BSI starts work on new online identity and authentication standard

New PAS 499 standard could be ready in nine months with implications for identity assurance across Whitehall, advocates suggest

The British Standards Institution (BSI) has confirmed that it has started work on developing a new standard for enhanced identity and authentication online.

Details of the standard’s development emerged the same week that the government’s identity assurance platform, GOV.UK Verify, is due to go live, leading to a suggestion that the Verify team within the Government Digital Service (GDS) should consider engaging with both the MIDAS Alliance and the BSI.

That could help produce an identity service that can be used at higher levels of assurance, by organisations as well as individuals, and across a range of sectors, including both the financial services sector and the public sector, as well as being adopted internationally.

The BSI, working with the MIDAS Alliance, believes the standard, known as PAS 499, is a necessity.

Identity and authentication underpin all online transactions, while recent legislative developments, ranging from the Electronic Identity, Authentication and Signatures Regulation (eIDAS) to the General Data Protection Regulation (GDPR) and the financial-services-specific Payment Services Directive 2, have acknowledged a need for greater degrees of cyber security to be adopted.

PAS 499, which advocates believe could be developed in as little as nine months, is expected to give recommendations for identity, validation, verification and authentication for online transactions and services in this context. It will cover privacy-enhancing technologies (PET), personally identifiable information (PII), enrolment at different levels of assurance, strong authentication, anonymity and anti-money laundering (AML), liability, device identification, mutual authentication, and biometrics.

A PAS (Publicly Available Specification) is a document that standardises elements of a product, service or process. PASs are usually commissioned by industry leaders, typically individual companies, SMEs, trade associations or government departments. Commissioning a PAS can put the originator in the driving seat for setting the agenda in their sector, helping them work with regulators, set an agreed level of good practice or quality and establish trust in an innovative product or service, the BSI says.

It emerged that GOV.UK Verify would go live this week, probably today. GOV.UK Verify, which aims to allow users to select one of several pre-chosen companies to perform a check on their identity in order to access government online services, had been scheduled to shift from its beta phase to a live service by the end of last month.

Last week, identity assurance programme director Janet Hughes admitted that “live is really just the starting line.” She said, “It means we’ve met the standard required of digital by default services – rightly a tough standard to meet. Users can be assured that GOV.UK Verify is safe, secure, easily improved and meets user needs.”

“It means we’re ready for larger-scale adoption by departments – we’ve got a lot of services in our pipeline preparing to start using GOV.UK Verify over the next year (it will be a gradual, careful, ongoing process, not a ‘big bang’ switchover) and we’ll be posting more about that shortly.”

However, some privacy and security campaigners remain lukewarm on Verify’s progress. Their criticism is that it is an 18-month project that is three years late, that it provides only low assurance for central government, that providers achieve only a 50% success rate, and that an order of magnitude fewer people are trying to use it than originally predicted.

Meanwhile, larger departments say they are still evaluating Verify, with DWP weighing up its use for Universal Credit.

A spokesperson for the department has told Government Computing that as it gradually seeks to test and nationally roll out a new enhanced Universal Credit digital service to manage ongoing welfare reforms by the end of the decade, a decision is yet to be made over its ID assurance needs.

“Currently claimants prove their identity by showing ID to their work coach. We are evaluating the Verify system and will announce any plans in due course,” said a spokesperson.

One suggested way forward is for Verify “to stop attempting to paddle” and offer to join in the development of the BSI standard. Some experts believe the new PAS 499 standard could also provide an opportunity for local government to adopt something that perhaps better aligns with what local people are using in the everyday world of internet commerce.

Perhaps significantly, a report published in April by the Payment Strategy Forum’s Financial Crime, Data & Security working group argues for the creation of a technical standard for identity in payments. The standard would “define and recognise the key capabilities that payment service providers need to bring to bear” as well as “the principles of operations related to identity.”

The standard would support innovation in several key capabilities, including identity validation and verification, enrolment and issuance, authentication, information and attribute exchange and confirmation and payment risk assessment.

The document recognises that establishing a technical standard will overlap with a number of other pieces of existing and proposed legislation and rules, as well as a number of industry standards which are not enforced by regulation or legislation, including GOV.UK Verify’s operating rules.

Development of the standard could be outsourced to an organisation such as the BSI, the paper suggests.

The paper proposes the creation of a collaboratively developed framework within which competitive and innovative solutions could be developed. Current initiatives that the paper considers include the MIDAS Alliance, the TISA financial services digital IT initiative, and implementation of eIDAS, a European regulation on electronic identification and trust services for electronic transactions in the internal market.