Editorial

Kantara comes out strongly against core government ID concepts

Don’t impose anything – and let ID ecosystem participants determine what’s best for them, demands the Initiative

Posted 17 September 2019 by

Our current national approach to Digital Identity is too costly, is based on an idea of a ‘market’ that can’t work – and doesn’t need its own special legislation to get off the ground.

But whatever we do, we can’t carry on as we are – as “Most models have been costly for one or more parties, or have failed.”

These are just some of the main ideas expressed by The Kantara Initiative, an industry Digital Identity group that is all about nurturing ‘beyond-the-state-of-the-art’ ideas, develops specifications and operates conformity assessment and assurance under its Trust Framework programme to transform the state of digital identity and personal data agency domains.

The details come from the membership organisation’s official response to the Department of Culture, Media and Sport’s now closed invitation for the public and industry to offer their views on what should happen next for Digital Identity in the UK.

Specifically, the organisation notes that on the cost side, our experience so far with GOV.UK verify has not been a good one, as the current model incentivises IdPs (Identity Providers) to “duplicate user enrollments, which increases taxpayer cost and user management burden”.

That’s a problem, as the group states that “industry believes” that “Verify pays IdPs £20/verified person while IdPs’ direct costs are around £5/verified person.”

This discrepancy is partly down to what it claims to be “the significant indirect cost of integrating with Verify” and a “risk factor” built into the price to offset their lack of control of future government policy shift.

But the result is that Identity verification alone doesn’t usually give an RP (Relying Party) sufficient confidence to grant access to a resource, requiring them to process additional attributes with requisite incremental cost.

A tough assessment – and equally tough is the organisation’s rejection of a core government Digital Identity belief: that we need to create a UK ID ‘market’.

“The contrived notion of a ‘Digital Identity market’ doesn’t give IdPs or RPs sufficient flexibility, incentive, return on investment or risk mitigation confidence to address their respective customer segments – at least in the existing hub model.”

A better approach, Kantara believes, would be to act as a standard setter instead: “Standards need to be community developed, freely available, deployed, and interoperable that are implemented by service providers that are trust marked with evidenced conformance and assurance against the standard… Government should set the high-level conditions, support their enforcement and buy industry-wide licences for chargeable standards.”

The best way forward for UK digital ID post the end of commercial support for Verify next year, it concludes, is to, “Pilot a range of options including a low value transaction-based option, provided they are transparent to the entire ecosystem and capable of scale.

“Don’t impose anything; let ecosystem participants determine what’s best for them.”

The response was prepared primarily by a sub-group who volunteered for the task out of its Identity Assurance Work Group (IAWG), a team which acts as the steward for the Identity Assurance Framework.

The Framework accredits assessors and approves service providers seeking assurance of conformance to one or more of Kantara’s Classes of Approval (e.g., the NIST Digital Identity Guidelines for SP 800-63-3) that have had assessment criteria written for each of the standard’s requirements) operating under Kantara’s Trust Framework Operations Programme.