
Identity and Authentication

Successful and trustworthy online public services require appropriate levels of authentication and trust. Authentication and trust is a two-way dialogue: both parties in the online process need to authenticate each other to establish mutual trust.

Some services require no authentication or verification of identity whereas others require high levels of assurance. The state does not need to gather comprehensive personal information into its databases in order to be able to deliver better public services. Nor does it need to nationalise citizens’ personal identity: that undermines the very trust required to be successful.

Single sign-on, “joined-up” government services do not require a single identity token or single identifier. Indeed, the UK government has effective policies around the use of trusted identities from third parties (such as banks, Royal Mail and other organisations) developed in the early 2000s. President Obama’s team has recently taken up those UK policies and shown how they can deliver a vibrant, effective and citizen-centric approach to identity – one that the UK now needs to re-discover.

Citizens should be able to be anonymous and/or pseudonymous where appropriate in their online interactions. For example, it would not be appropriate for whistleblowers, abused spouses, children and others to be forced to disclose their true identities. Children posting online might wish to hide, for very good reasons, the fact that they are children, their age and so on.

An effective UK identity framework needs to ensure that it provides various levels of trust, identity and authentication. And to recognise that no single entity can – or should – collate an overview of all citizens’ activities. A design that uses a single, state-issued identity in a variety of transactions, and which always confirms a single specific identity, is both inappropriate and insecure, and potentially dangerous in many daily contexts: every transaction becomes linkable to every other, and the one credential becomes the one thing worth stealing. Technology enables better, more secure, more privacy-aware and risk-managed solutions: ones that are a better fit to citizens’ needs and the design of twenty-first century public services.

The UK, without a track record of national identity structures like those in other countries, has the opportunity to put into place a well-designed, twenty-first century identity framework that will raise the standard across both public and private sectors – and do so in a way that works for citizens, businesses and government alike.

Key principles

  1. Government is just one potential identity provider of many: it does not have, and should not have, a monopoly on citizens’ identity and authentication
  2. Government’s role is to ensure an overall governance framework for UK identity, but to confine its own identity-issuance and authentication functions to those areas where it is relevant (eg passports for people wishing to travel; driving licences for those eligible to drive).
  3. Government should support and promote the use of federated identity and minimal disclosure

Specific recommendations

Things to do

  1. Establish an independent public/private identity strategy organisation (along the lines of the Monetary Policy Committee), which spans public, private, voluntary, EU & international perspectives. It will take responsibility for defining and maintaining the all-up identity framework for the UK
  2. Speak with the Obama team who have taken the original UK identity and trust model and see what lessons can be learned for re-incorporation into the UK approach
  3. 90 days after the formation of the identity organisation, publish the UK’s proposed identity strategy for comment and review
  4. After 120 days, adjust in line with feedback and establish the new governance regime
  5. Identify “quick win” projects that will enable effective online authentication for public services using a federated identity and trust model (integrated benefit claims forms, etc): establish rapid deployment teams to deliver change and implement the new model
  6. Migrate the existing Government Gateway to (1) support minimal disclosure tokens (2) support federated identity including potentially Chip & PIN style authentication (3) not act as a “man in the middle” (4) remove phishing vulnerabilities (5) provide an API/toolkit for rapid adoption by orgs wishing to use federated identity (6) support CardSpace and client-based authentication protocols
  7. Open up direct.gov to (1) enable third parties, including local govt, to host govt services (2) stop being a monolithic portal (3) provide consistent APIs and data formats
  8. Architect an internal identity/authentication layer within the public sector that utilises the same information architecture design as external services
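Principle 3 and recommendation 6 both turn on “minimal disclosure tokens”: a credential from which the holder can reveal only the claim a given service needs (for an age-restricted service, “over 18”, not a date of birth), while the service can still check that the claim was vouched for by the issuer and has not been altered. The following is an added example, not code from the original page or from the Government Gateway; it shows the salted-hash commitment pattern that selective-disclosure credentials use. The claims, the issuer key and the names are constructed for illustration, and the issuer “signature” is an HMAC shared between issuer and verifier so that the example runs with only the standard library; a real issuer would use an asymmetric signature that verifiers can check without the issuer’s secret.

```python
"""Minimal-disclosure credential: the issuer commits to each claim with a
salted hash and signs only the commitments; the holder later forwards the
signed commitments plus just the claims a service asks for.

Added example, not part of the original page.  The HMAC stand-in for the
issuer signature is an assumption made so the code runs with the standard
library alone; replace it with an asymmetric signature (e.g. Ed25519) in
any real deployment.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer's private key


def _digest(salt: str, name: str, value) -> str:
    # Commit to (salt, name, value).  The per-claim salt stops a verifier
    # from guessing low-entropy values (a date of birth, a postcode) by
    # hashing candidates and comparing against the digests it was given.
    data = json.dumps([salt, name, value], separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


def _sign(digests: list) -> str:
    # The signature covers only the sorted digests, never the plaintext
    # claims, so the holder can drop claims without invalidating it.
    payload = json.dumps(sorted(digests)).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue(claims: dict) -> dict:
    """Issuer side: one salted digest per claim, signature over the digests."""
    disclosures = {name: (secrets.token_hex(16), value)
                   for name, value in claims.items()}
    digests = [_digest(salt, name, value)
               for name, (salt, value) in disclosures.items()]
    return {"disclosures": disclosures, "digests": digests, "sig": _sign(digests)}


def present(credential: dict, reveal: set) -> dict:
    """Holder side: forward every digest but only the requested disclosures."""
    return {
        "disclosures": {n: d for n, d in credential["disclosures"].items()
                        if n in reveal},
        "digests": credential["digests"],
        "sig": credential["sig"],
    }


def verify(presentation: dict) -> Optional[dict]:
    """Verifier side: check the issuer signature, then bind each revealed
    claim to one of the signed digests.  Returns the revealed claims, or
    None if the signature or any disclosure fails to check out."""
    if not hmac.compare_digest(_sign(presentation["digests"]), presentation["sig"]):
        return None
    digests = set(presentation["digests"])
    revealed = {}
    for name, (salt, value) in presentation["disclosures"].items():
        if _digest(salt, name, value) not in digests:
            return None  # value altered, or claim not in the signed credential
        revealed[name] = value
    return revealed


def demo() -> dict:
    # Constructed credentials for two fictional people.
    adult = issue({"name": "A. Citizen", "dob": "1990-05-01",
                   "postcode": "SW1A 1AA", "age_over_18": True})
    minor = issue({"name": "B. Citizen", "dob": "2010-05-01",
                   "postcode": "SW1A 1AA", "age_over_18": False})
    # An age-restricted service asks only for the predicate; the verifier
    # never sees the name, date of birth or postcode.
    revealed = verify(present(adult, {"age_over_18"}))
    # The minor flips the revealed value: the recomputed digest no longer
    # matches any signed digest, so verification fails.
    forged = present(minor, {"age_over_18"})
    salt, _ = forged["disclosures"]["age_over_18"]
    forged["disclosures"]["age_over_18"] = (salt, True)
    # Splicing another person's genuine disclosure into this presentation
    # also fails: its digest is not among the digests this signature covers.
    spliced = present(minor, {"age_over_18"})
    spliced["disclosures"]["age_over_18"] = adult["disclosures"]["age_over_18"]
    return {"revealed": revealed, "forged": verify(forged), "spliced": verify(spliced)}


if __name__ == "__main__":
    print(demo())
```

Two properties matter for the policy argument above. First, the verifier learns exactly the claims the holder chose to reveal and nothing about the others, yet can still tell the revealed ones are issuer-vouched and unmodified. Second, because the digests are salted per claim and per credential, two services shown the same credential cannot recover hidden claims from the commitments; they can, however, still correlate the holder by the digest list itself, which is why production schemes issue batches of credentials or use unlinkable signatures when cross-service tracking is a concern.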

Stop, challenge or review

  1. Remove ownership of identity strategy from IPS/Home Office (an effective and comprehensive identity strategy needs to be based on citizen, business and public service needs, not a narrow border control agenda)
  2. Establish an independent inquiry to establish why so many wrong decisions have been made about identity since around 2005, Ministers misinformed, costs overrun and so on
  3. Review the risk and liability models associated with using an authentication credential intended for one domain in another (eg using a bank card or a Passport or a driving licence in a context other than that which it was designed for)

Continue, support or resume

  1. Resume the UK’s former identity and authentication trajectory of the early 2000s: policies that support federated identity and trust models and the intermediary policy, with government as just one player, not THE player



One Response to “Identity and Authentication”

  1. Phil says:

    I’d re-cast ‘An effective UK identity framework needs to ensure that it provides various levels of trust, identity and authentication’ as ‘Any effective identity assurance framework (in the UK or elsewhere) needs to ensure that it provides various levels of trust, identification and authentication’. Your wording implies a single framework, and – unlike every instance up to that point – I feel its use of the word ‘identity’ is a bit imprecise.

    Similarly, I’d say principle 1 should read: ‘Government is just one potential *credential* provider of many: it does not, and should not have, a monopoly on citizens’ identity and authentication.’

    Principle 2 is more problematic. Government’s role may be to ensure/enforce proper governance of any identity assurance framework(s) operating in the UK – though its record to date makes it a pretty poor candidate. It may even have a place in establishing standards – if it can get over its obsession with its own administrative convenience. But ‘an overall governance framework’ could easily be misinterpreted to mean ‘one ring to rule them all’…

    Governments don’t issue identities. So, ‘credential-issuing and authentication functions’ or ‘identity assurance’ would be far preferable to ‘identity-issuance and authentication functions’.

    Principle 3: why not ‘adopt’, rather than ‘support and promote’? A bit of ‘leadership by example’ might help rehabilitate trust…
