This time it’s personal

Ping Identity’s Rob Otto examines the Gov.uk Verify digital identity scheme and its challenges, and asks what can be done to improve the platform’s chances of success.

Posted 15 December 2020 by

Two major issues are bringing into sharp focus the criticality of ascertaining and verifying personal identity for the public sector.

The first is the ongoing pandemic and the resultant track, trace and testing regime which is delivered via online tools and underpinned by digital identities.

Alongside this issue is the upcoming Brexit deadline – after which proving identity and citizenship may become vital for accessing health and social welfare benefits for UK resident and ex-pat citizens across Europe.

Consequently, the Gov.uk Verify digital identity scheme, which has so far cost £175 million (as of 2019), has the potential to improve how organisations, both public and private, can verify personal and organisational identity. However, uptake by citizens and even by government departments has been reluctant.

Papers please

Large-scale government projects involving identity validation are not new but have often run into concerns over civil liberties. The public reaction depends on geography, however: many mainland European countries have identity cards as standard, and a few, including Finland and Estonia, have created similar digital versions. The UK media and public, by contrast, have not taken well to identity cards, which were first proposed in 2002 in a post-9/11 setting; the debate ran for around a decade before the scheme was finally scrapped, with only a few tens of thousands ever being issued to foreign nationals.

However, digital identity is not a new concept. In 2001, the UK set up The Government Gateway, an IT system that was developed to allow citizens and organisations to register for online services provided by the UK Government, such as obtaining a driving licence, common agricultural policy aid schemes and HMRC self-assessment, to replace the old system of paper submissions.

In 2012, the UK government built upon this start and launched www.gov.uk as its new unified website for online public services, in an attempt to save potentially hundreds of millions of pounds lost to the 150 million calls made to government contact centres each year by people who fail to complete a transaction online, which the government estimated cost an average of £6.28 each to process.

Gateway becomes Verify

The new initiative was run by the Government Digital Service (GDS), and one of its first projects was to update the Government Gateway system, which was designed for a different era, making it difficult to implement alongside modern systems and processes. Verify, the subsequent scion, instead used a different design philosophy based around a universal proxy layer, developed by GDS, that would act as middleware between the government-maintained backend and third-party services that wanted to integrate with Verify.

The Verify service was launched in 2016, and within two years, the service contracted five commercial partners, namely Barclays, Experian, The Post Office, Digidentity and SecureIdentity, that would provide touch services for citizens signing up and managing identities. The goal was to turn the scheme over to the partners to be owned and run by the private sector.

However, in 2020, three of the partners decided not to renew their contracts, leaving Digidentity and The Post Office as the only active participants. Against an initial goal of signing up 25 million people, the figure currently stands at around 6.5 million, and the recent National Audit Office review of the service categorised it as a ‘failed government IT project’.

So why this damning indictment? Part of the issue can be put down to hindsight. For example, the technical choice of using a layer of middleware software created by GDS to act as a bridge could be considered a poor one based on the current trend towards web-scale cloud software. However, in 2014, when much of this work began, open standards such as OAuth 2.0 and OpenID Connect were also less mature, as was the idea of using cloud-based APIs – especially within government circles.

The other issue was the commercial model. The actual cost of carrying out signups and validation – a task which is made easier with a high-street branch network – coincided with a time when banks were moving away from physical branches and embracing online equivalents. Although the commercials within the Verify contract agreement are not public, it is believed that it was not a profitable endeavour for the participants – and the fact that the Post Office is the last partner standing with such a branch network is no coincidence.

2020 vision

However, speaking as a neutral observer, the NAO description is a bit unfair, especially considering the rather optimistic targets that were set. On the most basic financial calculation, each signed-up user cost roughly £30, which, when factoring in software development, back-end infrastructure and processing fees, is not wildly outside of what an enterprise-grade solution might cost.

Although not the most user-friendly service, Verify does work reliably and at the very least has established a foundation to build upon. And although tragic, the ongoing pandemic is likely to accelerate its adoption as more citizens become accustomed to online transacting, and identity requirements start to become more pressing in a post-Brexit UK. The UK government has announced it will fund Verify until 2021 – and recent signups for the service have been at record levels with the number jumping from 3.6 million at the end of February 2019 to 7.5 million verified users as of November 2020.

With a revised commercial model and a potential move towards a more open standards based approach to connecting all the parts together, Verify may overcome its teething troubles and blossom into a well-received and universally useful service – that is arriving at a most opportune time for the UK economy.

Rob Otto, EMEA field CTO, Ping Identity