GOV.UK Sign in: End-user digital identity checks

The report for GDS's GOV.UK Sign In: End-user digital identity checks service alpha assessment on the 15th of September 2021

Service Standard assessment report

From: Central Digital & Data Office (CDDO)
Assessment date: 15/09/2021
Stage: Alpha
Result: Met
Service provider: Government Digital Service

Previous assessment reports

  • N/A

Service description

The end-user digital identity checks in GOV.UK Sign in allow users of government services to easily prove their identity as part of accessing online services. The identity checks are designed to meet the levels of confidence described by the government standard for identity (GPG45). Users will use a wide variety of UK and non-UK documents to prove their identity. In the future users will be able to complete identity checks in non-digital as well as digital channels. All the identity checks happen inside the user’s GOV.UK Account and can be stored to be reused again and again in the future.

Service users

There are two main user groups:

  • end-users. These are the people proving their identity to access central government services. This includes anyone and everyone that uses any government service. They are the primary focus of this alpha assessment
  • service teams. These are the teams of people across government who run services which need to do identity checks with GOV.UK Sign in. They are mostly out of scope for this assessment (see below for more details)

1. Understand users and their needs

Decision

The service met point 1 of the Standard.

What the team has done well

The panel was impressed that:

  • the team has recognised that conventional personas would not do justice to the complexity of users’ lives and needs, and is instead using a ‘mindsets’ model
  • the team has used previous research and insight from Verify to inform the direction of the alpha and built on that knowledge as they’ve done further testing
  • the team has used a variety of methods to understand the wide variety of users and their very complex needs. Their determined and thoughtful approach to understanding what is needed to make an identity service available to everyone was particularly impressive

What the team needs to explore

Before their next assessment, the team needs to:

  • show how research from the mini discoveries the team is planning to run concurrently with the private beta (to understand the needs of potentially excluded users) and observations from more realistic testing during private beta work together to inform work to make the service more inclusive
  • show the impact of the further research the team plans to do to understand users with access needs

2. Solve a whole problem for users

Decision

The service met point 2 of the Standard.

What the team has done well

The panel was impressed that:

  • the team recognises that their service is just incidental to what the user is trying to do, and risks feeling like a roadblock to them
  • the team has considered the value to users of transparency around being handed off to a different service versus the value of seamlessness
  • the service aims to make someone’s verified identity usable across government services, reducing the burden on both users and services
  • the team have plans to work out how to share document information between their service and the one a user is actually trying to use, to avoid the user being asked for the same document details twice
  • the team is planning to make it possible for services to hand off to the identity service at any point in their service journey

3. Provide a joined-up experience across all channels

Decision

The service met point 3 of the Standard.

What the team has done well

The panel was impressed that:

  • the team is working with other government departments in a number of ways, having learned from Verify’s adoption challenges, for example involving DBS (the initial private beta service) in research sessions and having colleagues from the services using the identity service embedded in the service team - this should help to avoid disjointed journeys

What the team needs to explore

Before their next assessment, the team needs to:

  • ensure that the design of any elements (for example emails or forms) involved in diverting a user to an offline channel maintains the sense of one coordinated service

4. Make the service simple to use

Decision

The service met point 4 of the Standard.

What the team has done well

The panel was impressed that:

  • the team tried 3 very different ways of moving users through the service over 3 rounds of testing, and is now focusing on one that uses successful elements from all 3
  • the team started with minimal content - including error messaging - adding more only as the need for it was identified and validated
  • the team has plans in place for weekly design reviews in beta between teams in the programme

5. Make sure everyone can use the service

Decision

The service met point 5 of the Standard.

What the team has done well

The panel was impressed that:

  • the programme has a strong focus on inclusion
  • the team recognises the opportunity government data (such as benefit payments) provides to potentially create further knowledge-based identity questions, thereby widening the range of people who can more easily prove their identity

What the team needs to explore

Before their next assessment, the team needs to:

  • continue to test with users who have minority accessibility needs
  • test a wider range of ‘unhappy paths’ with a wide range of users
  • have a plan to provide an adequate range of alternative channels for people to use the service, including those who can only do their household admin outside normal business hours
  • understand any specific barriers - including emotional barriers - that might be faced by trans users and users who have had frightening experiences with governments in other countries

6. Have a multidisciplinary team

Decision

The service met point 6 of the Standard.

What the team has done well

The panel was impressed that:

  • the team have all the expected roles in place including SMEs working alongside them
  • the team have a good mix of civil servants and contractors working across the service
  • there has clearly been a lot of thought on the structure of the team in relation to the teams working on other parts of the service, and this structure is being regularly reviewed as the service matures

What the team needs to explore

Before their next assessment, the team needs to:

  • be clear on the live service management approach and how this can be scaled

7. Use agile ways of working

Decision

The service met point 7 of the Standard.

What the team has done well

The panel was impressed that:

  • the team are working in an agile way with a range of ceremonies and techniques
  • the team are working as part of the wider programme within 6-week cycles, with regular sharing to ensure alignment
  • the team have access to all the appropriate tools and are considering how they will need to adapt this as they return to the office
  • the team have appropriate governance arrangements in place which are being reviewed as the service matures

8. Iterate and improve frequently

Decision

The service met point 8 of the Standard.

What the team has done well

The panel was impressed that:

  • the team were able to demonstrate how they have iterated based on user feedback
  • the team have identified future areas to consider and focus on as they continue to build the service in private beta

What the team needs to explore

Before their next assessment, the team needs to:

  • ensure they continue to learn and iterate as they expand the service to a wider user base
  • ensure they continue to learn from and iterate the service in the context of the wider programme

9. Create a secure service which protects users’ privacy

A large part of the issues around security are dealt with in the authentication sub-service, which uses existing GaaP components and has already passed Alpha assessment.

Decision

The service met point 9 of the Standard.

What the team has done well

The panel was impressed that:

  • threats and attack vectors are well analysed and sensibly mitigated
  • the team conducted early engagement and work with NCSC on threat modelling

What the team needs to explore

Before their next assessment, the team needs to:

  • develop better clarity on data retention, and work with content leads on how this is communicated effectively to the end user in order to preserve trust
  • take an evidence-based and easy-to-support decision on the single vs multiple points of trust
  • keep an eye on the evolving regulatory landscape/policy so that the impact on the service is minimised

10. Define what success looks like and publish performance data

Decision

The service met point 10 of the Standard.

What the team has done well

The panel was impressed that:

  • the team clearly recognises the importance of measuring success and have a well thought out plan for how they will measure this in private beta
  • the team recognises the need to adjust expectations depending on the service journey it is being used within
  • the team has identified KPIs that sit within a wider performance framework

What the team needs to explore

Before their next assessment, the team needs to:

  • ensure they continue to build on the work done to date to consider and adapt their framework and KPIs as the service expands to new user groups

11. Choose the right tools and technology

The team showed a good mastery of the platform and tools, worked with existing components, and explored new solutions in sensible ways.

Decision

The service met point 11 of the Standard.

What the team has done well

The panel was impressed that:

  • the team explored a variety of solutions
  • the team conducted thorough analysis of the state-of-the-art
  • the team built good connections to the broader landscape and future context, for example through the discussion with the W3C Verifiable Credentials Working Group

What the team needs to explore

Before their next assessment, the team needs to:

  • take a final decision on replatforming on AWS Lambda
  • decide to move away from the existing DCS service if appropriate

12. Make new source code open

The team released high-quality source code in a way that should be considered exemplary to other projects.

Decision

The service met point 12 of the Standard.

What the team has done well

The panel was impressed that:

  • the open source repositories are well structured, documented, and relate to the “live” service

What the team needs to explore

Before their next assessment, the team needs to:

  • keep the open source repository up to date and well documented

13. Use and contribute to open standards, common components and patterns

Broadly speaking, the service uses common components and implements an open standard. There is nothing to contribute externally at this stage, although the service itself might be an enabler of data sharing.

Decision

The service met point 13 of the Standard.

What the team has done well

The panel was impressed that:

  • the team considered data sharing issues according to open data values and open standards
  • the team is using design system patterns and GOV.UK content styles, and is planning on feeding back their research findings into the design system community

14. Operate a reliable service

The team has proactively analysed reliability issues using relevant data from the existing services (GOV.UK Verify, DBS).

Decision

The service met point 14 of the Standard.

What the team has done well

The panel was impressed that:

  • the team has done extensive groundwork via GOV.UK Verify and heeded useful lessons about, for example, the requirement for a support rota
  • the team uses performance data from the DBS service in order to scope the service
  • the team conducted gap analysis of existing expertise/resource vs those that need to be developed, for example the team recognised that the service will run on AWS Lambda for the first time, and they sought to look for connections with other services running on it
  • future needs were correctly identified

What the team needs to explore

Before their next assessment, the team needs to:

  • work out how to transition from GOV.UK Verify, particularly identifying when to sunset it

Published 24 September 2021