Editorial

Did the NAO deliver too harsh a verdict on GOV.UK Verify?

The UK Digital Identity industry reacts to Tuesday’s tough National Audit Office assessment of what went ‘wrong’ with our first attempt at a national Digital ID scheme

Posted 7 March 2019 by

Yes, it’s not given us all we were promised – but the UK’s first attempt at a national ID framework is far from the disaster it’s being painted.

That’s at least one way to sum up the reaction of the many stakeholders in the UK Digital Identity industry who have shared their views on the National Audit Office review of GOV.UK Verify, published earlier this week, which concluded it had become a classic ‘failed government IT project’.

In the past couple of days, we’ve been reaching out to the community to gauge its reaction to the tough assessment – with many being participants in our upcoming (June) Think Digital Identity For Government 2019 conference, where we fully expect a balanced judgement of where we go next with ID in this country anyway. And this is what they said:

Don Thibeau

Speaking in a personal capacity, and not as the official response of his organisation, the Open Identity Exchange (OIX), Don Thibeau, its chair, told us that, “The National Audit Office report published yesterday denigrates GOV.UK Verify to ‘yet another government IT failure’ and permits commentators to lament GDS failing to live up to its promise – but the report fails to consider the enormity of the digital identity problem that GOV.UK Verify aims to address or the complexity of implementing almost any solution across independent government departments.

“While the ‘hard hitting’ tone has captured news headlines, it shed little light on the complex subject or what government policy should be.” (A full version of Don’s thoughts can be found here.)

Ubisecure

“Verify is (or now was?) a brave attempt to introduce a (not a) national ID,” says the Digital ID solution vendor’s Group CEO, Simon Wood. “The cost escalation was quite predictable given that, in general, the wrong organisations were undertaking the identity verification process. If we look to the Nordics for comparison the equivalent schemes are private initiatives, for example BankID in Finland. Here, the organisations already have to undertake detailed KYC (Know Your Customer) processes so already know the user, and can directly link to a ‘national ID’ – for example, a citizen’s social security number – although this is not required, the underlying ID can be pseudo and provide the same benefits.

“In the UK many of the participants in Verify have created ‘KYC’ processes to deliver participation and the government has effectively paid for this in addition to the transactional identity.”

Kantara

Colin Wallis, Director at this open Digital ID initiative, states that, “While I don’t think technology was at the root of the problems, it probably didn’t help either. We should remember that when the hub was conceived in around 2011-12, SAML was mature but waning, and Open ID was still highly insecure. Additionally, it was an ambitious project for its time in priming the development of an ecosystem, especially within the strictures of the civil service.

“Plus, was there a sense of over-confidence as the project took hold? I think so, which was unfortunate given that the UK was by no means the first government to try this kind of programme – admittedly with some new aspects – and could have benefitted from the advice given at the time by those that had gone before.

“While not a stunning success, Verify is by no means a total failure either. The investment itself is not completely out of the ball-park compared to others, though admittedly the return measured in adoption has fallen short.”

Etive

“I think people need to understand that the role of the NAO is to hold Government to account on all projects that also involved spending,” points out Stuart Young, Director at this Digital ID vendor, which works with GDS and OIX on Verify-based projects.

“Verify hasn’t been a smooth ride – but in its defence, neither have identity solutions in many other countries. Here in the UK, we just don’t have a history of Identity, so introducing one has been more complex than initially envisaged: though the need for one is absolutely clear, we are one of the few Western economies that do not have an ID system, and if you speak to anyone from a country that has one in place, they will tell you how much easier it is – see techUK’s argument here.

“We are currently working on the first OIX Beta project to look at how the use of Verify will help and support vulnerable people – the people who are high users of public services and in greatest need of support. We know that the proof of Identity is a key prerequisite for citizens to access critical services, especially to take part in our modern economic and social systems. Verify and assured Identity has been opened up to the private sector enabling the market to more easily adopt it. GDS continues to be the standards body behind it, and this will go on beyond 2020.”

Ping Identity

“By going to the wider identity management market, UK Government could build a platform for interoperability based on open standards that would allow all areas of the public sector to interact with their customers at whichever level of security assurance they require, rather than imposing a rigid central identity scheme,” Jon Ellis from this ID supplier told us.

“Security of Digital Identity could be enhanced by using a zero trust approach, whilst improving customer experience through adopting passwordless authentication and allowing customers to use one set of identity credentials to access multiple services. At Ping Identity we have a proud legacy of helping some of the world’s largest enterprises offer digital services to their customers; for instance, one of our customers has 125,000,000 authentications per day against its PingDirectory. We also helped transform digital identity for the government of New South Wales in Australia, so New South Wales citizens now have an easy to use, opt-in, one-stop dashboard for online government service transactions. Since launching its new portal, Service NSW has seen on average 100,000 customer sign-ups a month, with in excess of 3 million accounts within Ping.”

A UK ID Vendor

Finally, requesting anonymity, we got a very interesting response from a well-known community voice: “Timing is everything in technology, and the concept of a citizen identity at the time that Verify was put forward was still new.

“It is easy with hindsight to say that Verify did this and that wrong, but mass adopted digital identity for a wide-demographic is no mean feat to achieve. Balancing fraud checks with usability is never going to be easy and Verify came into existence at a period in the history of consumer identity where change was just beginning to happen.

“Verify, however, must become flexible to allow the full re-use of the identity across a federated commercial ecosystem. In a commercial context you need the ability to add technology layers where there are gaps in functionality, e.g. enrichment of identity using user-managed attribute brokers. A lot of people have gone through the pain of getting a Verify ID so they should be allowed to re-use them in a commercial context. In addition, the use of existing identities like Yoti could help uptake across an extended ID ecosystem that uses Verify. GDS should take a look at what scot gov are doing with OIX too.

“The other problem that has caused friction in the IdP ecosystem is the financial side. The IdPs never recouped their investment, and that spend should be looked at.”

All great food for thought… what is your view on what happened? Join the debate on Twitter @Thinkdigicon.