Wednesday 12 July 2017

RIP IDA – OIX to the rescue 2

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

14 June 2012, we discovered that the Government Digital Service (GDS) had joined the Open Identity Exchange (OIX) in order to help with their moribund identity assurance programme now known as "GOV.UK Verify (RIP)".

16 June 2017, OIX published Achieving frictionless customer onboarding, which "looks at the commercial business case for financial service providers to accept digital identities that meet Government standards".

Does that report help GDS?

The author of the report, Tony Lamb, is head of strategy at Royal Mail Data. "In the next four years", he says, "UK Government is forecasting to create c20million (or c40% of the UK adult population) verified digital identities for UK citizens" (p.4). He takes his figures from GDS's Identity Assurance Programme Market Briefing Event in 2014.

He and OIX, his publishers, should know better than that. "Building on the work we have already done our priorities for government up to 2020 are ... making better use of GOV.UK Verify [RIP] by working towards 25 million users by 2020 ...". That's what GDS say in their February 2017 Government transformation strategy (pp.11-12). Three years. Not four years. 25 million. Not 20 million.

It is not helpful to GDS to have their strategy ignored by Royal Mail Data and OIX.

The financial services sector is being asked to rely on GOV.UK Verify (RIP). Royal Mail Data's obfuscation here will not help to nurture any confidence the financial services sector may have in GOV.UK Verify (RIP).


A set of propositions to do with identity assurance was sent to four organisations who were asked to rate their importance. The Royal Mail Data report is compiled from those responses (p.7). The proposition "The number of existing available digital identities is significant for the population" (p.11), for example, scored only 45 out of 100.

Just as well for GDS.

Royal Mail Data had suggested that "having five million verified identities by June 2017 would be somewhat important before the financial service sector would widely adopt the reuse of GOV.UK Verify [RIP]" (p.11) and of course GOV.UK Verify (RIP) had nothing like that number of accounts by the end of last month. As we know, at the present rate, it will take until 2074 for GOV.UK Verify (RIP) to have 25 million users. Or possibly 2425.

"Accelerating the growth of verified identities will make a more compelling case for financial sector reuse" (p.11), say Royal Mail Data. That's one way of putting it.

Another way is to say that the current number of GOV.UK Verify (RIP) accounts is too low for the financial services sector to bother with it. Or as Royal Mail Data also say, "The investment into adoption of GOV.UK Verify [RIP] by the financial service sector would require a critical mass of pre-existing identities" (p.11) – no critical mass, no investment.


The proposition "A reusable digital identity is accessible for all of the eligible UK population" (p.10) scored 80 out of 100, as did "In particular, a reusable digital identity covers socially, financially and digitally excluded demographics" (p.11).

Perhaps volumes could be increased by making it easier to register with GOV.UK Verify (RIP)? "... an LoA1 standard has been defined, with intention being to provide a lower entry bar" (p.11).

"LoA1" is level of assurance 1, self-certification, an unverified identity. Pointless. You don't need GOV.UK Verify (RIP) to not verify identities. You don't need identity providers either. You don't need to pay them to not provide identities. And there's nothing – nothing compelling, at least – that relying parties like government departments and banks can do with an LoA1 identity. LoA1 is useless. OIX know that.

The LoA1 suggestion is manifestly unacceptable – "All customers are verified to the same robust level of assurance" (p.11) scored 75 out of 100. No-one wants to lower the bar. The requirement is to raise it.

"The current proposition is built around assuring identities to LoA2" (p.11). LoA2 isn't that high a level of assurance. And it isn't clear that GOV.UK Verify (RIP) is achieving even LoA2.

"Government and the Identity Providers are working together to understand how the current solutions can be optimised to increase successful applications without increasing security risk" (p.11). They've been working together on this matter for at least two years and they're not getting anywhere. Because they can't. You can't lower the bar and at the same time maintain the level of security risk.


Frictionless: One of the screens you'll see if you try to register for a GOV.UK Verify (RIP) account

You'd think we might have finished with p.11 by now. We haven't.

"If GOV.UK Verify [RIP] provided penetration of key segments of the population, who are currently difficult and costly to verify in a digital-only channel, this would be valued by the financial sector. Examples of excluded demographics are those aged under 20, individuals who are new to country and those with a ‘thin’ credit file" (p.11).

Even according to GDS's hopelessly optimistic mathematical models these are exactly the people GOV.UK Verify (RIP) can't reach. There is nothing there for the financial sector to value.


It's not just that GOV.UK Verify (RIP) lacks the critical mass required by the financial services sector and that it fails to reach the unbanked.

There's also this: "The verification process for GOV.UK Verify [RIP] requires around six steps, once the applicant has selected their identity provider" (p.8).

Got that? GOV.UK Verify (RIP) takes six steps.

"A typical bank application process for a current account involves 20-80 steps" (p.8).

The banks require between 20 and 80 steps. Ergo, the six-step GOV.UK Verify (RIP) is not in their league.


"A reusable digital identity supports an end-to-end entirely digital journey" (p.8). That proposition scores 80 out of 100. Why can't GOV.UK Verify (RIP) support an end-to-end entirely digital journey in the financial services sector? Because, after six years in development, it's still in "an early stage of maturity" (p.8). It's still a child and the financial services sector needs an adult.


"The reusable digital identity has a high level of customer awareness" (p.8). That proposition scored 75 out of 100.

GOV.UK Verify (RIP) doesn't have a high level of customer awareness. Royal Mail Data's respondents see that as a risk, with vulnerable people falling prey to fraudsters, "this could ... result in a large number of vulnerable people having their identities compromised and funds stolen" (p.8).


"Successful verification rates are greater than 60%" (p.9), 75 out of 100. Week ending 18 June 2017, two days after Royal Mail Data published their report, the Completion rate for GOV.UK Verify (RIP) was 35% across all services. The child is out of its league.


Obviously enough, GOV.UK Verify (RIP) could only be used by the financial services sector if it met the regulatory requirements. It doesn't (pp.9-10). "This is likely to prohibit uptake" (p.10).


Obviously enough, GOV.UK Verify (RIP) could only be used by the financial services sector if it "delivers operational efficiencies and cost reductions" (p.13). Does it? No-one knows. GDS certainly haven't proved that it does. All that is known is that "New commercial terms will need to be agreed with the existing Identity Providers" (p.13) and with any commercial hub provider(s). I.e. the existing terms are inadequate.


Obviously enough, GOV.UK Verify (RIP) could only be used by the financial services sector if it reduces risk. A new risk model will be required because the GOV.UK Verify (RIP) model is inadequate (p.14).


Progress has been unacceptable over the past six years and "The window of opportunity needs to be seized in the next six months to provide a clearer view of the scale of the opportunity" (p.15). GDS have until the end of the year to show that GOV.UK Verify (RIP) could one day grow up enough to be a candidate for identity assurance in the financial services sector.


The financial services sector numbers companies and trusts among its accountholders. GOV.UK Verify (RIP) can only handle natural persons, not legal ones. You can read the whole of Royal Mail Data's report without being reminded of this lacuna.


"As GOV.UK Verify [RIP] aligns to the broader European standards, it provides a means for the financial sector to provide services in a globally interoperable way" (p.3). "A federated digital identity scheme, GOV.UK Verify [RIP], has been created in the UK in line with the eIDAS regulation." (p.4).

In what way does GOV.UK Verify (RIP) align with the broader European standards? Royal Mail Data forget to answer that question. We may find that it doesn't align with the European standards the financial services sector requires. In particular eIDAS and GDPR. Another lacuna.


The respondents approached by Royal Mail Data were HSBC, Barclays, TSB and "a leading credit card provider" (p.1). Who is the leading credit card provider? Why don't they want their name to be used?


The "project participants" are Royal Mail and Avoco Secure (p.1). Royal Mail are not certified trustworthy by tScheme. In their case, the proposition that "The existing GOV.UK Verify [RIP] service verifies the applicant’s details online, using certified third party Identity Providers" (p.5) is not true.

By GDS's own lights, Royal Mail are therefore unqualified to act as GOV.UK Verify (RIP) identity providers. Royal Mail are only listed as identity providers because they're a recognised brand. Behind the scenes, the identity provider work is actually carried out by GB Group plc, whom more or less no-one has ever heard of. Both Royal Mail and GB Group rely on software provided by Avoco Secure, whom, ditto, more or less no-one has ever heard of.

All of which looks like a cynical deception of the public by GDS, who profess nevertheless to embrace openness, and by Royal Mail.


"Does that report help GDS?", we were asking above. Clearly not. But by drawing attention to the deficiencies of GOV.UK Verify (RIP) it does help the public. Thank you OIX.


Updated 15.7.17 1

GOV.UK Verify [RIP] to be extended to cover other countries next year: "From September 2018, the service will be able to confirm the identities of people from countries other than the UK". So said on 13 July 2017.

September 2018 is over a year away. A safe distance from which to make predictions. Normal practice for the Government Digital Service (GDS).

This announcement about GOV.UK Verify (RIP) being able in a year's time to confirm the identities of people from countries other than the UK may look safe. And positive. But it confirms something that has never been made clear before – GOV.UK Verify (RIP) can't at the moment confirm the identities of people from countries other than the UK. Did you know that? Have GDS ever said that before?

And take a look at GDS's own statistics on the performance of GOV.UK Verify (RIP). The completion rate is defined as "the proportion of visits started on GOV.UK Verify [RIP] that result in successfully accessing a service, following the creation or re-use of a verified account with a certified company". Week ending 9 July 2017, the completion rate stood at 37% across all services. I.e. the failure rate was a whacking 63%.

That's presumably the failure rate for confirming the identities of people from the UK. GDS would surely do better to improve completion for people from the UK first before jumping the gun and taking on all comers.

Updated 15.7.17 2

Famously, HMRC, DWP and the NHS have failed to give their backing to GDS's GOV.UK Verify (RIP) identity assurance service. More than half of the UK local authorities which started trials of GOV.UK Verify (RIP) have now pulled out. And OIX have at least twice demonstrated that GOV.UK Verify (RIP) is useless to the UK financial services sector.

Now the Law Commission have weighed in. Legal gurus give thumbs down to Verify, said the UKAuthority website on 13 July 2017: "The independent body advising the Government on law reform has rejected the GOV.UK.Verify [RIP] digital signature as suitable for authenticating people’s wills".

"Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists" (para.6.67) – if the Law Commission believe that GOV.UK Verify (RIP) leaves it unclear whether you are you, what does that tell the financial services sector? Or local government? Or the NHS or DWP or HMRC?
