We need to make sure that GOV.UK Verify is protected against rapidly developing fraud and information security risks, to protect people's privacy and security. There are a range of ways we do this - this post is about the work we do to set guidance on how a government identity assurance system like GOV.UK Verify should work (the standards are generic, not specific to GOV.UK Verify).
Setting good practice standards
Experts in the GOV.UK Verify team have helped create the good practice guidance for identity proofing and verification and online authentication for UK government digital services - these documents are jointly published by Cabinet Office and CESG, The National Technical Authority for Information Assurance.
The good practice guides have been designed to mitigate a range of specific identity fraud risks. We keep the good practice guides constantly under review, and update them regularly to make sure they reflect the evolving and changing nature by which identity fraudsters look to undertake their criminal behaviour. This includes working across government and with law enforcement partners who have a current understanding of the potential threats to the delivery of online services.
GOV.UK Verify has been built to meet these standards, as we explained in this post that sets out what GOV.UK Verify certified companies have to do to verify someone's identity.
Working with international organisations on standards
In developing the good practice guidance for identity assurance, we work with organisations in the public and private sector in the UK, Europe and internationally to make sure that the standards we develop for the UK remain relevant for the UK and in an international context and continue to be effective in mitigating rapidly developing threats and risks.
This work covers identity proofing and verification, authentication, and biometric standards in the EU (with the European Electronic identification and trust Services Regulation) and internationally (with the International Organisation for Standardisation).
Assessing methods and data sources used by certified companies
The team is involved in the process certified companies go through to join GOV.UK Verify, advising them and assessing their proposed solutions to ensure that the service that they deliver meets the needs of our users in line with the required standards and good practice guides.
For example, we provide expert advice on how specific sources of data or pieces of identity evidence may be used within the standards to achieve the required level of identity assurance for GOV.UK Verify.
Certified companies are working to introduce more innovative ways to prove your identity through GOV.UK Verify. We expect this trend to continue and increase as more certified companies join GOV.UK Verify and the UK’s economy around identity services evolves. We are constantly developing our capability to assess the performance and security of new data sources and methods before they are implemented, to make sure they meet the required standards and are safe and secure for users.
If you’re one of the few people in government who is working on these issues and not already in touch with us, please do email us and we'll be happy to talk about how we can work together.