Being able to prove your identity online easily, quickly and safely is recognised as a key enabler of internet use by the government and its users. Providers of public services such as national and local governments, major internet companies, online retailers, banks and others have to address business and security issues around identity proofing and username/password fallibility to mitigate the financial and administrative implications of identity fraud and compromise of personal data.
The Identity Assurance Programme is a core element of the digital by default policy pursued by the Government Digital Service within the Cabinet Office. The programme is developing identity assurance schemes in the UK that citizens, businesses and devices can use online to assert their identity safely and securely, so that they can access and use public services.
Through a standards-based approach, contracted and certified private sector organisations (identity providers) enable citizens to use evidence they own as part of the process for validating and verifying their identity.
Once a citizen has proven their identity with an identity provider, the identity provider can authenticate that identity with multiple public services (relying parties) as and when the citizen requires.
The programme uses a ‘hub’ (technical intersection) that allows identity providers to authenticate identities to relying parties without:
government centrally storing an individual’s data
privacy being breached by exchanging unnecessary data
either transacting party openly sharing user details
Determining a service's assurance requirements
The owner of the service carries out a risk assessment to understand and quantify the relevant security and information risks to the service. One of the areas covered by the assessment is personal registration and authentication. This determines the level of assurance (LoA) required for the identity of the user.
A number of checks are carried out to prove that a claimed identity is that of a real person and belongs to that user. The higher the LoA required by the service, the more thorough and wide-ranging the checks are.
Once an identity has been verified, the user is given a means of authenticating (a credential) with the identity provider so that they can assert they are still the owner of the identity.