Summer launch planned for GOV.UK Verify private sector testing
Three companies in place to set up a ‘Sandbox’ environment to test separate hubs that can potentially link the finance and retail sectors to Whitehall ID assurance platform
Three companies are set to provide identity hub services to support the Cabinet Office’s ambitions to link its GOV.UK Verify platform with the private sector in a test environment designed to inform a potential live service at a later date.
With the Government Digital Service (GDS) intending to expand GOV.UK Verify users from 1.18m to 25m people by 2020, companies, as well as the wider public sector, are viewed as potential areas to build up interest.
To press forward with these aims, Mvine - a company classed as a small or medium-sized enterprise (SME) – as well as SiteKit and Safran have been named as meeting the requirements to initially support a ‘Sandbox’ strategy with a view to creating an open market for trusted identities.
This would have applications for both government and commercial services that could theoretically support individual user identity assurance needs, as well as those of business and agencies that are currently supported by a separate Whitehall identity solution called the Government Gateway.
The environment is understood to have been set up to allow various parties and bodies including the insurance, banking, retail, transport, as well as healthcare sectors, to test and trial linking up services with Verify in safety. Live transactions will not be handled through the Sandbox and are expected to be supported at a later date via a separate arrangement.
A total of 30 organisations expressed interest in being part of the Cabinet Office engagement to look at testing potential for using its ID assurance platform with the online services of various companies. The initial aim was to shortlist around four of these companies, it is understood.
However, three companies have so far been able to meet calls to conform with and complete a required self-certification process and then demonstrate a working identity hub to the Cabinet Office.
Verify is designed to remove the need for a central database of information, instead asking users to select one of several pre-chosen companies to perform a check on their identity in order to access online services at a level of assurance (LOA) 2 security standard. This equates to a level of assurance for identity services that would stand up in a civil court.
However, the exact timelines to launch a potential live service for private sector organisations to start using the platform are still uncertain and a potential point of contention may arise in the differing needs of companies and government. Whitehall is understood to want to undertake beta projects for up to 18 months.
This may yet require a more fast tracked approach from the Cabinet Office with regard to the technical and commercial terms it may offer through the programme to meet commercial interest.
According to Mvine director Frank Joshi, like Verify itself, the sandbox will work to LOA 2 standards. However, the company claims its ID hub function will be able to add additional attributes from multiple sources, based on user consent, for applications that may need further assurance.
“Different levels of assurance with different sets of attributes to different Relying Parties,” he said of the process. “This is true distributed digital identity at work. It must be able to do this for the private sector whose variations are greater than public sector in terms of what information is required to assure a given identity. “
The decision to trial a separate hub alongside Verify that would allow private sector bodies to link through to the platform has stemmed from a government need to avoid concerns about the selling of identities to companies. It is also intended to curb the need for a plethora of commercial agreements that may limit potential for uptake by organisations.
At present, the GOV.UK Verify Sandbox is expected to go live during the summer in an attempt to boost the reputation of the platform. GOV.UK Verify has faced criticisms from parliament and some identity providers regarding current adoption rates and the platform’s current remit.
This challenge of expanding user numbers in particular, as well as datasets that can support the service, has been identified by GDS as a key ongoing area for development since Verify was classed as a live service last year.
In potentially moving towards a future live service where private bodies might choose to link with Verify, it is believed that the current three ID hub suppliers would be required to negotiate terms with any additional attribute providers that may support their service. Contracts will also have to be agreed with any private sector bodies wishing to make use of Verify to allow access to their services.
David Rennie, industry engagement lead at the Cabinet Office, has previously pledged to address private sector interest to explore and test how Verify may work with their operations without impacting the existing service.
"To address this we are working with organisations interested in building test environments that simulate how they might connect to certified companies,” he said last month.
“These environments will enable these organisations to understand some of the implications of a private sector Verify framework, including the requirements involved in connecting to Verify and the path to live operations.”
Related articles:NAO recognises GDS’ transforming role but warns of growing pains