence and performs rigorous checks against the evidence provided.

      If an individual experiences problems then they can, in the first instance, raise concerns with a certified company. People can also contact the Cabinet Office directly for support and help in resolving issues.