Saturday, 28 May 2016

Government Gateway 1 - 0 GOV.UK Verify (RIP)


18 April 2016, RIP IDA – it tolls for thee:
In the lethal custody of the Department for Work and Pensions (DWP), the Government Gateway has been neglected for years. Now someone seems to have paid it a bit of attention. An innovation, it sent DMossEsq's mobile phone a one-time password when he logged in to take a look at his personal tax account.

We have suggested recently [1 April 2016] that the Government Gateway should be taken away from DWP and given to HMRC. Perhaps it has been.
24 May 2016, Don't tell the Cabinet Office: HMRC is building its own online ID system.

25 May 2016, HMRC plans extra authentication channel.


The Government Gateway has provided us all with on-line access to public services in the UK for 15 years and more. From its very inception, the Government Digital Service (GDS) decided to send this decent workhorse to the knacker's yard. Happy to destroy value like this, wantonly, the identity assurance committee at GDS promptly designed a camel, GOV.UK Verify (RIP).

Her Majesty's Revenue and Customs (HMRC) can't use GOV.UK Verify (RIP) to transact their business. It doesn't work. And as we now know, HMRC are designing a successor to the Government Gateway. Call it "G2".

Let's hope that when you open a G2 account you don't find that all your personal information is broadcast to a gaggle of companies you have barely heard of. Or never heard of. Companies like Equifax, ID Checker, Zentry LLC, Techmahindra Ltd and Expert Solutions Support Centre.

You wouldn't think it was necessary to say that to a responsible department of state. But that's exactly what happens, thanks to GDS, if and when you open a GOV.UK Verify (RIP) account using Verizon as your "identity provider". All these companies and more get your personal information, goodness knows where in the world they keep it and who has access to it, but one thing's for sure, you have no control over it.

If G2 works, will there be any point in retaining GOV.UK Verify (RIP)?

You may think that the matter is debatable. GDS do not. There's nothing to debate, according to GDS. There shouldn't be multiple systems all across government putatively doing the same job, GDS say. There should just be one. Anything else is wasteful and aesthetically displeasing. Whatever you think, GDS must regard G2 as the end of GOV.UK Verify. RIP.

----------

Updated 19.2.17

1 April 2016, DMossEsq suggests that the Government Gateway should be taken away from DWP and given to HMRC.

26 January 2017, whaddya know, you read it here first, the Government Computing website tell us HMRC readies replacement Government Gateway system for 2018:
HM Revenue and Customs (HMRC) has confirmed it has taken over responsibility to decommission the Government Gateway service with an eye to implement an in-house replacement solution intended to provide secure access to services for “business, agent and individual customers”.
The Government Digital Service (GDS) have always said they were creating a market in identity assurance. In the market, their service, GOV.UK Verify (RIP), has lost out to the Government Gateway. Given the choice, millions more people opt for the Government Gateway than for GOV.UK Verify (RIP). In the market, that would be the end of the story ...

... but this is a funny market:
... Cabinet Office will require other departments to use GOV.UK Verify [RIP] for any citizen-facing services where customers need to prove their identity,” said the department in a statement."
GDS believe they can force everyone apart from HMRC to use GOV.UK Verify (RIP):
  • Will the NHS play ball?
  • How about DWP?
  • Or Scotland?
  • They can't force Companies House to use it – uselessly, GOV.UK Verify (RIP) can't verify the identity of companies.
  • Local government? Will they put up with second best just to help hide GDS's shame? Why should they risk this imprudence? They might find themselves breaking the law if GOV.UK Verify (RIP) doesn't comply with the EU's General Data Protection Regulation (GDPR). And can local government afford to wait 400 years for GDS to be ready?
  • It only offers low-to-medium security, according to Government Computing (maybe not even that), and even its own supporters warn against wildly unrealistic expectations for GOV.UK Verify (RIP).
It has been suggested that GOV.UK Verify (RIP) could help with age-verification, c.f. the government's promise to make it hard for younger people to watch pornography on the web or to gamble or buy cigarettes.

How?

GOV.UK Verify (RIP) is only recommended for people over the age of 20:

Step #8 in the "user journey" you undertake when you try to register with GOV.UK Verify (RIP)

That last question will remind the alert reader – what about eIDAS?

Good question.

eIDAS is the EU's regulation on inter-operable identity management, one country's electronic IDs being accepted by another's. GOV.UK Verify (RIP) doesn't comply. Not good enough for HMRC, GOV.UK Verify (RIP) isn't good enough for other countries either. Why should it be good enough for Warwickshire? Or Brighton and Hove?

No comments:

Post a Comment