GOV.UK Verify certified companies must check a range of evidence to establish that it's really you when they verify your identity for the first time. There are 5 elements involved in confirming that the person being verified is associated with the identity they are trying to verify. These elements are part of our Identity Proofing and Verification (IPV) standards (detailed in our Good Practice Guide 45).
There are a variety of ways to meet the requirements of these 5 elements. This blog post focuses on the requirements of Element C (which establishes a link between a person and their identity), the methods currently available to do this and how the private sector is helping us prepare for the future. More specifically, we’ll be looking at one of the most common ways of meeting Element C: knowledge based verification (KBV).
Knowledge based verification - where are we now?
Knowledge based verification (KBV) involves asking the user a range of questions only they would know the answer to. In the GOV.UK Verify journey, the certified company can generate these questions from a range of data sources. The certified company then checks whether the user’s answer matches the data held on their records relating to that claimed identity.
Although KBVs are not the only method GOV.UK Verify’s certified companies use to meet the Element C requirement, they are commonly used. However, there are further innovative data sources and methods currently being explored in the private sector that would be both secure and convenient for GOV.UK Verify users.
Therefore, we are working with the Open Identity Exchange (OIX) to launch a new project with the aim of identifying other methods that also meet the KBV requirement of Element C for the Verify federation. We are inviting the market to submit proposals to help us explore what alternative, additional or complementary data sources are being used in the market for KBVs.
Safeguarding our users’ identities
We are committed to continually improving our users’ experience whilst also keeping their identity secure. Effective KBVs require a balance between making the questions difficult enough that imposters can’t guess the answers, but not so hard that the owner of the identity cannot answer the questions themselves.
Therefore, when it comes to improving our protection against identity fraud for users, the solution isn’t as simple as merely making KBV questions harder. Identity fraud is a fluid and ever-changing threat and we’re always looking at how to help keep our users secure.
Our joint project with OIX is therefore focussed on being proactive when it comes to developing threats, so we’re seeking more sophisticated solutions from the market now.
New solutions must meet the same requirements KBVs do in the Good Practice Guides. So, proposals should consider that:
- A user’s information needs to be (reasonably) private and hard for a fraudster to find out. To solve this we need to explore new data sources that are not commonly used elsewhere, and try to ask people questions about things they do not normally discuss publicly online. Greater use of dynamic questions (based on data that isn’t old) will help too, because the data they are based on must vary often, which makes it difficult to predict and limits the usefulness of compromised data.
- They prevent imposters from using the service if they have stolen identity documents, such as from a stolen wallet or a dump of information from a previous cyber attack. This means we need multiple sources of data and to react to leaks from cyber attacks worldwide.
- Certified companies need to have data and methods to ensure criminals can’t easily access other people’s accounts. For example, organised cyber gangs may attempt to familiarise themselves with answers to KBV questions through large scale and repeated attacks.
As the technology and methods behind identity theft grow, we too iterate and develop our own to tackle this threat.
Achieving a straightforward yet secure user experience that improves upon what KBVs currently provide requires collaborative innovation from the market. We’re asking companies or other organisations to get involved and share existing solutions or ideas that meet Element C requirements.
Our joint project with OIX aims to help us understand what alternative, additional or complementary data sources are currently being used, or could be created, in the market so we can explore their viability within the Verify federation.
If you’re interested in hearing more about the project, or in submitting a proposal to improve KBVs, please visit the OIX website.
Comment by MarkK posted on
How can the holders of the personal information possibly provide it (or even respond to a check) for purposes other than that for which it was collected, or use it to respond to queries from people whose identity - by definition - you have not yet established and thus from whom you have no consent to demonstrate to the data controllers?
There may be case-by-case over-rides of the principles in DPA (and GDPR) for fraud investigation and for emergencies, but neither of these applies for the general case. What is the legal basis for the envisaged sharing?
Comment by Emily Ch'ng posted on
Thanks for your questions. These are certainly the kind of considerations that are a core part of the evaluation process for this project. The actual conditions will be heavily dependent on the proposals brought forward.
You can check in on the OIX website to keep up to date with how the project is progressing, as all our OIX projects are run openly and transparently.