Local authorities: Identity verification vs. authentication

Donna Joyce, public sector, charities & NfP account director at Auth0, explains how identity verification differs from authentication, and why it is important for building trust

Posted 31 March 2021 by Christine Horton

As a society, so many of our everyday tasks are now online. Even before the pandemic, most services – whether that’s grocery shopping, booking our holidays, engaging with the government, or consuming media – had well and truly gone digital.

We know digital services offer huge convenience benefits for public sector organisations and citizens. However, digital has a dark side. The movement of services online has opened the door to a number of security and privacy challenges. Cyber threats targeting local authorities are on the rise, according to a 2020 report from the National Cyber Security Centre.

Keyword identity management

Customer Identity and Access Management (CIAM) is making its way into the public sector stratosphere as one of the most important ways of addressing convenience, security, and privacy concerns for digital services. As a citizen, it’s encouraging to see the UK Government elevating identity to the top of the national agenda with initiatives like the digital identity trust framework. And as an identity professional, it’s equally important that we empower local authorities with the tools and knowledge to successfully implement these solutions.

The management of digital identity is immature and fragmented, not just across councils, but within councils, according to our survey with Think Digital, Identifying as Citizens. Two-thirds of local authorities did not have an overarching digital identity strategy, with more than half not even knowing how much they planned to spend on digital identity solutions.

By far the most common set of barriers cited in the survey was lack of funding (61 percent) or a proven business case (44 percent), and many councils also face uncertainty as to how to approach the challenge due to a lack of standards, frameworks and guidance.

What makes understanding identity challenging is that it’s not ‘one thing.’ Identity vendors can specialise in authentication, authorisation, biometrics, consent management, identity verification, or any number of other services (this is why we launched Auth0 Marketplace as an identity hub). Moreover, these words are mistakenly used interchangeably. It’s no wonder there’s confusion. Two of the most common services used in the public sector are authentication and identity verification.

What is identity verification?

Identity verification (also called ‘identity proofing’) differs from traditional authentication in that it comes into play either before users get their credentials to access an application, or alongside the authentication process.

Verification essentially boils down to matching a user’s claimed identity (i.e., the email and telephone data a user declares when they register with a CIAM system) with their actual identity, which is the data that proves the authenticity of a user’s identity and can be independently verified. The actual identity data can be something based on life history, such as a credit report, passport, or driving licence, or it can be biometric data such as a fingerprint or facial scan.

As citizens, we are used to self-registering for services using very basic pieces of information about ourselves, like our email address or phone number. This information tells applications very little about who we are in the real world and is easily spoofed.

There are certain situations where the government is expected to go beyond email and phone number, and employ more sophisticated identity verification services. These are situations where it’s important to be sure of the user’s identity across a large user base, for example:

  • Managing ecommerce transactions
  • Onboarding patients in telemedicine
  • Enabling student logins for an online exam
  • Registering candidates in an HR system

Equally, identity verification is not necessary or desirable in every scenario. If the citizen identities managed by your CIAM system are well-known to you, such as your own employees accessing internal systems, you may not need additional verification.

Verification increases trust

Completing document and biometric checks increases trust, according to a study from Onfido, Customer Attitudes to Digital Identity.

The Onfido study continues: “It appears that document and biometric checks help assure people that businesses are taking both data privacy and data security seriously, compared to other methods of handing over personal data—such as via online forms, or in-person.”

There are many reputable identity verification companies that can help local authorities deliver on the promise of trust. Each tends to have a different specialisation, so it is worth doing your research and having multiple conversations before making a decision.

I’ve spoken before about treating citizens as customers, and identity verification is no different. As human beings, we expect the same level of convenience, security, and privacy from government applications as we do from our digital retailers and banks. Understanding how authentication and identity verification work together is a starting point for local authorities who want to provide the next generation of digital citizen services.