Wednesday, 13 July 2016

RIP IDA – Connect.Gov goes down the tubes

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
"GOV.UK Verify [RIP] is a new type of service, being delivered in a new way for the first time anywhere in the world". So said the Government Digital Service (GDS) on 30 June 2015. And so said their political boss, Matt Hancock, three months later on 26 October 2015: "It is a world first, and has been offering users a level of ID security that wasn’t previously possible online".

False. At the time. The UK was not alone.

Over in the US, they had Connect.Gov: "Connect.Gov, creates a secure, privacy-enhancing service that conveniently connects people to government services and applications online using a digital credential they may already have and trust ... Connect.Gov partners with Sign-In Partners – private sector organizations (e.g., Verizon, ID.me, Banks, Social Media companies) that offer government approved, digital credentials for millions of individuals across the United States ...".

For Connect.Gov's "Sign-In Partners", read GOV.UK Verify (RIP)'s "identity providers".

The two systems are similar.

You knew that already:
  • Just over a year ago on 23 June 2015 DMossEsq reported on the findings of four academics who reviewed the security of GOV.UK Verify (RIP): "It's not just GOV.UK Verify (RIP) that they criticise but also the US equivalent, the Federal Cloud Credential Exchange (FCCX), recently rebranded as Connect.GOV".
  • And those of you endowed with a cryptic crossword mind will have spotted the connection via NSTIC nearly four years ago.

Hat tip an anonymous commentator, Connect.Gov is now on the way out. According to the SecureIDNews website, 5 July 2016: "It was supposed to be a government-wide identity platform, but it appears the project is being scrapped. In its place, GSA [the US General Services Administration] is planning to build its own platform from scratch". Connexit?

Maybe GOV.UK Verify (RIP) is now unique, as GDS falsely claimed last year. But for how long? Will it, too, like Connect.Gov, soon disappear? Verexit?

It would require uncommon boldness for GDS to follow the US example and cancel GOV.UK Verify (RIP). But that's precisely what they claim to be famous for aspire to. Boldness.
