Saturday, 9 July 2016

RIP IDA – openness closes as Verizon bolts again and penetration becomes a mystery

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
The Government Digital Service (GDS) continue to promote GOV.UK Verify (RIP) to central government departments, local government and the private sector.

GOV.UK Verify (RIP) has its own dashboard on the GOV.UK performance platform. Yesterday, GDS published a blog post, Improving our reporting, announcing certain changes to the dashboard.

Openness
The GOV.UK Verify (RIP) dashboard has always listed the "identity providers" contracted to GDS. In the name of "improving our reporting", that list has been dropped. Its omission is not mentioned in the Things we’ve removed section of yesterday's blog post.

Why not?

Possibly because GDS have lost one of their "identity providers". Verizon have gone missing again. If you tried to create a GOV.UK Verify (RIP) account for yourself at 00:30 this morning you were advised by GDS that "3 companies can verify you now" – digidentity, Experian and the Post Office. You were also advised that "we’ve filtered out 4 companies, as they’re unlikely to be able to verify you" – Barclays, CitizenSafe, the Royal Mail and SecureIdentity.

What confidence can central and local government and the private sector have in GOV.UK Verify (RIP) when GDS themselves tell applicants that only three of their "identity providers" work? And when GDS fail to make an announcement that one of their "identity providers" has gone missing.

Penetration
GDS have always maintained that their objective is for GOV.UK Verify (RIP) to be capable of registering at least 90% of the population. That was one of their conditions for declaring GOV.UK Verify (RIP) to be "live".

The goalposts were moved in May 2016 when GOV.UK Verify (RIP) was declared "live" even though the account creation success rate still languished 20% adrift on about 70%.

The goalposts have now been entirely removed – "We’ve taken 3 measures off the service dashboard: ‘Authentication success rate’; ‘Account creation’; and ‘User sign in’ ... None of these measures tell us or the user much about how well GOV.UK Verify [RIP] is performing ...".

Central government, local government and the private sector may disagree. GDS were right the first time. The account creation success rate is an important indicator. It told everyone a lot about "how well GOV.UK Verify [RIP] is performing" and its omission from the dashboard now, far from improving GDS's reporting, is a serious warning.


3 comments:

Anonymous said...

ICYMI - the Feds have apparently scrapped further development of Connect.gov. Reading between the lines of their statement that: "we want to give the users choice but will be providing a government account option and manage that securely" it might seem that the security issues of private sector identity verification were troublesome for them.

They name-checked GOV.UK Verify, at least to acknowledge 'lessons learned'. Their planned development is to be based on 'strong authentication' - which if it meets NIST's assurance levels will need to be more robust than we can get through GOV.UK Verify currently.

What do you think this will mean for GOV.UK Verify? Are we blazing a trail for others to follow, or charging in where others won’t follow?

http://www.secureidnews.com/news-item/feds-scrap-connect-gov/

David Moss said...

Thank you very much for your comment, Anonymous @ 17:54 on 11 July 2016, and for the link.

What does the cancellation/curtailment of connect.gov mean for GOV.UK Verify (RIP)?

I suppose it's one more bit of not good news:

• Four academics reviewed the security of connect.gov and GOV.UK Verify (RIP) and detected the same weaknesses in each.
• GOV.UK Verify (RIP) has trouble selling itself to either central or local government.
• Does GOV.UK Verify (RIP) abide by GDPR? We don't know.
• Or eIDAS? Ditto.
• It can't register legal persons, only natural persons.
• The payments industry doesn't seem to be interested.
• And now there are questions about GOV.UK Verify (RIP)'s ability to help with international anti-money laundering efforts.
• GOV.UK Verify (RIP) can't possibly provide the one, single UK identity assurance platform promised.
• And that raises questions about our Government as a Platform strategy for public administration.

Not healthy.

Anonymous said...

UK Verify 5 years in and no plans to meet that core functionality of GG to support business interactions online. GG still going after 15 years and minimal investment - and originally designed and delivered in a matter of months. How will UK Verify stack up in 2026 after 15 years, I wonder?

Post a Comment