In December 2018, we blogged about what’s next for Verify. The programme’s main aim continues to be to help users create, use and reuse digital identities across public and private sector services.
One way we do this is by publishing and maintaining identity standards. In response to feedback, we’re now improving the standards to make sure they are easy to follow and use.
That’s why we’ve rewritten the government guidance on identity checking.
To do this, we worked closely with the cross-government Identity Standards Working Group, threat intelligence experts on the Verify programme, identity experts on the Verify programme, identity experts from other countries, and private sector organisations.
Why the identity standards are important
While the Service Standard helps the government create and run good digital services, the identity standards help public and private sector organisations know that their users are who they say they are. This minimises fraud and error that can cost organisations, and the taxpayer, significant amounts of money.
Providing a standardised way to check identities means an organisation can feel comfortable reusing identities that another organisation has already checked.
This also means that, soon, a user could have just one identity account that they use to access multiple public and private sector services. For example, it could be possible for a user to use an identity account they created to access a government service to also access their online bank account.
It will also help build trust between users and organisations. The user can be sure their identity will be checked securely, which makes it less likely that someone else could pretend to be them.
GOV.UK Verify is an example of a product that was built to meet the UK’s identity standards. It gives users a way to create a digital identity which they can then use to access multiple government services.
Why the identity standards needed to be updated
To encourage more organisations to follow the identity standards, we decided to make them more comprehensive and easier to understand and use.
We started by trying to understand how people use the existing identity standards, which are made up of several pieces of guidance, known as Good Practice Guides (or GPGs). Perhaps the most important piece of guidance is GPG 45, also known as ‘Identity proofing and verification of an individual’.
We published the first version of GPG 45 in 2012 and carried on updating it until 2018. However, we wanted to expand on some parts of the guidance, such as biometrics and how to check someone’s identity remotely.
We also wanted to find out how people use GPG 45. We spoke to users of the guidance from a range of departments, agencies and private sector organisations across the country.
Making the guidance easier to understand
Our research showed that the guidance was difficult to understand and interpret. This is because it was written using a lot of technical language. This supports what we already know about how technical language and jargon can slow down both expert and non-expert users. For example, research into legal communication, by Christopher Trudeau, professor at Thomas M. Cooley Law School in Michigan, found that the more complicated the subject, the greater the reader’s preference for plain English. It also found that the more educated the person, and the more specialist their knowledge, the greater their preference for plain English.
That’s why we rewrote GPG 45 in plain English. A content designer pair-wrote the new guidance with subject matter experts to make sure it was both correct and clear.
The guidance was previously only published as a PDF, which made it harder to find, use and maintain. More importantly, PDFs can often be bad for accessibility and rarely comply with open standards.
So, the new version of the identity standards has been published in the HTML publication format.
Helping more services and organisations meet the standards
We’ve added a lot more ‘identity profiles’ to the new version of GPG 45. Identity profiles are combinations of different parts of the identity checking process which help users get a level of confidence in someone’s identity. Thanks to the additional identity profiles in the updated guidance, there are now more ways for services to meet the guidance and get the level of confidence they need.
We’ve also added guidance on how to check someone’s identity remotely and worked with the National Cyber Security Centre to explain how to use biometric information for identity checks.
The new version of GPG 45 has been published on GOV.UK, but the work doesn’t end there. We’ll continue to iterate the guidance based on users’ feedback and technical advancements in identity checking.
As part of our continuing improvements, we’re looking at what other standards and guidance could be helpful for services that need to trust and use digital identities. We’d like to know if you or your organisation have experience designing, running or taking part in standards-based frameworks – please email email@example.com.
We’re also designing a new tool to help services check whether their existing identity checks meet the identity standards. Email firstname.lastname@example.org if you’d like to take part in the user research we’ll be doing for this work.