The Identity Standards and Fraud team at the Government Digital Service ran an event last month to share knowledge about how different government departments are tackling identity checking. It established a community of interest for people working on identity in government, but also helped our team get a bit closer to our users.
Our team publish standards and guidance about identity checking and support GOV.UK Verify. The guidance helps product and service teams work out what identity checks are appropriate for their users.
We’re currently updating it to make it easier to use, so we do regular research with users of the guidance. This event gave us an opportunity to hear from a much larger group of people about the challenges government is facing around identity.
It was prompted by a suggestion on the cross-government user research Google group, and more than 60 people expressed an interest in getting together to share experiences around how they’ve approached similar problems.
What happened on the day
Services check user identities in different ways and for different reasons, from physically looking at a document to apps that use facial recognition technology.
So the day focused on 2 questions:
- What do we know about the experiences of users proving their identities?
- What patterns and approaches can we share?
People from 18 organisations attended and we heard from a range of them, from teams coming out of discovery through to improvements on a live service. We heard about:
- user needs the Scottish government identified in its discovery work
- work on improving the Verify hub to prepare users for identity verification
- the shift to digital and how that changes risk of identity fraud to services with Land Registry
- the work content designers from GOV.UK have done to make it easier to choose between multiple identity options on start pages
- NHS Digital’s identity solution, now in private beta
- how the identity standards work, and a vision for the future of standards-based identity in the public and private sectors.
This was a group of people who had not met before and did not have a clearly stated goal or purpose. We ran a series of activities to find out what the group wanted to tackle and discuss using liberating structures methods.
These methods help encourage meaningful participation from large groups, without the loudest voices in the room dominating the conversation. They also helped us get to some prioritised actions for the group.
In our discussion, we found that we shared some common challenges.
The first was that there are common groups that are difficult to verify online. These include young people, people with limited internet access or digital skills and those who do not have a stable address history. We need to keep looking for ways to include these often vulnerable groups.
We also talked about the need to integrate online and offline identity processes. For example, checking a document like a passport thoroughly in person takes training and equipment. But if this was connected with a reusable digital identity, that trust could be used to access other services.
Even if we’re not close to ways of doing this, we need to make sure online identity checks are not a barrier to users accessing services. Alternative channels such as face to face need to be accessible and visible.
Another common challenge was getting the balance right between ease for users and security. Users are trying to access a service, not prove their identities for the sake of it. Enabling people to verify themselves online can create huge opportunities for service transformation but for some users the level of checking needed can create a barrier.
We talked about the need to help users build up trust over time rather than proving their identity all at once. For example, this could mean doing a lightweight identity check at the beginning of the service and then asking users to add more evidence if they want to do higher risk things, like viewing personal details.
Another way to make things easier for users is to let them reuse a digital identity they already have - such as a GOV.UK Verify account - so users can sign in rather than going through an identity checking process each time they use a new service.
It was an interesting and productive day thanks to people sharing their work and questions.
As a group, we agreed to do 2 things. A lot of user research and service design is happening in relation to identity, so we agreed to get together to share insights and patterns more often.
The second is that there are gaps in conventional approaches to identity for departments dealing with businesses and proxies - such as if a carer is accessing information on behalf of someone else - so people will be exploring these approaches further.
This event highlighted some gaps in the current guidance for people working out how to check the identity of users. It helped us to understand a bit more about these gaps and connected us to a community of potential guidance users who we can now involve in future research.
An important part of planning research is to distinguish between stakeholders and people who use our guidance in their work. Events are often more focused on engaging stakeholders than working with potential users, but this event taught us a lot about the value of planning engagement and research together.
We’re continuing the discussion about these things and more on the #checking-identities group on the cross-government Slack, and the checking-identity Google group. Please join us there.