What is identity assurance?

801

Identity assurance is a new service that will give people a secure and convenient way to sign in to government services.

Why we need identity assurance

The 25 exemplar services (the government services that make up the digital transformation programme) will make it possible to do a range of things you can’t easily do online now; like register to vote, view your driving record or tax details, apply for an apprenticeship and manage your student loan.

When you use these services, you want to be confident that someone else can’t sign in pretending to be you, see your sensitive personal records or use your identity to make fraudulent claims. You want to be confident that your data and services are secure and your privacy protected.

The government departments providing these services need to verify your identity to make sure the right people are accessing the right information. That’s why we’re building the identity assurance service.

How we will provide user choice, control and privacy

When you’re using digital services you want to be sure that your privacy is being protected and your data is secure.

We’ve been working for the last three years with our Privacy and Consumer Advisory Group to help make sure we’re designing a service based on user choice, control and privacy.

Last summer the group published a draft set of identity assurance principles to make sure the service is designed and operates in a way that is transparent, protects your privacy and gives you control over how your data is used. We will  be publishing a document in the next few weeks explaining in detail how we’ve designed the service to reflect the principles.

Who will verify your identity

When one of these digital services needs to verify your identity, you’ll be directed to a page on GOV.UK where you’ll be asked to register with an identity provider. If you’ve already registered, you can just sign in.

Identity providers are organisations paid by the government to verify people’s identity so they can sign in securely to government services. Identity providers will have to meet industry security standards and identity assurance standards published by the Cabinet Office and CESG (the UK’s national technical authority).

There are currently 5 identity providers – Digidentity, Experian, Mydex, the Post Office and Verizon – eventually there will be more. You can choose to register with more than one of them, and you can stop using an identity provider at any time.

Why we’re using identity providers

There are 5 main reasons why we’re using identity providers rather than doing this work within government:

1. user choice – you will be able to choose your identity provider(s) and stop using a provider if you want

2. no centralised identity database – instead, to protect users’ privacy, each identity provider will be responsible for securely and separately holding data about the users that have registered with them. Each government department service will only have access to the data it needs.

3. security – using several identity providers is more secure and less vulnerable; there is no single point of failure and no single service that holds all the data in one place

4. developing a market – we’re giving identity providers freedom to design services to meet the standards. This will allow them to develop services that can be used by the wider public and private sector, which will help to reduce costs.

5. making the most of available technology – the technology and methods for identity verification are constantly evolving; specialist private sector organisations are better placed than government to keep up with these developments

Identity providers will have to operate according to strict security and operations standards, to protect users’ security and privacy and to make sure the required standards are met.

How the identity assurance process works

Your chosen identity provider will ask you for some information that helps establish that you are who you say you are. No single piece of information is sufficient to achieve the required standards; they will need to ask you for a range of information.

Identity providers will check to make sure information you’ve provided is valid and genuine. Your chosen provider will be able to send your passport and driving licence details to the government agency that issued them to ask if they match a valid record. Identity providers will also be able to check databases of known fraudulent documents, including police databases. They won’t have access to confidential information held about you by other government services. They can check other records they have access to from within the private sector, like information from credit reference agencies.

One of the benefits of the new service is that most people will be able to complete the registration process online, without having to wait for documents or instructions to be sent in the post as happens with existing services like Government Gateway.

We’re working with the identity providers to make sure that people who don’t have specific official documents like a passport or driving licence will still be able to achieve the required level of assurance through other means.

Once the identity provider has verified your identity, you will be given a secure means of signing in.

Different levels of assurance for different services

Some services don’t need to know who their users are. If you want to order a document, the service provider only needs to know where to send it. Other services will need to be more confident that you are who you say you are; for example, if you’re going to be able to see sensitive personal details, or make a claim for payment.

Each service will assess risks by considering things like whether sensitive data can be seen and whether money transactions take place, in order to decide what level of identity assurance they need.

The guidance on how to assess risks to online services is published on GOV.UK.

Identity assurance will initially be available for services that need to be confident that a user is who they say they are to ‘level of assurance 2’ according to the published guidance. This is a moderate level of security, more than just a basic check, and enough to be able to access quite a big range of services.

What’s next

By March 2014, we will be in private beta and the first users will be able to use identity assurance to sign in to a government service. The private beta is the first version of the service, available to a small number of selected users so we can test and develop it further.

The private beta will initially include two exemplar government digital services – HMRC’s PAYE and DVLA’s view driving record service. These services will use identity assurance to allow about 2,000 users to sign in securely. We’ll use the private beta to learn from our first users’ experiences and continue to develop the service. From April onwards, we’ll start adding more services and more users.

We’ve been blogging about our work on the GDS blog and more recently on our own identity assurance programme blog. We’ll be producing a lot more posts over the coming weeks and months; looking at different aspects of the service, sharing what we learn from the private beta, reporting on our ongoing user research and hearing your feedback.

We have a range of topics we’re planning to post about, and we’re keen to answer questions like the ones Paul Clarke posed in his recent post. If you have any issues you want us to cover please let us know.

Follow Janet on Twitter and don’t forget to sign up for email alerts.


You may also be interested in:

Identity Assurance: First delivery contracts signed

Advisory group publishes identity assurance principles for consultation

Identity Assurance: Maintaining Good Practice