Monday 31 August 2015

RIP IDA – as tactfully as possible, the intensive care team take the family aside and prepare them for the inevitable

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

OIX, the intensive care team, is well known to DMossEsq's millions of regular readers but for the rest of you:
Open Identity Exchange UK (OIXUK)

This is the UK arm of a global organisation working directly with governments and the private sector developing solutions and trust for online identity, specifically for the British citizen.

OIX UK works closely with the Cabinet Office on the Identity Assurance Programme.  This is the development of the GOV.UK Verify service.  The identity assurance process can also be applied to other, non government websites where proof of identity is wanted.

The OIX goal is to enable the expansion of online identity services and adoption of new online identity products.

We work as a broker between industries designing, testing and developing pilot projects to test real use cases.  All project results are published for the public in the form of white papers.

OIX UK is open to new members.  Non members are welcome to attend our workshops,  membership is preferred for participation in projects – contact us for further information.
OIX has just published not one but two white papers:
Jointly and severally conveyed, the message is the same – there's no hope, IDA is dead, GOV.UK Verify (RIP).

GOV.UK Verify (RIP) is designed to rely on so-called "identity providers" (IDPs). There are currently four IDPs – Experian, Digidentity, the Post Office and Verizon. Together, they are said to constitute a "market" in identity services.

According to OIX's first paper, The use of bank data for identity verification:
  • The current market for identity assurance identity services is not able to serve 100% of the population (p.4).
  • At this time of publication of this paper the GOV.UK Verify [RIP] service is a beta service. It has set a number of objectives to achieve before becoming a fully live service (p.5).
  • In this early market the supply chain of data sources to support the creation of digital identity has not yet evolved to support the GOV.UK Verify [RIP] initiative (p.5).
  • The Digital Data Deficit section below describes how many users assertions of identity cannot be digitally verified (p.5).
  • As a result, some people who don’t have credit accounts (such as a loan, mortgage or credit card) are not able to assert financial evidence (p.7).
  • ... providers are not able to refer to bank account data to establish that an identity has been active over time (p.7).
  • ... resulting in variable results for users and problems can occur when users attempt to validate money evidence (p.9).
  • ... there is insufficient evidence of activity history in currently available data sources (p.9).
  • The current market has need for more data sources to accurately verify identities across a wide demographic (p.12). 
OIX is being as diplomatic as you have to be on these occasions, dealing with the distraught family in the waiting room outside intensive care, but it is clear that as long as GOV.UK Verify (RIP) depends on the current IDPs, it's not going to get out of the beta phase and become live, it's dead.

The banks are thought by OIX to provide the solution to all the current GOV.UK Verify (RIP) problems. In that case, why bother to have the IDPs? They add nothing. They are irrelevant. Appendix B of OIX's paper is a list of the problems faced by the IDPs which can be solved by the banks. Everything that needs to be done can be done by the banks alone.

There is no reason for GOV.UK Verify (RIP) to retain the IDPs and OIX identifies two reasons not to mix them up with the banks:
  • ... digital identity services delivered by non-bank Identity Providers could erode the relationship between banks and their retail customers (p.11).
  • If a financial institution refuses to compensate a customer for the loss of funds arising from misuse of credentials because the customer granted access for an Identity Provider, then broader consumer confidence in the scheme will be undermined by adverse publicity (p.13).
We were originally told that GOV.UK Verify (RIP) would be live by Spring 2013. It wasn't and it still isn't. We are currently meant to believe that it will be live by March 2016. From what OIX tells us, that is clearly impossible.

GOV.UK Verify (RIP) will not survive the amputation of Experian, Digidentity, the Post Office and Verizon. What comes out at the other end will no longer be GOV.UK Verify (RIP). That's what OIX is telling us in its first paper.

We may look at the second paper in a later post, wherein you will discover that there is a keen desire to ignore the privacy guidelines for GOV.UK Verify (RIP), but that's quite enough for now.


Updated 1.9.15

In Whitehallspeak, Experian, Digidentity, the Post Office and Verizon were part of GOV.UK Verify (RIP)'s first "framework".

Out of 80 initial expressions of interest, eight suppliers proceeded to sign a framework agreement with the Government Digital Service (GDS). Cassidian pulled out, as did Ingeus and PayPal, and despite promising repeatedly that they would, Mydex didn't become an IDP after all, which left GDS with just the four above.

A year ago, GDS launched a second framework, and six months later they'd netted five new IDPs – Barclays, GB Group, Morpho, PayPal again and Royal Mail. So now there are nine IDPs supplying GOV.UK Verify (RIP)?


Just four.

The five new prospective IDPs still haven't been "on-boarded", as they say. In fact, they haven't been heard from for six months. Why? Where are they? What's going on?

No comments:

Post a Comment