Beyond go live: what next for GOV.UK Verify?

With platform now classed as live service, ID assurance programme head Janet Hughes rules out expanding use for age checks or full replacement of Government Gateway

As promised, the GOV.UK Verify ID assurance platform today switched from a public beta to a live service with the simple removal of an online banner, yet work continues to develop functionality and standards that will support individual access to central and local government services.

Planned to link up gradually with 50 government services online, Verify aims to allow users to select one of several pre-chosen companies to perform a check on their identity in order to access government online services at a level of assurance (LOA) 2 security standard. This equates to a level of assurance for identity services that would stand up in a civil court.

Rather than a like-for-like replacement of all the functions undertaken by the longstanding Government Gateway system, Verify is intended – over time – to handle all login and enrolment functions for individual users looking to securely access government public services online.

Janet Hughes, identity assurance programme head at the Government Digital Service (GDS), said that there were no plans to look to consider using Verify for other Government Gateway functions like business service transactions with departments.

“We did some discovery work on this, probably a couple of years ago now, where we investigated, given what we’re building, should we look at businesses and agents as part of this? We did some joint work with the Department for Work and Pensions (DWP) and HM Revenue and Customs (HMRC) in investigating that over some weeks and months,” she said.

Citing the significant different challenges in not just dealing with ensuring the correct person with authority in a company is able to access these online services, but also the very specific needs of different departments, Hughes said it was decided not to use Verify for corporate access needs.

“For example, if you are the Intellectual Property Office, you need to know particular things and have particular risks to do with the service you are offering. So it’s very important that confidentiality is maintained at all costs. Whereas if you are HMRC you have a very different set of risks and issues to think about,” she added.

“So at that time certainly, we couldn’t see a case for a cross-government approach, other than to the extent that cross government standards are valuable so there is consistency in the level of security that is offered.”

While not drastically changing the current functions of the service, Hughes said that the switch to a live service classification this afternoon had meant work could move forward on expanding potential opportunities with local government.

She added that with the platform’s digital by default service standard and privacy impact assessments both being completed last week, the end of verify’s beta phase was more of a symbolic, if exciting development for the platform.

“The other thing it does mean is that we are ready to start thinking much more actively how Verify might be used outside of central government as we have always built it with that in mind and standards have been designed [for this purpose],” she said.

“We’ve obviously been working through the Open Identity Exchange (OIX) and doing pilots and discovery projects for ages, but we’re now thinking much more actively, in collaboration with the private sector, local authorities and others, about bits of or all of Verify that can be reused.”

Building on existing work with Warwickshire County Council around verifying and sharing personal data using common standards derived from Verify to support applying for the Blue Badge parking concessions, a “wider range” of pilot projects with authorities were being planned.

“We’ve had a workshop with interested local authorities and we’re now looking at where are particular opportunities to do more pilot work this year and some more beta work. So this would be using live data and real people to do real things, rather than prototypes which is mainly what we have been doing with Warwickshire,” she said.

With Verify now classed as a live service, Hughes argued there remained a lot of work ahead as part of the iterative design and development to link the platform with a growing number of government services.

However, she said it remained vital to “relentlessly focus” on the core aim of GOV.UK Verify, as opposed to hypothetically trying to expand its scope in areas like age verification as an additional potential use.

Although there had been no formal request to consider handling age verification under GOV.UK Verify, Hughes said that there has been industry discussion around the relationship between the platform and age checks. She said this was an area her team had quite deliberately not sought to get actively involved in, outside of providing advice on how a standards-based approach may help.

“One example where it’s been speculated we could help solve a problem is age verification. While it’s true that is a related thing, you ought to be able to do this anonymously for numerous purposes. So you shouldn’t have to say who you are in order to demonstrate you are over 18 or over 65 of whatever it is you are trying to prove.”

Although discussions had been held over the relationship between standards for identity and age verification, Hughes said she believed it was important and best for Verify to resist any possible temptation to expand its scope due to the additional complexities of such a focus.

She added that as a result of its ongoing focus around shared and interoperable standards and ongoing involvement and discussions with the Open Identity Exchange (OIX) group, the GOV.UK Verify team nonetheless did take part in discussions around age checking.

“It is really important that we have those places where we can take part in those discussions and make sure we are part of the overall community of people trying to solve all these problems,” Hughes said.

In the same week that Verify has completed its live service switchover, the British Standards Institution (BSI) confirmed it was working on putting together a means of identity management to be used at higher levels of assurance by organisations and individuals alike.

Working with the MIDAS Alliance, the BSI said the proposed standards, known as PAS 499, would be a necessity in a changing European data regulation landscape.

Hughes said that although it was early days for the BSI’s work, her team within GDS would look to be involved in discussions about the standards.

“We’re particularly interested as the MIDAS work that comes out of it is actually primarily focused on the payments sector and that’s where the genesis of this work is,” she said.

“We’re really actively involved in that sector, both in the banking sector and financial sector, because the Verify standards, which are aligned with other international standards were designed to help meet a much wider number of requirements other than those of central government.”

Hughes argued it was important to ensure interoperability between these different standards.