The Government Digital Service (GDS) has a generous £400m budget to develop “One Login”, a single sign-on and digital identity system for government services. But it comes with a nagging sense of déjà vu: although billed as a fresh approach, it’s remarkably similar to the solution implemented in 2001 by an earlier Cabinet Office team at a cost of just £15.6m.
One Login comes hot on the heels of GDS’s troubled £220m+ Gov.uk Verify digital identity programme. GDS spent years cajoling departments to abandon the existing cross-government system and to adopt Gov.uk Verify. Now, after a tyre-screeching policy U-turn, it’s Verify that’s been ditched instead.
None of this policy flip-flopping comes cheap – over £220m to dismantle the old approach, £400m to bring it back again. But just what user needs does One Login solve? Are we about to go back to the past with government identity?
When the UK government started moving services online in the 1990s, there was no easy way for users to prove who they were or to access their services in a consistent and secure way. To solve this problem, in January 2001, the Cabinet Office launched a single sign-on and identification service for citizens, businesses and users acting on behalf of others.
“[The new service will] offer citizens and businesses a single authentication service for all government transactions, such as sending in tax forms. Once a user has successfully registered, they will be able to access services from different departments using a common user ID or digital certificate,” said the Cabinet Office in February 2001.
The service – labelled Government Gateway – offered users the choice of a government login ID and password, or an identity and authentication service from a trusted commercial third party such as Equifax, the British Chambers of Commerce and Royal Mail.
Within 18 months, there were over 4.1 million users, and by 2003, several new cross-government platforms were being added for services such as payments and notifications.
In 2011, 77 national and local organisations were using single sign-on and authentication, and providing 227 live services. By 2017, it had over 50 million user accounts.
After the 2010 general election, the coalition government introduced a new identity assurance programme – it was to become the ill-fated Gov.uk Verify. To replace the existing single sign-on and authentication service, Verify contracted commercial third parties instead, signing up companies such as Experian and the Post Office.
Government policy from 2013 onwards required Whitehall departments and other public bodies to use this select club of private sector identity providers. But Gov.uk Verify ran late and over budget, struggled to meet users’ needs, lost a variety of third-party providers, and became progressively descoped and unloved. It dropped essential features, including support for businesses and users acting on behalf of others.
The result? Public sector organisations, from HM Revenue and Customs (HMRC) to the NHS and the Department for Work and Pensions (DWP), spent hundreds of millions of pounds to update or implement their own identity and authentication services. The Cabinet Office recently revealed the state of the landscape left in Gov.uk Verify’s disruptive wake.
“Currently, there are 191 different ways for people to set up a variety of accounts to access different services on Gov.uk, with 44 different sign-in methods,” according to a Cabinet Office announcement on 13 October 2021.
It’s against this troubled backdrop that the government announced its latest identity programme. Rising from the ashes of Verify, One Login reintroduces a government single sign-on service. However, it inhabits a very different landscape than the one the government faced in 2001.
The identity landscape
Our identity-related data is increasingly moving away from paper to become natively digital. The International Civil Aviation Organisation (ICAO) has published standards for digital travel credentials to provide us with phone-based passports. In the US, mobile driving licences are already being issued onto users’ smartphones, courtesy of standards agreed by the International Organisation for Standardisation (ISO).
Global tech players such as Apple are integrating these new digital “documents” into smartphone digital wallets, as they have our credit and debit cards. Proving who we are or something about ourselves is likely to become as simple in the future as paying for something with our phones is today.
In the UK, the Department for Digital, Culture, Media and Sport (DCMS) is busy consulting on a new digital identity and attributes framework. Tim Berners-Lee, of World Wide Web fame, is promoting Solid, a decentralised identity platform that gives users control of their data and how it’s shared.
In the private sector, a range of companies such as iProov, Digidentity and Yoti, along with challenger banks, are providing identity apps and related services. Open banking has trailblazed trust and authentication between consumers and financial service companies. Large cloud service operators offer flexible, on-demand authentication services that enable organisations to configure, consume and manage single sign-on and authentication at low cost and large scale.
In the same way that we carry numerous cards and documents around with us in our wallets or purses, we’re increasingly doing the same with their digital equivalents on our smartphones.
One Login needs to bring £400m of value to this existing landscape. But the government has an impressive track record of making ambitious top-down announcements, together with an equally impressive track record of failed or late, and costly, programmes – from Universal Credit to the Rural Payments Agency to digital borders to Verify.
One Login will need to get off to a much more credible start than its failed predecessor if it wants to avoid joining it in the digital hall of shame.
What’s the latest plan?
One Login will provide a single sign-on and digital identity solution for government. It includes:
A single sign-on service integrated with a Gov.uk account
Gov.uk Sign in will provide users with a single username, password and two-factor authentication. GDS has claimed it “will become the only way to sign into government services”. Gov.uk Accounts sits alongside Gov.uk Sign in and provides “proactive, personalised and joined-up services” that collect and share users’ personal data.
But what does the introduction of a new system mean for the many services already in successful large-scale use, such as HMRC, with around 16 million users, and NHS Login with 28 million users? One Login already has identical gaps to Verify: it’s initially limited to individuals, not business users, and doesn’t handle anyone acting on behalf of others, such as those with Power of Attorney.
A government identity app for smartphones
The government identity app will help users prove who they are when required. It will provide similar functionality to existing apps with identity services, such as those from the Home Office, NHS, Yoti and the Post Office.
For non-passport holders, or those without other forms of official identification, quite how they’ll identify themselves remains unclear. GDS has stated that it’s “important to make sure we do not exclude users who don’t want to (or can’t), for whatever reason, use an account”. Presumably, there’s also much for GDS to learn from DWP’s work on inclusive digital identity.
One Login appears remarkably like the single sign-on and identity service implemented by the UK government from 2001 onwards. However, resurrecting a bespoke, centralised, UK-wide monolithic identity system in 2021 feels like a retrograde step – identity technologies and services have become increasingly commoditised and decentralised in recent years.
Putting all our public sector-held personal data behind a single account unlocked with one user ID and password seemed like a good idea to get things moving back in the early 2000s. But today we have better options. And the threat landscape is notably different. One security breach or denial of service attack, and everything – from our tax and benefits to our health records – could be compromised.
As the National Cyber Security Centre warns: “[When using single sign-on], if an attacker compromises a user’s account or password, that attacker could have easy access to far more content than they might have in a traditional system.”
Keeping our important public sector relationships and accounts separate also aligns technology better with the political and legal nature of its many organisations, from the NHS to the Home Office.
HMRC already provides an “Account home”. It brings together tax and welfare information. Ironically, it’s built on an updated version of the original Government Gateway single sign-on and authentication system, including two-factor authentication. It’s a more obvious place from which to develop comprehensive user accounts – if they’re needed – than launching an entirely new £400m programme.
Different public sector organisations aren’t “one thing” any more than different private sector organisations are. We don’t log in to different organisations, such as our various banks, credit card providers, loan and mortgage accounts, using the same user ID and password. While undoubtedly convenient, single sign-on has well-known security vulnerabilities, as the many problems encountered by Facebook show.
Rather than the hacker-friendly practice of using the same username and password to log in to multiple services, we’re encouraged to use a different username and password wherever we can, particularly for important accounts. While it might be useful to merge closely interdependent public services and information, such as tax and benefits, as with HMRC’s “Account home”, it’s less obvious why we would want to bundle in everything else too, from our health records to education.
If users are struggling to manage separate accounts for different public sector organisations, they’re likely to be struggling with their other accounts too. In which case, it would be better to follow the NCSC’s advice and encourage the use of password managers as an easier, more secure and less costly option. Doing so would bring wider benefits across the entire digital economy too, not just the public sector.
The identity/data divide
Identity is only one part of the problem. It can often take time, and manual processes, to build trusted links between a user’s proven identity and the unique identifiers, data and records that legitimately relate to that person.
Every organisation – from the DVLA to the NHS to the DWP – needs to ensure that a user is the legitimate owner of a specific set of personal data or records before providing them with access. This data-matching process is often unique to each department, or to each service within a department. Implementing a single sign-on service linked to a proven legal identity does not automatically match someone to the correct data.
Let users manage their own identity
Decentralised models let us manage our digital identity data in the same way we already look after our paper passports and driving licences. They help to avoid the risk of central monitoring and misuse.
If One Login aggregates users’ personal data into one centralised Gov.uk Account linked to their legal identity, it could fundamentally tilt citizens’ relationship with the state, handing government an unprecedented central point of surveillance and insight. GDS has openly blogged about its ambition to “have a consolidated view of user activity across Gov.uk”, with cross-domain tracking and “joined-up analytics” powered by Google. It feels increasingly like an advertising technology (adtech) “mini-me” for government.
While GDS claims it is committed to user consent, privacy and anonymity, it’s not clear how this will be assured once One Login is tied to a proven identity. It’s not an encouraging start that the identity assurance principles to help prevent misuse have been dropped from the new programme.
The government digital identity app could find itself becoming an updated version of the national identity card scrapped by the coalition government in 2010. Even if this isn’t its intent, scope creep is a remarkably irrepressible phenomenon.
The personal data held centrally in Gov.uk Accounts together with a single way of signing in to all our government services shares many characteristics with the National Identity Register.
A political vacuum
Identity is a political issue, with democratic, social and economic implications. Scoping it as a “digital” project starts in the wrong place.
That’s why we need public scrutiny and debate about the objectives of One Login. When combined with other systems, such as Gov.uk, Notify and Pay, the growing use of central platforms provides a potential panopticon – a single point of surveillance. Yet there’s no published policy or technical information to show us how these central platforms are being engineered to prevent this, either individually or collectively.
Some in the digital community have long disparaged Whitehall for being a series of silos that need to be removed to “move fast and break things”. But silos can be a good thing – we use them for nuclear weapons for good reason. The same holds true of much of our most sensitive personal data.
Engineering decisions can have profound policy implications, and vice versa. Every decision made by programmes like One Login can create unforeseen human, political and constitutional consequences. Yet the growing digital centralisation of government is being sculpted by technologists, not our democratically elected representatives.
It’s entirely possible, of course, that the technical teams are designing an exemplary decentralised implementation that will delight Tim Berners-Lee and citizens alike. One that applies rigorous security and privacy engineering, and renders it impossible for any administration, current or future, to misuse. One that places the citizen firmly at the centre of the design and in control of their own data, and that reinforces, rather than undermines, the nature of our constitution, including essential aspects such as the devolved powers of the national assemblies.
However, it would improve confidence if there were more detailed information publicly available, along with routine oversight by, and reporting to, Parliament and the national assemblies.
The UK government should seize this opportunity to become an exemplar of best digital identity practice. If the UK gets this right, it could provide a model of citizen empowerment suitable for adoption by other modern, liberal democracies. It would provide a powerful counterweight to the centralised model of intrusive surveillance peddled both by the adtech global “tech bros” and authoritarian regimes.
Modern approaches to digital identity let users manage and access their own identity-related data, deciding when to use it and which data to release to another person or organisation. They provide privacy, security and resilience, avoiding a single, central honeypot, point of failure, or surveillance.
Parliament needs to play a more prominent role in shaping the digitisation of government. It should oversee a design that reinforces our democracy and consolidates power in the hands of the citizen, not the state. Technology provides the opportunity to reinvigorate democracy rather than undercut it. But for that to happen, technology needs to become much better understood and integrated into the UK’s political process.
One Login has the disadvantage of following in the warm footprints of the programme that preceded it. Verify set back the UK’s digital ambitions, displacing the government’s earlier single sign-on and identity service while simultaneously impeding innovation.
Twenty years after the UK government implemented a central single service, it’s decided to do it all over again (again). But One Login is entering a busy and rapidly evolving landscape. A wide variety of international identity initiatives is already in progress. Multiple identity solutions are live in both the public and private sectors.
To succeed, One Login will need to complement rather than compete with these existing services. However, it’s not yet clear how it relates to live systems such as those of HMRC and NHS Login, or the work of the devolved assemblies, like Digital Identity Scotland, and the many identity apps and initiatives already in use or visible upstream.
But first, there’s a much more fundamental question we should ask: is spending £400m reviving the approach of the early 2000s still the best idea in the very different world of late 2021? That case has yet to be made – particularly since, until recently, the government was proclaiming a very different approach to meet users’ needs.
A good way to build trust and confidence would be for GDS to publish the detailed evidence and research from its discovery phase. The One Login teams should work in the open and make public the programme’s detailed landscape review, together with the analysis of its political, legal, social, economic, and technical options and implications. Doing so would help demonstrate where it adds value – and how it will distinguish itself from what’s gone before.
The Prime Minister once pledged to physically eat an identity card if ever he was asked to produce one. Yet if his government allows One Login to impose the wrong approach, by accident or by design, it may well be his smartphone he’ll need to masticate to the point of destruction instead.
Source: Computer Weekly