Guidance on identity assurance for government departments and service providers.
Find out more about our approach to identity and privacy on the Identity Assurance blog.
Being able to prove your identity online easily, quickly and safely is recognised as a key enabler of internet use by the government and its users. Providers of public services such as national and local governments, major internet companies, online retailers, banks and others have to address business and security issues around identity proofing and username/password fallibility to mitigate the financial and administrative implications of identity fraud and compromise of personal data.
The Identity Assurance Programme is a core element of the digital by default policy pursued by the Government Digital Service within the Cabinet Office. The programme is working on the development of identity assurance schemes in the UK that citizens, business and devices can use online to assert their identity safely and securely, so that they can access and use public services.
Through a standards based approach, contracted and certified private sector organisations (identity providers) enable citizens to use evidence they own as part of the process for validating and verifying their identity.
Once they have proven their identity with an identity provider, the identity provider can authenticate the identity with multiple public services (relying parties) as and when required to by the citizen.
The programme uses a ‘hub’ (technical intersection) that allows identity providers to authenticate identities to relying parties without:
- government centrally storing an individual’s data
- privacy being breached by exchanging unnecessary data
- either transacting party openly sharing user details
Determining a service's assurance requirements
The owner of the service carries out a risk assessment to understand and quantify the relevant security and information risks to the service. One of the areas covered by the assessment is personal registration and authentication. This determines the level of assurance (LoA) required for the identity of the user.
Provisioning identity assurance
A number of checks are carried out to prove that a claimed identity is that of a real person and belongs to that user. The higher the LoA required by the service, the more thorough and wider the checks are.
Once an identity has been verified, the user is given a means to authenticate (credential) with the identity provider so that they can assert they are still the owner of the identity.
- Detailed guide
Provisioning supporting security services
This content sets out the important contribution that Transaction Monitoring (TxM) can make in helping to counter the risk of electronic attacks against online public services.
Users wishing to sign in to online government services using identity assurance need to prove their identity using a certified identity.
The Identity Assurance Hub Service SAML 2.0 Profile describes the authentication process from the perspective of identity providers, service providers and matching services.
There are also specifications associated with this profile describing:
- the attribute data that may be required during the authentication process to government services using IDA
- the levels of assurance asserted by identity providers