GOV.UK Verify allows you to choose a certified company to verify your identity. This federated model - with government setting the standards for identity assurance and certified companies responsible for developing and delivering services that meet those standards - is a brand new approach for the UK government.
Alastair Williamson-Pound, identity provider product manager for GOV.UK Verify, shares some of the challenges involved in working with 9 competing suppliers to deliver a new, standards-based service.
As GOV.UK Verify prepares to go live in April 2016, I’m working with our identity providers to ensure they’re ready to join GOV.UK Verify as certified companies under the new contractual framework. It’s an unusual role: applying generic web product management skills (guiding progress, understanding challenges and optimising output) but with a range of diverse companies as my ‘product’.
Rightly, GOV.UK Verify expects high standards from identity providers that are on their way to becoming certified companies. For example, you can read about how certified companies are assured as safe for people to use as part of GOV.UK Verify and the things those companies need to do to show their service is secure and meets user needs.
The identity providers are under pressure to create a service for users that complies with the standards government has set within an ambitious timeframe: we’ve given them one year to design, test and release a service that solves a complicated problem few others have yet solved. We recognise this and throughout the process they have my support, and that of the wider team here at GDS.
We recently blogged about the new methods some of the certified companies have introduced to give people more ways to prove their identity. These innovative methods allow people to prove their identity straightforwardly with fewer pieces of evidence. Even more methods will be available in the future (without any reduction in the standards required - they are simply using more advanced techniques to make it more straightforward for users to verify their identity within the same standards).
By providing our identity providers with a clear point of contact, they have an open line of communication to discuss any issues around the delivery of new solutions. Commercial sensitivities mean that much of this relationship relies on trust and impartiality. This is at the forefront of my mind when engaging with identity providers. For example, whenever I have any interesting information to share from GDS, I communicate it in general terms and share it with all identity providers at the same time to make sure we don’t give any special advantage to any individual supplier over the others.
Overcoming a variety of challenges
One of the most interesting aspects of working with such a diverse group of identity providers of different services with different backgrounds - from retail to security to finance - is gaining an understanding of the variety of challenges they face. Here are just a few we’ve come across so far.
Each provider brings different capabilities
Each provider has a different history and different capabilities, and all are learning and adapting quickly as they’re in competition with one another in a new market. This diversity is an important feature of our federated approach - it means that between them, the identity providers can provide many different combinations of ways to verify your identity so it’s more likely each user will find a way that works for them.
When you use GOV.UK Verify you’re asked some questions to see which company is likely to be able to verify your identity. You’re then shown the company, or a list of companies, and have the option to click through and read a short description of the identity provider. This is where the identity providers all have the chance to inform users about their unique history and capability.
As product manager, I need to be considerate of these differences, whilst maintaining impartiality and not favouring any supplier. This is where it’s important to put in place structured communications that are relevant, clear and meaningful to all identity providers, regardless of their background.
Understanding the demographics of service users
We’re designing GOV.UK Verify for everyone, not just people who are used to using the web, and it will be used across an increasing range of government services. The identity providers are having to consider the characteristics of the users of different services and the identity evidence they’re likely to hold.
As a result, the providers are each looking at ways of expanding their demographic coverage and making it more likely that each person who tries to verify their identity will be able to do so. In some cases they are focussing on putting in place technical solutions to make it easier for digitally confident users, in other cases the providers are looking to expand the range of types of evidence users can assert, including alternative types of evidence for users without the most common identity documents.
The team at GDS works with the providers to make sure that any new methods they want to introduce meet the required standards and will work effectively for users. Whereas in other parts of our work we might take a more fluid, agile approach, in this case we have a structured, sequential ‘gating’ process. We need to do this so we can be sure we have covered all the right considerations each time, and to make sure we treat all the providers fairly and consistently.
We are constantly learning as new methods are invented, adopted and developed and we need to find ways to effectively and efficiently assess them so that we don’t get in the way of certified companies’ innovation and competition.
Putting users first and constantly improving GOV.UK Verify
Certified companies are paid each time they successfully verify an identity, so there’s an incentive for them to build a simple, clear user journey and constantly improve their service to increase the proportion of users who successfully verify their identity when they try to do so.
The certified companies need to have high quality monitoring, research and reporting around their services to help improve their understanding of user experience. We also collect data that’s useful to the companies and can help stimulate improvement and investment.
We’re developing our approach to sharing performance data with the providers - we want to share as much as we can, but we can’t breach any individual provider’s commercial confidentiality. To strike the right balance, we share benchmarking / averages to help companies understand and improve their own performance. We also publish this data on the performance platform.
We try to take a collaborative approach to our relationship with the certified companies; we’ve procured against a set of standards rather than a specific set of solutions, and it’s in all our interests to constantly develop and improve GOV.UK Verify for users.
We’ve been learning together during our public beta and improving our collective ability to understand what’s working, what’s not, and how to continuously improve the service as a whole for users. It’s a complex task, because there are many different factors at play in each user’s journey so it can be hard to isolate specific problems and opportunities for improvement.
Achieving our ambitious targets for success and coverage will require us all to work and learn together in the context of a competitive market, pursuing the collective goals of increasing success and coverage whilst respecting each company’s need to develop and implement its own individual strategy.
So, what does it really take to be a certified company?
In my opinion, being a certified company involves much more than meeting standards for security and identity assurance. It involves being ready to rise to meet the challenges above head on.
Working with a range of competing identity providers means we see continuous innovation and investment. The identity providers have introduced new sources of data and new methods to make it easier for people to verify their identity, and we’re excited about their plans for more innovation over the coming months.
This adaptability - investing in working on a wide range of solutions that meet the needs of new demographics - and innovation resulting from competition will produce the highest gain, both for GOV.UK Verify’s users and for the certified companies.
To follow our work with identity providers, and receive update on GOV.UK Verify's development, subscribe to the blog.