The state of digital identity in the UK - such a great idea, you'll need a whole bunch of them
The promise of digital identity is a simple one: Prove once that you are who you say you are, and then forever more you have a single method to log in to any online service you choose. No more remembering multiple user names and passwords. No more identity fraud. No more sprinkling innumerable copies of your online credentials across the web.
To coin a phrase – you, the user, take back control.
In fact, it’s such a great idea, that before long – and it has been a long time in the making – people will realise just how good an idea it is, because they will be using so many different digital identities from so many different online services, that…
Hang on. What?
Yes, it’s sadly true – digital identities are such a great thing, that you will have a whole bunch of them. One for your bank, one for each social media site you use, probably several from different e-commerce providers, others maybe for your most popular mobile apps. You’ll most likely have one from Apple, if you’re an iPhone user. One from Google. One from Microsoft. One from Amazon. One from Meta/Facebook. If miracles really do happen, you’ll have one for all your online government services, but more likely you’ll have five or six.
If you’re lucky, most of these will have some form of government-backed certification to reassure you of their trustworthiness. And you may even find that some of those digital identities can be used to access other services – although probably not quite as smoothly as the digital identity offered by that other service’s provider.
Perhaps digital identity may also help prevent the sort of egregious fraud seen in the pandemic, where Companies House registered directors such as Adolf Tooth Fairy Hitler and Judas Superadio Iskariot to claim business grants – a situation so out of control that the anti-fraud minister, Lord Agnew, resigned because nobody was taking it seriously.
You’ll pardon, perhaps, the cynicism. But it is all based on the general mess the UK faces as its nascent digital identity market finally – at least five years too late – starts to take shape. The catalyst for all this is impending legislation to enable the use of digital identities that conform to a new governance framework – overseen by a new body, the Office for Digital Identities and Attributes, or ODIA for short. As one wag put it, is that pronounced “Oh, dear”?
The UK had an opportunity to create something genuinely useful for the digital world, but the debacle of Gov.uk Verify pretty much wasted it. A digital identity ecosystem will emerge in the next few years, but it will be so much less than it could have been. Let’s look at where we are…
The Government Digital Service (GDS) is soon to enter beta testing for its new One Login service – a system we were promised was being built collaboratively across Whitehall to maximise its widespread adoption. Is it, therefore, something to worry about that GDS is already advertising on its blog for government departments willing to take part in the beta test?
One Login is a three-year project, with an extraordinary budget of £400m. So far, the product functionality extends to letting “central government services authenticate their users using an email, password and optional two-factor authentication”, according to that blog post. So, it has the absolute basic functionality available from any of the many off-the-shelf single sign-on products already available on the market.
For the next few years, if you want to use probably the most frequent or high-volume online government services, you’ll still use the existing systems – like the 16 million people using Government Gateway to access their personal tax accounts or submit tax self-assessments; or the five million or so people claiming Universal Credit through the DWP’s Confirm Your Identity service; or even the 22 million people using NHS Login, thanks to the NHS App that houses Covid vaccine certificates. Or maybe you’ll use one of the 44 other sign-in methods identified across government services – all of which GDS hopes to replace.
If you do use Gateway, or Confirm Your Identity, or NHS Login, you’ll have a distinct advantage, in that those services don’t only know you are who you say you are – they have already matched you to the data they hold about you. Anytime you want to use a new digital identity system – One Login, say – they will have to match this new identity you have created, with all your data, again. Are you John Smith, Jon Smith or Johnny Smith? Are you Joan Smith from St. Ives in Cornwall, or Joan Smith from St. Ives in Cambridge?
And of course, do you even want government to know, that you are John Smith to HM Revenue & Customs, and Johnny Smith to the NHS? Because then, they’ll be able to link up your data and create a profile of all your interactions with government, in one place.
Or you could just use a password manager on your mobile phone and home computer – they’re free, from the likes of Google and others – so you can have as many different user names and passwords as you like, and you don’t have to worry about forgetting them or writing them down. Just saying.
Meanwhile, the Online Safety Bill promises to introduce identity verification for social media, and age verification for accessing online porn, in addition to existing moves to create digital age verification for purchasing alcohol.
The Home Office is introducing digital identity checks to prove your right to work and right to rent in the UK – originally due to be launched in April, but put back six months because of the small matter that no such digital checks currently exist.
The property industry is introducing a digital identity scheme to ease house buying – helping to reduce the number of times you need to provide proof of identity to all the various parties in the chain.
Some local authorities are looking at digital identity – Newham council, for example, is hoping to “take the lead in convening London boroughs with a view to establishing official digital identity with the framework of a pan-London identity”.
In financial services, The Investing and Saving Alliance (TISA), a cross-industry membership body, has signed up “several leading financial services firms and identity companies” including Barclays, for its digital ID scheme.
Major banks are working on digital identity schemes – and often with various digital identity providers – to meet open banking and anti-money-laundering regulations, particularly for onboarding new customers.
The Scottish government is developing its own digital identity system.
Apple is launching a digital ID scheme in the US this year, which will inevitably reach the UK before long – most likely once it has access to gold-standard government data such as passports and driving licences. If Apple’s doing it, you can bet Google will, for Android phones. And if those two tech giants are successful, it pretty much blows away most of the rest of the market anyway.
Facebook already has an identity verification service, through its 2018 acquisition of Confirm.io.
Of course, all of this multitude / mess of services is meant to be given clarity and conformity by the launch of the overarching Digital Identity and Attributes Trust Framework from the Department for Digital, Culture, Media and Sport (DCMS), which announced plans this month to legislate for the creation of ODIA and laws to support a digital identity market.
Any firms wishing to receive certification to government-approved standards will have to join (and pay for) involvement, in the hope of avoiding a Wild West of providers. The carrot for taking part, and being regulated by ODIA, is access to that gold-standard passport and driving licence data. Frankly, that data is all the industry wants or needs, so it has to play the game. After a rocky start, however, the industry view is that DCMS has listened to its concerns.
The main industry worries now are over the vagueness of when this is all going to happen – DCMS has yet to commit to any timetable for when the enabling legislation will be in place.
While the trust framework is better than nothing, the chance of it ensuring widespread compatibility between all these different digital identity systems, seems vanishingly small. Every digital ID you use might carry an ODIA trustmark, but that won’t necessarily mean that any trustmarked digital ID system will let you log in to every – or any – other service that’s also certified. You will have an approved key to open your door, but that key won’t open every approved lock.
As you may have gathered, everybody in government and across the private sector thinks digital identity is a great idea. Even more so, if you use their digital identity system.
It didn’t have to be this way – but it’s where we are. Chances are, we’ll all be using Apple or Google ID in 10 years. Hopefully One Login might be in use across a few government departments by then, too.