Gov.uk Verify – the government’s flagship digital identity system – faces a critical few months ahead. Again.
As the clock ticks down towards the end of March 2020, when further public investment in Verify ceases and the system is taken on by the private sector, significant questions remain over the viability of Verify.
In particular, three major issues need to be addressed:
- Rules of access to government-held data by external identity providers (IDPs) for non-government transactions;
- The cost of IDP services, once the Government Digital Service (GDS) no longer subsidises the fees paid by the Whitehall departments that use Verify;
- The role of Verify in the mooted digital identity ecosystem that GDS needs to stimulate to justify the £175m invested in the troubled programme.
There was a combination of relief and exasperation last month when GDS and the Department for Digital, Culture, Media and Sport (DCMS) announced a consultation and call for evidence on the future of digital identity in the UK.
Relief, from the private sector companies frustrated by their exclusion from Verify, and which believe that Verify’s problems have hindered their market growth. Exasperation, from digital identity experts who understandably ask why has the consultation been left so late, and what has GDS been doing all this time that it now needs to issue such a back-to-basics request for input?
You can’t escape the fact that a programme that’s been running for six years, has waited until less than nine months before it’s handed to the private sector, before publicly asking for advice on the respective roles of the private and public sectors in creating a digital identity market. And even that has only come about mainly because of pressure from DCMS.
At the same time, the longstanding leader of the Verify team, Jess McEvoy, has shifted sideways to a new role. While the Cabinet Office says she remains involved with Verify, her previous job as programme director has been taken on by Lawrence Hopper, formerly head of policy and strategy. Lisa Barrett, director of digital identity since March, is now senior responsible owner (SRO) for the Verify programme.
Further pressure mounted this month when the Infrastructure & Projects Authority (IPA), the government’s major projects watchdog, raised Verify’s status from “amber” to “red” in its latest annual report. “Red” is defined as having problems that are “currently impossible to manage or solve”.
The IPA rating is based on an assessment conducted in September 2018, only two months after an IPA review recommended that Verify be scrapped.
At an event in June this year, Barrett revealed for the first time that the IPA’s concerns related to doubts in 2018 over whether the existing IDPs would continue to support Verify. Subsequently, two of the seven IDPs decided not to, while five signed up to new contracts that should lead to the companies taking over Verify in April next year – theoretically mitigating the problems the IPA identified.
But it’s that critical role of the IDPs, and their commitment to the programme, that remains one of the big issues to resolve.
Access to government data
The most valuable part of the Verify system, as far as the remaining IDPs are concerned, is the Document Checking Service (DCS), a tool that allows them to check a user’s passport or driving licence against data held by HM Passport Office (HMPO) and the Driver and Vehicle Licensing Agency (DVLA).
Passports and driving licences are the highest standard of identity verification available, and as such are essential to the IDPs’ involvement in Verify. Without the ability to check against that data, the difficulties of assuring an individual’s identity are significantly higher – and the business risk for the IDPs is greater.
Computer Weekly understands that when the DCS was created, HMPO and DVLA agreed to allow access to their data to support Verify for the delivery of government services only. According to insiders, neither organisation has given permission for its data to be used in private sector transactions.
Therefore, if Verify is to be used to support private sector services – which GDS wants to happen, and which the IDPs expect to be allowed to do – HMPO and DVLA need to give their approval.
To that end, GDS is to run a small-scale pilot where HMPO data will be used for existing Verify users, operating through an existing IDP, who wish to re-use their Verify identity to access a commercial service, such as applying for a credit card. This will be an important milestone for the use of Verify in the private sector.
The trial may, or may not, eventually include testing the use of passport data for creating a new Verify identity for a non-government service.
Amazingly, the Cabinet Office told Computer Weekly that the design of the pilot will not be finalised until after the call for evidence has concluded in September – meaning that even the limited wider trial of DCS will not start until barely six months before the March 2020 deadline.
It’s also notable that DVLA is not involved in the pilot. Our sources suggest that DVLA is so far refusing to allow its driving licence data to be used for non-government services at all – not even for a limited trial.
This has major potential implications for the IDPs. Only two of those IDPs really matter – the Post Office and Experian, which between them are responsible for over 80% of all the existing Verify users.
The attraction for IDPs of working with Verify comes from customers that signed up to public services – such as Universal Credit or tax self-assessment, the two highest-volume digital services – being able to re-use their Verify identities for commercial transactions.
If, however, passport and driving licence data cannot be used for commercial services, then the ability to re-use a Verify identity is limited. IDPs would not be able to use the trust levels embedded in HMPO and DVLA data to assure those individual users – which means the assurance levels are likely to fall below acceptable criteria for the commercial service, such as a bank or e-commerce firm.
In such a situation, IDPs would need to rebuild those assurance levels from other sources – which is costly, time-consuming, and likely to be a terrible user experience. For a big IDP like Post Office or Experian, this could even undermine their entire business case for using Verify.
Note that Post Office has a further challenge, in that it is acting as a reseller for another of the Verify IDPs, Digidentity, which means the Post Office is probably operating with thinner profit margins. The loss of DVLA or HMPO data would most likely have a greater financial impact on Post Office than any other IDP.
Rumour has it that IDPs have an option coming up in the next few months to give GDS notice they will no longer be involved with Verify after March 2020. If that’s true, then the issues around access to passport and driving licence details could come to a head very soon.
Cost of user verification
Much of the budget for Verify has been spent on subsidising the cost of registering and maintaining users – according to the National Audit Office (NAO), that’s accounted for 38% of costs, which equates to about £60m so far. GDS has, in effect, been paying much of the private sector IDPs’ development costs.
A fee is charged by an IDP for every user successfully registered – about £20, says NAO – and then a lower annual fee for every user that remains active. The charges were renegotiated as part of the new IDP contracts agreed in October 2018 that last until March 2020, to reduce sign-up costs and introduce incremental price reductions as user volumes increase. The NAO said that for Verify to become cost-neutral by April 2020 – the stated government goal – the cost of verifying identities needs to fall by 95%.
However, the Whitehall departments whose online services use Verify, currently pay significantly less than the IDPs are paid. GDS subsidises the fees to make Verify cost-effective for departments, such as HM Revenue & Customs (HMRC) and the Department for Work and Pensions (DWP). Sources suggest that departments pay only £1.20 for the initial sign-up, with GDS funding the remaining £18.80.
It’s also not clear how IDPs are now paid for subsequent use of a Verify account – specifically, whether they charge a cost per login for existing users. GDS won’t discuss sensitive commercial details, but if such charges are being made, this highlights another important concern.
Imagine you’re a major department relying on Verify – such as DWP, where Verify is used as part of its Universal Credit (UC) welfare system – and you no longer have GDS subsidising costs. Benefits claimants on UC are encouraged to manage their account entirely online – requiring potentially numerous logins per month. If DWP has to pay £20 per user up-front, then a further fee for every subsequent login, that quickly starts to become very expensive, especially when UC is rolled out to millions of people.
Verify is set to reach an important milestone soon – five million registered accounts. That’s a decent number – one which could have been seen as a success, were it not for how poorly GDS managed expectations for Verify in its early days and in the 2015 business case, and set a massively over-ambitious target of 25 million users by 2020, against which success has instead been measured.
It’s a chicken-and-egg conundrum for Verify – GDS needs to increase user volumes enormously to reduce IDP fees by 95% to make the system affordable for government after March 2020. But Universal Credit roll-out has been delayed, and as of the NAO report in March, only 4% of HMRC tax self-assessment users opted for Verify over HMRC’s longstanding Gateway login system.
In a recent blog, GDS touted the January 2019 tax deadline as “having the most Verify users during a self-assessment peak”. Let’s see what that means.
According to GDS figures, in the five weeks leading to the deadline, an average of 50,145 users signed up per week. In the five weeks after the deadline, the weekly average was 45,986 – just 4,159 less. That suggests only an additional 20,000 Verify users during the five-week self-assessment peak – an improvement over previous years for sure, but not exactly a figure to generate hyperbole about.
Since then, about 40,000-45,000 new users have signed up with Verify each week – surely not enough to increase volumes to a level that will cut IDP fees by 95% in the next six months. And especially not if DWP were to waver in its commitment to Verify – on which topic, read on…
Verify and the private sector
There has been a noticeable change of language from GDS recently. Where once we were told that Verify would become a national digital identity system across public and private sectors, now we hear that Verify is simply one implementation of the technical standards, known as GPG45, which will underpin the wider ecosystem.
That £175m programme cost seems even more money if its main outcome is agreement on an industry standard and little else.
Already, there are other digital identity schemes starting to emerge from the private sector that may make Verify redundant. The banks, in particular, are finally working together on identity standards in support of open banking and PSD2 regulations. Banks also have to consider rules around money laundering and “know your customer” (KYC).
When McKinsey was brought in to review the Verify programme in 2017, the consultancy concluded that one of Verify’s biggest failures was its lack of involvement from the big retail banks. McKinsey recommended that for Verify to be a success, it would need to be integrated into multiple banking services and attracting new users through those banks, by the end of 2019. Clearly, that hasn’t happened.
While GDS is engaged with the banks on their identity schemes, the aim is interoperability – for a digital identity created by a bank to be re-usable for government services, and vice versa. It’s not about using Verify as part of the banks’ ID schemes.
So that would leave Verify as the technical implementation of GPG45 used within UK central government. But how long would even that last?
We already know that only a single-digit percentage of HMRC users prefer Verify to Gateway. So what about DWP, and the potentially millions of Universal Credit users?
DWP recently announced a procurement exercise intended to “to reduce its reliance on current identity solutions”. For Universal Credit, users first establish a UC login, and then their identity is assured using Verify – with users subsequently encouraged to use the UC login once they are registered on the system.
According to sources with knowledge of the new procurement, DWP wants to further abstract UC login from the underlying ID assurance system used to prove the identity of benefit claimants – currently Verify. This could allow DWP to quickly plug-in alternative digital ID schemes, to eliminate its dependence on Verify. Existing Verify IDPs and other commercial ID providers could then offer their services in support of Universal Credit.
DWP is also understood to have another issue caused by Verify. When the new IDP contracts were set up last year, and two of the previous IDPs dropped out, that disconnected approximately 380,000 Verify users from the IDP through which they signed up.
Verify uses what’s called a “double-blind” approach to protect users’ privacy. This means that an IDP does not know which government service a user wants to access, and the government department doesn’t know which IDP the user has registered with.
Users who originally registered with the two IDPs that dropped out of Verify will be supported by those IDPs for 12 months – after which they will need to re-register with another IDP. Most likely, those users have no awareness of this fact.
For DWP, this potentially means tens of thousands of benefit claimants who may suddenly find their Verify account no longer works. And because of the double-blind privacy, DWP has no way of finding out who are the affected users, nor even how many of them there are.
Imagine what might happen, if large numbers of those disconnected users can no longer access their UC account, even temporarily, and the strict rules around UC mean their benefit payments get sanctioned or suspended?
If other IDPs pull out, especially those with even more registered users, that becomes a massive issue for Universal Credit. Could anyone blame DWP for wanting to mitigate against such an outcome, with all the negative publicity it would bring?
And without those Universal Credit users, what would be left for Verify?