https://identityassurance.blog.gov.uk/2015/12/14/the-basis-of-trust-for-eu-identity-assurance/

The basis of trust for EU identity assurance

GOV.UK Verify has a part to play in making online public services more efficient and more secure across the European Union. This blog post is part of our series discussing the EU approach to identity assurance and is for anyone interested in developments in this area.

Last month we blogged on the EU approach to identity assurance and how EU countries’ identity assurance systems will work with each other. This post is about the approach to establishing trust between different national systems that supports that method and allows the overall system to work.

This trust is based on two things: outcome-based levels of assurance and a notification / peer review process.

European levels of assurance

The identity’s ‘level of assurance’ is a way of describing the degree of confidence the identity provider has that a user is who they say they are. The agreement between Member States on a common definition of these various levels of assurance means that for the first time, there is clarity across Europe about how to measure how sure an identity provider is about the identity of a citizen. In the UK, we will comply with these rules by mapping our levels of assurance against those detailed under the Regulation.

These European levels of assurance are ‘outcome based’. This means that each Member State can meet the required level in different ways, according to its own national laws and preferences. For example, a high level of assurance may include a requirement to perform counter-fraud checks, but the legislation does not detail exactly how these checks should be done.

The ability of Member States to meet these level-of-assurance requirements in any way they deem fit strongly supports GOV.UK Verify’s approach of having several companies all working to the same standards. It also means digital service providers can be confident that users have proved their identity to the same level, whatever system they’re using.

Notification and the peer review process

But how do we know we can trust the digital identity systems of other Member States? The answer to this is through the formal notification and peer review process that has been agreed across the EU.

Before a Member State’s digital identity scheme can be used to prove an identity in another country, the scheme must be officially ‘notified’. This process requires the Member State running the digital identity scheme to explain to other Member States the details of how the scheme works - this process is outlined in this piece of EU legislation on notification.

Once a scheme has been notified, other Member States will conduct a peer review of the notified scheme. They will analyse the notified scheme to ensure it complies with the interoperability framework and meets the required levels of assurance. After the peer review process the scheme can link up to the system of national nodes and start to transfer identity information when a user wants to access a service across borders. Our recent blog on the EU approach gives an overview of what this means.

The UK will be involved in these peer review processes to help ensure that the digital identity schemes of other Member States meet the required levels of assurance, and to share insights that may inform the development of GOV.UK Verify.

The decision on whether to notify GOV.UK Verify will require careful analysis. We’re currently considering the risks and benefits of doing so. When a decision has been made and we have a plan in place, we’ll publish an update on the blog.

For the latest news on GOV.UK Verify and the EU approach to identity assurance, subscribe to the blog.

2 comments

  1. Kenneth MacArthur

    "The decision on whether to notify GOV.UK Verify will require careful analysis."

    This is disappointingly unenthusiastic! After all these excellent blog posts explaining the EU's approach to identity assurance, it would seem bizarre if GOV.UK Verify wasn't notified.

    Why not say, "It is our intention to notify GOV.UK Verify in due course, and we are currently examining any risks of doing so and how to mitigate these"?

    • Luke Reynolds

      Hi Kenneth, thanks for your comment. It’s good to hear that you’re as enthusiastic about GOV.UK Verify as we are.

      Over the last few years, we have worked carefully with our partners in the EU to ensure a European approach to identity which works with what we’re doing in the UK with GOV.UK Verify (a federated approach with outcome-based assurance levels).

      Now that the rules are in place, we can make a fuller analysis of the risks and benefits of notification. For example, in order to make such a decision, further consideration is needed of how to ensure an effective user journey for someone hoping to use GOV.UK Verify abroad under eIDAS.

      We remain positive about doing that work, and are running a discovery inside the programme in early 2016 to give further consideration to these questions. However, it wouldn’t be right to commit to notifying GOV.UK Verify under eIDAS without doing that thinking.
