Here’s my paper providing an overview of Federated Identity for Access to UK Public Services: 1997-2020 (PDF):
As its catchy title suggests, it provides an historic overview of the UK Government’s approach to federated identity over the past 23 years, segmenting the journey into three stages:
- the 1990s, and early government work with third parties from 1997 and the publication of its first authentication framework in 1999
- 2000 onwards, and the continuing development of the authentication frameworks for individuals and organisations; the creation of tScheme and the use of accredited third parties; and the launch and development of the government’s first federated identification and authentication platform (the Government Gateway)
- 2010 onwards, and the continued iteration of the government’s authentication frameworks; the renewed interest in the use of tScheme accredited third parties; and the launch of the government’s second federated identification and authentication platform (GOV.UK Verify), along with other related work including that of HMRC and DWP.
It also briefly considers three issues—the role of third parties, “identity”, and privacy—that have proved consistent, and important, thematic elements throughout this journey, and concludes with a summary of the current status.
It isn’t intended to be history for its own sake—it aims to improve situational awareness and hence narrow the gaps between long-standing policy aspiration and technical implementation. I think there’s an opportunity to make significant progress in the coming year or so, but only if we learn and apply the many lessons of what has often proved a somewhat circular and repetitive odyssey. Consider this for example—it’s from the Cabinet Office in 1996, a year before the UK Government started experimenting with trusted third parties:
Some transactions with government (e.g. to claim a benefit) require proof of financial circumstances. This might be provided by one or more financial institutions such as a bank or a building society. Clearly, such institutions cannot send information about their customers to government on a regular basis. However, an arrangement might be put in place whereby a customer could authorise government … to request specific data from financial institutions. Arrangements would have to be put in place between government and financial institutions, to enable such authenticated requests to be forwarded and responses supplied to government.
That was written twenty-four years ago. Twenty-four years. And yet it sounds remarkably similar to what could now be achieved with an appropriate agreement between, say, users, Open Banking and public sector service providers. After all, the value of verified attributes was recognised long ago as being at least as important as “identity”—the government’s original 1999 authentication framework has numerous references to attributes, including the need to ensure:
… that the attributes associated with the identity are consistent, accurate and recorded in standard form.
Possible measures to ensure that attributes submitted … are accurate include … requiring that a trustworthy person or organisation confirm the information given.
Maybe it’s time to reset and radically simplify the technical approach—whilst ensuring trust through effective privacy and security—to reflect this pragmatic policy of 2000:
– work with a range of trusted service providers, to ensure interoperability with government processes
– identify where the marketplace is adopting suitable technologies for secure transactions and access, and ensure that the Government makes full use of these to meet electronic service delivery targets
All a bit “back to the future” perhaps, but worth reconsidering the second point above in particular given the rich variety of identity-related initiatives available that government could now tap into. Anyhow, read the paper and see what you think.