A new single sign on (SSO) and digital identity assurance system is scheduled to pilot with a number of government services by next Spring. It’s an ambitious timeline, especially as the SSO solution will need to comply with the UK Digital Identity Trust Framework which is still being developed, but it’s also a very exciting opportunity to deliver better citizen experience and alleviate the identity challenge for government departments and service owners.
Normally, ‘identity solutions’ consist of some of the following: credentials (your username, password, fingerprint etc. stored as strongly encrypted data), authentication (checking your credentials match those registered; covered by GPG44 standards in the UK), identity verification (the process of checking that you are a person with the name and identity you claim to be and have; covered by GPG45 standards in the UK), and authorisation (what services do you have access to, and what actions are you allowed to take).
The GOV.UK SSO solution – currently titled ‘GOV.UK Sign in’ – is envisaged to include initially the credentials, followed by digital identity verification elements. Government departments will be able to re-use the SSO solution to give citizens access to their services, in the same way as they already use the gov.uk website to host information about their services in the first place. Importantly, the SSO solution should be reusable by all government departments, unlike the current solutions that are department specific. GOV.UK SSO is great news for users who will benefit from a single place and one way to access everything they may need from the government. In fact, early user research by GDS proves exactly that – citizens expect one login to access to all services. Any service owner should recognise the importance of good citizen experience, and being able to access services easily, without having to register and prove identity every time, is a crucial part of that experience.
The scheduled rollout of the GOV.UK SSO should be prompting some important discussions across government departments, said Ilze Skujina, Digital Identity Consulting Manager, Health & Public Service at Accenture. “The objective for all departments will be to decide how and when to implement it to get the most value for their users and their departments. To achieve this, they’ll need to consider: What are the services I am looking to deliver to citizens and what is the level of identity related risk involved? To what extent can the ‘GOV.UK Sign in’ mitigate that risk – is a simple ‘sign-on’ enough or is actual identity verification needed? And therefore, how do I integrate elements of the SSO solution with my own services to meet user expectations?”
Maximising the impact of the new SSO
Ilze said there are several key points for government departments to consider when they look at how they will integrate with the new solution.
Her first piece of advice is, don’t reinvent the wheel. Other than perhaps the HM Passport Office, no government department specialises in identity services, so make the most of the expertise and good practice that the SSO solution should ultimately deliver. “For straightforward services, departments should look to re-use as much of the central solution as possible,” she said. This would apply to departments that deliver one service or a limited number of services that carry a similar, low level of risk. However, there will be other departments that deliver a range of complex services to a highly varied customer base and that carry different levels of risk. These departments may want to have a more nuanced approach, and augment elements of the SSO solution with additional capabilities.
To put it simply, the more of the SSO that a service owner can leverage, the better the citizen experience should be, as it will deliver a consistent user experience across services accessible through GOV.UK. Deviations from the standard SSO would only be justified where the services being delivered carry additional risk. For example, if the SSO solution initially only delivers a simple ‘sign-on’ but no identity verification then departments will likely need to add some identity verification capabilities themselves if they wish to provide services where the user’s identity is important.
“Another thing to consider is your department’s internal capacity to build and maintain bespoke identity services” said Ilze. “Most departments are going to have limited specialist capacity in this area so it’s important to critically assess what only they can and should do and what could easily be replicated.” Identity services are complex, and therefore it makes sense to focus internal capacity towards those identity service elements that are truly unique and additive.
Last but certainly not least, departments need to focus on user experience. Ilze notes that “At the end of the day single sign on and digital identity are there to deliver new digital services, better citizen experience and better user journeys.” So, regardless of the option that departments go with, they shouldn’t just be looking at identity, but the whole user experience of the service and to what extent the SSO supports and enhances it. This will come down to the actual capabilities of the SSO for credential management, authentication and identity verification, and how those augment the service design.
“You have to ask yourself what does that end-to-end journey look like and who are your audience?” Ilze says. “As a simple example, a driving licence is often used as proof of identity but if your users are under the age of 20, they are far less likely to hold a licence and therefore may be unable to access your service. They may, however, have already proven their identity to open a bank account – could this proof be reused? It’s essential that teams do thorough user research to understand their customers, their goals and the best digital identity solution elements that can smooth the journey to help meet them, which would hopefully come largely from the GOV.UK SSO”.
Ultimately, said Ilze, whilst ‘GOV.UK Sign in’ is being developed, government departments can and should start looking at their service provision and how better, more flexible identity services can enhance their customer journeys. This means investing in context appropriate and flexible citizen identity solutions that would be interoperable with the SSO solution and/or other identity verification service providers, including third party vendors and the private sector. A user centric approach is key, supported by the GOV.UK SSO shared service and augmented by bespoke identity services for unique service needs.