blvdone - Fotolia

Government preparing to let private sector companies use its Verify identity scheme

The Cabinet Office is talking to banks, insurers and retailers to establish Gov.uk Verify identity assurance as a national scheme

The government is preparing to let people use its new identity management system with private sector companies, in an attempt to establish it as a national electronic identity scheme.

The Cabinet Office has begun informal talks with banks, insurance companies and retailers about giving them access to Gov.UK Verify, the identity assurance platform it developed to replace Labour’s controversial National Identity Scheme that was scrapped in 2010.

It is also preparing to start formal talks to establish technical parity between Verify and commercial identity systems, such as those that vet people logging into bank accounts, applying for finance, seeking permission from insurers, or using credit cards.

Sarah Walton, a former Silicon Valley internet entrepreneur now working as a digital innovation consultant on Verify for the Government Digital Service (GDS), told a conference on 10 June 2015 that GDS was working with industry to work out how its ID scheme could be used outside the public sector.

“We would like the private sector to be able to use Verify for private transactions – buying books, online banking,” Walton told security industry experts at the SDW 2015 conference in London.

The Cabinet Office had begun doing this through the Open Identity Exchange (OIX), which Walton said came out of US president Barack Obama’s identity team in the White House about five years ago. The UK government joined OIX in June 2012.

“In the UK now, we have UK banks joining, and various other UK organisations,” said Walton. “We’ve engaged the banking sector, the insurance sector, and we are moving into the retail sector as well. It’s essential that this becomes more and more comprehensive in terms of organisations involved.”

Such widespread commercial adoption is essential for the sort of identity system the UK has implemented in Verify, Walton said. The US-designed system is a federated identity model, which requires all identity systems to talk to one another.

Identity providers

OIX began as an initiative to make the multitude of different ID systems used by government and businesses compatible with one another. People’s identities would be issued by government-sanctioned companies called identity providers, and their entitlement to perform actions such as claiming social security or applying for a bank loan would be verified by combining data about their history from a multitude of data gatherers called attribute providers, such as credit reference agencies and government departments.

Verify has replaced the previous preference under the Labour government for all ID assurance under one central, national system, with the US preference to make all ID systems part of one compatible ecosystem.

Read more about Gov.uk Verify

Julian White, an identity assurance advisor to the Cabinet Office, told Computer Weekly that Verify would not be just another national ID card scheme under a different guise when it is rolled out to the private sector.

“Under a National Identity Scheme, the government does everything – collects everything and monitors its use,” said White.

“What we are trying to do is decentralise it so the identity providers do all the work. It is still a government scheme. But we can’t see what they do inside. We can’t see all your data. The service provider has this information.”

But the Cabinet Office was anxious about the possibility Verify could be seen as another national ID scheme when the private sector adopted it.

“That’s one reason why we’ve not rolled it out to the private sector – because it’s our rules, our scheme. And all the complexities that go round that need to be addressed. If we spend all our time doing that now we will never get Verify up and running for government,” said White.

Walton told the conference the Cabinet Office wants private organisations to join Verify because that would increase the amount of identity transactions it processed. “There has to be a benefit to the private sector because that’s where we are going to get the volume,” she said.

White said the scheme’s service providers are currently paid by the Cabinet Office. “Whether that’s the funding model that will continue forward, I can’t tell you. But as of today, the service providers don’t pay. We pay centrally.”

Vetting bank customers

Barclays, the first UK bank to join OIX, was also the first bank to become an identity provider under Verify. PayPal and Royal Mail are among the other companies becoming identity providers under Verify, as well as credit reference agency Experian, the Post Office, Verizon and Digidentity. Their participation until now has been as providers of ID assurance services, but banks and companies would become users of Verify as well – to vet their own customers – under this latest Cabinet Office proposal.

Walton would not say which other banks and companies were involved in talks about extending the government scheme. She said the information was private until they had formally joined OIX.

“One of the things we get out of OIX that’s very important for UK government at the moment is we draw all of the UK organisations into the conversation with us,” she said.

“So we are hoping to enable trust. For that to happen with lots of closed market organisations such as banks, we need to have open and transparent conversation and open standards.”

The Department for Environment, Food and Rural Affairs (Defra) was the first to implement the Verify scheme, to allow farmers to prove their identity to claim subsidies. HM Revenue and Customs (HMRC) followed with a trial of the service to help the public complete their online self-assessment tax returns and, more recently, to apply for marriage tax allowances.

Both departments came under fire from some early users who said the system was too complex and could not verify their identity. Currently, Verify uses a limited number of assurance methods and anyone without a suitable record, such as a credit history, would be rejected. Other methods will be rolled out in future.

Towards the end of 2014, the government predicted the service would be used by almost half a million people by April 2015 for services such as Universal Credit claims and updating driving licence details for the DVLA, but roll-out has not proceeded as quickly as anticipated.

Read more on Identity and access management products