https://identityassurance.blog.gov.uk/2015/12/03/working-with-identity-providers-as-they-become-certified-companies/

Working with identity providers as they become certified companies

GOV.UK Verify allows you to choose a certified company to verify your identity. This federated model - with government setting the standards for identity assurance and certified companies responsible for developing and delivering services that meet those standards - is a brand new approach for the UK government.

Alastair Williamson-Pound, identity provider product manager for GOV.UK Verify, shares some of the challenges involved in working with 9 competing suppliers to deliver a new, standards-based service.


As GOV.UK Verify prepares to go live in April 2016, I’m working with our identity providers to ensure they’re ready to join GOV.UK Verify as certified companies under the new contractual framework. It’s an unusual role: applying generic web product management skills (guiding progress, understanding challenges and optimising output) but with a range of diverse companies as my ‘product’.

Rightly, GOV.UK Verify expects high standards from identity providers that are on their way to becoming certified companies. For example, you can read about how certified companies are assured as safe for people to use as part of GOV.UK Verify and the things those companies need to do to show their service is secure and meets user needs.

The identity providers are under pressure to create a service for users that complies with the standards government has set within an ambitious timeframe: we’ve given them one year to design, test and release a service that solves a complicated problem few others have yet solved. We recognise this and throughout the process they have my support, and that of the wider team here at GDS.

We recently blogged about the new methods some of the certified companies have introduced to give people more ways to prove their identity. These innovative methods allow people to prove their identity straightforwardly with fewer pieces of evidence. Even more methods will be available in the future (without any reduction in the standards required - they are simply using more advanced techniques to make it more straightforward for users to verify their identity within the same standards).

By providing our identity providers with a clear point of contact, they have an open line of communication to discuss any issues around the delivery of new solutions. Commercial sensitivities mean that much of this relationship relies on trust and impartiality. This is at the forefront of my mind when engaging with identity providers. For example, whenever I have any interesting information to share from GDS, I communicate it in general terms and share it with all identity providers at the same time to make sure we don’t give any special advantage to any individual supplier over the others.

Overcoming a variety of challenges

One of the most interesting aspects of working with such a diverse group of identity providers of different services with different backgrounds - from retail to security to finance - is gaining an understanding of the variety of challenges they face. Here are just a few we’ve come across so far.

Each provider brings different capabilities

Each provider has a different history and different capabilities, and all are learning and adapting quickly as they’re in competition with one another in a new market. This diversity is an important feature of our federated approach - it means that between them, the identity providers can provide many different combinations of ways to verify your identity so it’s more likely each user will find a way that works for them.

When you use GOV.UK Verify you’re asked some questions to see which company is likely to be able to verify your identity. You’re then shown the company, or a list of companies, and have the option to click through and read a short description of the identity provider. This is where the identity providers all have the chance to inform users about their unique history and capability.

As product manager, I need to be considerate of these differences, whilst maintaining impartiality and not favouring any supplier. This is where it’s important to put in place structured communications that are relevant, clear and meaningful to all identity providers, regardless of their background.

Understanding the demographics of service users

We’re designing GOV.UK Verify for everyone, not just people who are used to using the web, and it will be used across an increasing range of government services. The identity providers are having to consider the characteristics of the users of different services and the identity evidence they’re likely to hold.

As a result, the providers are each looking at ways of expanding their demographic coverage and making it more likely that each person who tries to verify their identity will be able to do so. In some cases they are focussing on putting in place technical solutions to make it easier for digitally confident users; in other cases the providers are looking to expand the range of types of evidence users can assert, including alternative types of evidence for users without the most common identity documents.

The team at GDS works with the providers to make sure that any new methods they want to introduce meet the required standards and will work effectively for users. Whereas in other parts of our work we might take a more fluid, agile approach, in this case we have a structured, sequential ‘gating’ process. We need to do this so we can be sure we have covered all the right considerations each time, and to make sure we treat all the providers fairly and consistently.

We are constantly learning as new methods are invented, adopted and developed and we need to find ways to effectively and efficiently assess them so that we don’t get in the way of certified companies’ innovation and competition.

Putting users first and constantly improving GOV.UK Verify

Certified companies are paid each time they successfully verify an identity, so there’s an incentive for them to build a simple, clear user journey and constantly improve their service to increase the proportion of users who successfully verify their identity when they try to do so.

The certified companies need to have high quality monitoring, research and reporting around their services to help improve their understanding of user experience. We also collect data that’s useful to the companies and can help stimulate improvement and investment.

We’re developing our approach to sharing performance data with the providers - we want to share as much as we can, but we can’t breach any individual provider’s commercial confidentiality. To strike the right balance, we share benchmarking / averages to help companies understand and improve their own performance. We also publish this data on the performance platform.

We try to take a collaborative approach to our relationship with the certified companies; we’ve procured against a set of standards rather than a specific set of solutions, and it’s in all our interests to constantly develop and improve GOV.UK Verify for users.

We’ve been learning together during our public beta and improving our collective ability to understand what’s working, what’s not, and how to continuously improve the service as a whole for users. It’s a complex task, because there are many different factors at play in each user’s journey so it can be hard to isolate specific problems and opportunities for improvement.

Achieving our ambitious targets for success and coverage will require us all to work and learn together in the context of a competitive market, pursuing the collective goals of increasing success and coverage whilst respecting each company’s need to develop and implement its own individual strategy.

So, what does it really take to be a certified company?

In my opinion, being a certified company involves much more than meeting standards for security and identity assurance. It involves being ready to rise to meet the challenges above head on.

Working with a range of competing identity providers means we see continuous innovation and investment. The identity providers have introduced new sources of data and new methods to make it easier for people to verify their identity, and we’re excited about their plans for more innovation over the coming months.

This adaptability - investing in working on a wide range of solutions that meet the needs of new demographics - and innovation resulting from competition will produce the highest gain, both for GOV.UK Verify’s users and for the certified companies.

To follow our work with identity providers, and receive updates on GOV.UK Verify's development, subscribe to the blog.

6 comments

  1. Comment by MarkK posted on

    Those of us who read the terms and conditions have a less than positive user experience trying to sign in.
    With no picture driving licence, the only option identifies itself as
    "Experian Information Solutions, Inc." (US)
    whose privacy statement says
    The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area
    ...you will not be permitted to cancel the Identity Service under the Consumer Protection (Distance Selling) Regulations 2000.
    All communications between us will be conducted in the English language.
    you may have the right to refer your complaint, free of charge, to the Financial Ombudsman Service.
    We will not notify you individually of any changes in these Terms and Conditions. It is therefore important that you check these Terms and Conditions regularly and in particular on each occasion when you use the Identity Service.

    Those with a picture licence can use
    https://auth.digidentity.eu/terms_and_conditions/gb at Waldorpstraat 17 P in (2521 CA) The Hague
    You enter into a contract with us as soon as you apply for an identity account on our website, irrespective of whether and when the identity account is activated
    The contract entails obligations of effort for us and shall not be interpreted so as to include an obligation of result for us.
    we may compare and check your data to any database (public or otherwise) to which we have access.
    your personal data will be processed according to the Dutch personal data protection act
    our liability shall be limited to the usual and foreseeable damages with a maximum of € 500,-. We shall not be held liable for any business damages, if you have used the identity service in your capacity as a consumer.
    The contract and the terms and conditions are governed by Dutch law

    Or https://auth.myprofile.postoffice.co.uk/register whose certificate is signed by...
    CN = Digidentity Organisatie CA - G2 O = Digidentity B.V. C = NL

    http://www.postoffice.co.uk/terms-of-use is generic for the post office, not specific to verify.
    We may change our Privacy Policy from time to time. Any changes will be published on our website which can be accessed at any time.
    Curiously, Rydwi wedi darllen a deall telerau ac amodau Post Office. "I have read and understood" points to the English terms and conditions.

    Dewiswch enw defnyddiwr helpfully explains that
    Your username can only contain letters, numbers and dashes
    Your username must contain at least 6 characters

    However, http://www.tscheme.org/directory/formerregapps.html
    shows that Post Office has withdrawn from getting tScheme approval.

    Lastly, https://securemylogin.co.uk/profile/register?execution=e1s1
    is showing as being in L = Basking Ridge ST = New Jersey C = US
    offers no terms and conditions nor privacy statement and no indication how it can comply with UK data protection law.

    FAQ offers
    5.5. Is my Verizon account available in other countries besides UK.
    You can access UK Government services from other countries but some locations may be blocked for security reasons.

    • Replies to MarkK>

      Comment by Janet Hughes posted on

      Hi Mark

      Thanks for these comments.

      The providers are introducing new methods, and new providers are joining, between now and April. That means there will be a wider choice of providers able to verify your identity using a range of methods and types of identity evidence.

      We'll look into the specific issue you've raised about Welsh and English language in the Post Office terms and conditions - thanks for pointing that out.

      Post Office uses the same system as another provider which has been t-Scheme certified. We've agreed that there is no need for a second certification of the same system unless and until Post Office introduces anything that is different in its system for verifying identities, in which case that would need to be separately certified.

      The providers are all refreshing their terms and conditions as part of their transition to the new contractual framework so you can expect to see some changes in the coming weeks.

      Thanks again,

      Janet

  2. Comment by Mark A posted on

    So - a general question.

    With a Windows phone I tried to apply for verification but could only use the non smart phone route. Why is Windows not supported?

    I tried two certified companies. In both sets of knowledge questions I failed, although the answers I gave were correct to my current knowledge (although whether they were correct at the time the assurance provider got the data from the relevant financial institutions I don't know).

    Finally, and most worryingly, I applied for a credit card and they required certified proof of identity (something I have NEVER been asked for before trying to verify). So my specific question is, has trying to verify and failing left me worse off in identity assurance terms than if I simply had not bothered?

    Thank You

    • Replies to Mark A>

      Comment by Rebecca Hales posted on

      Hi Mark

      Thanks for getting in touch.

      GOV.UK Verify is in public beta, which means it's being constantly expanded and improved based on user feedback. Each of the certified companies is developing their own solutions and, currently, the two biggest operating systems are supported. There's an option to receive security codes via landline or SMS, or to verify without using an app, if your smartphone is not supported.

      Certified companies use your credit reference file to create questions the answer to which only you are likely to know. If your balances or details have changed recently, the information on your credit reference file may not yet have been updated. You may wish to obtain a copy of your credit file to check for any errors or out-of-date details. You can do this by contacting an online credit reference agency.

      Using GOV.UK Verify won't have left a mark on your credit file or affected your record. There will be what’s called a ‘soft marker’ left on your credit file, showing that the certified company referred to it for the purposes of verifying your identity. The marker will only be visible to you, not to those checking your file, and won’t affect your credit rating.

  3. Comment by MarkK posted on

    The impression has been given that not only are the IdPs independent of Government (if we ignore the Post Office's shareholder), but also of each other. That isn't the case; terms and conditions and public announcements indicate that Barclays uses Verizon, Royal Mail uses CitizenSafe, and the Post Office uses Digidentity. So if a user signs up for one and a spare (as the multiplicity principle recognises as a legitimate thing to do), the taxpayer pays twice yet the user gets no added benefit if an outage in one takes down the other, as verifystatus.digital.cabinet-office.gov.uk indicates happened on 17th and 22nd March.
    Presumably it's not entirely brand engineering, but it does appear unfair on the other providers that some underlying services appear twice.

    • Replies to MarkK>

      Comment by Rebecca Hales posted on

      When you need to prove who you are in order to access a service on GOV.UK, you can choose who you’d like to verify you from a list of certified companies, all of which are separate from government. A Certified Company is a private company that works to stringent industry and government standards when they verify your identity.

      The data sources and method of verification are up to the certified company and while, as explained in their terms and conditions, some companies currently use the same data sources, all of the services will be improved and expanded in future meaning that users will benefit from an increasing number of ways to prove who they are, securely and straightforwardly and entirely online.

      While there is some re-use of services, this is limited contractually under Framework 2 and, as such, the exposure is limited. The contract ensures that an outage in one supplier will never affect more than a minority of the certified companies.