What next for GOV.UK Verify?
The identity-assurance tool is being used more than ever just as its future grows more uncertain. PublicTechnology examines what might happen to the service in the longer term.
GOV.UK Verify has never suffered from an excess of popularity.
Work to deliver the identity-assurance tool has been troubled from the outset, and has faced a large amount of scrutiny and scorn along the way.
Having finally launched in 2016 – four years later than had initially been projected – the comparatively tepid uptake of the service, by both government and citizens, has been the foremost cause of the criticism levelled against it since then.
This criticism culminated and peaked, as it so often does, with the publication last year of a scathing report from the House of Commons Public Accounts Committee.
MPs on the committee found that the project was characterised by “poor decisions compounded by a failure to take accountability” that they said persisted to this day. And the product that has ultimately been delivered is “an onerous system that is not fit for purpose”, the committee said.
“The PAC report reflects that this has been a challenging project,” acknowledged a government response that must rank among the most government responses of all government responses.
The challenges were such that, at that point, it had already been decided that the job of meeting them would be better led by the private sector.
In October 2018, the government signed 18-month support contracts with five of Verify’s commercial identity provider partners. At the conclusion of these contracts – which were intended to represent the last money the Cabinet Office would invest in Verify – these partners would assume responsibility for running and funding the platform.
A newly formed Digital Identity Unit – based across both the Government Digital Service and the Department for Digital, Culture, Media and Sport – was created to work with the market. But it is a market whose products would now be entirely owned and run by the private sector.
Just over a week before these handover contracts were due to end, on 31 March 2020, three of the providers – Barclays, Experian, and SecureIdentity – decided that they would no longer issue any new identities for those signing up to Verify. Existing accounts remain supported, although this is due to end in March 2021.
The departure of the three companies – which followed CitizenSafe and Royal Mail ending their support for Verify in October 2018 – left Digidentity and Post Office as the only remaining options for citizens to create an identity through which they could access Verify.
Date of Verify launch - four years later than the initial intended launch date
Current total of users, compared with a target of 25 million
New registrations since the start of the coronavirus crisis
Number of government services that use Verify - with Universal Credit being perhaps the most significant of these
Remaining providers of new identities
Revised end date for government funding
But at the same time as support from suppliers was waning, demand from citizens was increasing as never before.
Since the start of the coronavirus crisis, two million new claims have been made for Universal Credit, with thousands more continuing to be made.
Initially, all of these claimants were required to prove their identity through Verify – resulting in more than 640,000 new sign-ups for the service since mid-March. New identities, which were previously issued in quantities of about 35,000 per week, were now needed at more than double that rate.
And, in the early days of the crisis, demand was probably significantly higher than this. GDS has claimed that, at their peak, online queues for verification reached 155,000 people.
This figure would come as no surprise to claimants who reported a wait of several hours to prove their identity – a key part of the online application process for Universal Credit.
Since then, investments have been made – by government bodies and Verify’s commercial partners – in increasing capacity. GDS also helped manage the demand peak with measures including “splitting traffic” between Digidentity and Post Office, rather than offering users a choice of which identity provider to use.
For its part, the Department for Work and Pensions provided funding for the capacity-boosting initiatives, and also opened up access to Universal Credit via the legacy Government Gateway platform.
Most significantly of all, last month the Cabinet Office announced that it had got approval from HM Treasury to continue funding for Verify for a further 18 months beyond the scheduled 31 March cut-off for ceasing support.
The additional investment effectively means that the contracts that are already in place with the two remaining providers have been extended and “revised”, the Cabinet Office told PublicTechnology.
It declined to provide a precise figure for how much money has been committed by government to the deals, but added: “The chief secretary to the Treasury has given approval to the Cabinet Office to continue GOV.UK Verify operations for up to a further 18 months, in light of the unprecedented demand for key online services using digital identity during the coronavirus pandemic. We will report on the running costs of Verify in the usual way.”
The bigger question is what will happen at the conclusion of the contracts.
The current demand for Universal Credit – coupled with the cessation of support for new accounts from three of the service’s partners – may have provided a clear and urgent impetus to keep responsibility for Verify in-house in the short term.
But, even once demand recedes, the technology – for all the criticism it has faced – is still a key component of a major service, relied upon by millions of society’s most vulnerable.
When it was announced in October 2018 that the commercial market would be asked to take the lead on Verify, it was surely not envisioned that the market for the product would shrink to just two firms.
Given the essential role Verify plays in delivering Universal Credit, government needs to ensure the product remains viable if it enters private ownership – or else is replaced in the benefit’s sign-up process in the next 18 months.
When PublicTechnology asked the Cabinet Office if the plan, at this point, was still to hand the service over to its two remaining private-sector partners at the end of the new contracts, the department first took issue with the question.
“While the government announced in October 2018 that GOV.UK Verify would be transitioning to a private sector-led model, this did not mean ‘handing it over’ to private companies,” it said.
No definitive answer was given as to where the product’s future ownership lies, but the department said “we will provide an update as work progresses”.
Most outside of government – and maybe, privately, many within Whitehall too – would characterise Verify as a failure.
Currently standing at 6.7 million, the number of citizens who have signed up for a Verify account may be a lot smaller than the long-term target of 25 million people by 2020 which, as late as September 2018, the Cabinet Office continued to insist it was working towards.
But those people, and their reliance on the technology as part of the safety net of the benefits system, may just have made Verify too big to fail.
Government needs to decide in the coming months who is best placed to prevent it doing so.
With both the Treasury and Verify’s private sector backers having shown a desire to stop putting money into the service, whatever decision is reached may not be a popular one.