Wednesday 18 May 2016

RIP IDA – worse than you thought

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

The problem you already knew about ...
The point of GOV.UK Verify (RIP) is to assure central government departments like HMRC, Her Majesty's Revenue and Customs, that the person on the other end of the line is who they say they are. GOV.UK Verify (RIP) follows the good practice, we are told, set out in GPG45, Good Practice Guide 45.

Chapter 4 of GPG45, p.9, provides for four levels of assurance, 1-4.

Level 1 isn't much use to a relying party such as HMRC, the identity hasn't been proved at all.

Level 2 gets a bit more useful: "The steps taken to determine that the identity relates to a real person and that the Applicant is [the] owner of that identity might be offered in support of civil proceedings". Level 2 might support identification in a civil court. It might. It might not.

Levels 3 and 4 are successively more reliable. But that's irrelevant at the moment as GOV.UK Verify (RIP) is only offering Level 2.

What's more, it's having trouble reaching even Level 2 according to OIX, the Open Identity Exchange, the Government Digital Service's business partner. If GOV.UK Verify (RIP) could use our personal bank account information, OIX say, that "would help [to] achieve the required standards against the 5 elements of identity assurance at level of assurance 2" (p.11).

To some extent, OIX have now got their wish. GDS tell us that: "In the last few months, we've seen new data sources and methods being introduced, and we've worked with mobile network operators as they've developed a new phone contract validation service that’s now in live use in GOV.UK Verify [RIP] ... It’s also now possible to verify your identity without either a passport or driving licence, thanks to a new method introduced by one of our certified companies which allows you to use your bank account as proof of your identity".

They've got their additional data and it's not helping. The GOV.UK Verify (RIP) account creation success rate remains stuck at around 70%. Young people have trouble opening an account, so do old people and unemployed people and people on low incomes.

Hat tip someone, it's all a far cry from the 16 September 2014 GOV.UK Verify (RIP) service assessment, when the assessors' report called for GDS to "actively work with the market to grow [demographic] coverage to as close to 100% as can be achieved, as early as possible during the Beta".

... may be worse than you thought
But suppose GOV.UK Verify (RIP) achieved 100% demographic coverage and enrolled everyone into GOV.UK Verify (RIP) with a level of assurance of 2. Then what?

Enter NIST, the US National Institute of Standards and Technology. They've come up with a draft of some new so-called "800-63" guidance about how to do the identity verification job.

They're a thorough lot, NIST. They look at GDS's "level of assurance" and they see not one thing but three things:
A new approach for digital authentication solutions is required by these guidelines, separating the individual elements of identity assurance into discrete, component parts. For non-federated systems, agencies will select and combine two (2) individual components, referred to as Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL). For federated systems, a third component, Federation Assurance Level (FAL), is required.
  • IAL refers to the robustness of the identity proofing process and the binding between an authenticator and a specific individual.
  • AAL refers to the robustness of the authentication process itself.
  • FAL refers to the robustness of the federation assertion protocol utilized to communicate authentication and attribute information (if applicable) to a relying party.
GDS's level of assurance has four possible values, as noted, from 1 to 4. NIST's IAL has only three values, 1 to 3. An IAL of 1 is self-assertion, as with GDS, and is useless to a relying party. 2 is better and 3 is best, requiring attendance in person by the applicant and verification by a trained operative.

NIST compare this new suggestion of theirs with several other identity verification standards, including GDS's GPG45, and they summarise their thoughts in this table (para.2.4):

SP 800-63 [GPG45] [RSDOPS] STORK 2.0 29115:2011 ISO 29003 Government
of Canada
N/A N/A Level 01 N/A N/A N/A N/A
AAL/IAL 1 Level 1 Level 1 QAA Level 1 LoA 1 LoA 1 IAL/CAL 1
AAL/IAL 1 Level 2 Level 2 QAA Level 2 LoA 2 LoA 2 IAL/CAL 2
AAL/IAL 2 Level 3 Level 3 QAA Level 3 LoA 3 LoA 3 IAL/CAL 3
AAL/IAL 3 Level 4 N/A2 QAA Level 4 LoA 4 LoA 4 IAL/CAL 4

As far as NIST are concerned, GDS's level of assurance 2 is no better than 1.

They both map to a NIST IAL of 1. Self-assertion.

GOV.UK Verify (RIP) could achieve 100% demographic coverage at level of assurance 2 and, in NIST's view, still not have anything useful for HMRC to rely on.

----------

Updated 3.6.16

GOV.UK Verify (RIP) uses your name, address, date of birth and, optionally, your sex to try to verify your identity on-line, together with your passport details, your driving licence details and your credit history. We know, see above, that GOV.UK Verify (RIP) can also use your mobile phone contract and/or your bank account.

Who gave your mobile phone network operator permission to share your data with the Government Digital Service (GDS)? Very possibly, no-one. Who gave your bank permission to share your data with GDS? Very possibly, ditto.

Desperate to try to raise the reliability of GOV.UK Verify (RIP) off the floor and above the level of self-certification, GDS look as though they're taking a few ethical short cuts, the latest of which involves grabbing your charitable donation history, please see JustGiving and GOV.UK Verify [RIP]: Exploring JustGiving information as part of the GOV.UK Verify [RIP] process (pp.3-4):
The first hypothesis explored the response of JustGiving users if information about their activity on JustGiving was used by a GOV.UK Verify [RIP] Certified Company as part of the verification process ...
"No holds barred", as the referee used to say, GDS look as though they're prepared to try to wrestle all our personal information out of us even if they are incapable of performing on-line identity verification.


Updated 9.12.16

On Monday morning this week GDS published Future-proofing our approach to identity verification. That's a blog post about GOV.UK Verify (RIP).

Read the title quickly and you may be tempted to believe that the authors describe how GDS have future-proofed identity verification. That's not what it says. It's the approach to identity verification that has allegedly been future-proofed.

There's no telling what that means. But read the blog post in full, and it's clear that nothing has been future-proofed. GDS hope that OIX, their business partner, might be able to find some way to establish a reliable link between a GOV.UK Verify (RIP) identity and a person.

The approach to identity verification favoured by GDS is knowledge-based: "Knowledge based verification (KBV) involves asking the user a range of questions only they would know the answer to". That can't be right, can it. If only the user knows the answer, then GOV.UK Verify (RIP) can't tell whether the answer is right.

"There are further innovative data sources and methods currently being explored in the private sector that would be both secure and convenient for GOV.UK Verify [RIP] users". Such as? What further innovative data sources and methods? GDS don't tell us.

That's because they don't know. They don't know how to improve KBV. Instead, they're asking OIX to ask the market if they know: "We are inviting the market to submit a proposal to help us explore what alternative, additional or complementary data sources are being used in the market for KBVs".

They haven't future-proofed anything. They've issued an invitation. An invitation to submit a proposal. A proposal to help GDS explore. Explore an alternative data source or an additional one (what's the difference here between "alternative" and "additional") or a complementary one.

That flabby invitation is GDS's response to the failure of GOV.UK Verify (RIP) to rise above the level of self-certification.

To the extent that Kevin Cunnington's strategy for GDS depends on the success of GOV.UK Verify (RIP), the strategy's had it. Mr Cunnington is the director general of GDS and he's promised the public a strategy before Christmas. 15 days to go. Good luck with that.

No comments:

Post a Comment