Identity service
The identity service allows users to prove who they are so they can find their pensions.
It ensures pensions data is requested by users with verified identities and returned to the same user.
This gives pension providers, schemes and the Department for Work and Pensions (DWP) State Pension confidence that the user is who they say they are and that they have authority to receive the pension information.
PDP has chosen GOV.UK One Login as the identity service provider.
How the identity service works
When users interact with the identity service
The identity service will be integrated into the central digital architecture in the dashboards ecosystem.
When a user asks a dashboard to find their pensions, the consent and authorisation service passes the user to the identity service to verify their identity.
Identity verification
Users provide evidence to the service to verify their claimed identity.
Users can currently prove their identity with GOV.UK One Login using their:
- web browser and the GOV.UK ID Check app
- web browser and at the Post Office
- web browser to answer security questions
Find out more about how users can prove their identity.
The identity service follows a 5-step process to establish the strength of the identity claim. It will check that:
- evidence exists for the claimed identity (for example, a passport, driving licence, bank account)
- this evidence is genuine or valid (validating against an authoritative source like the Passport Office)
- the claimed identity has existed over time
- the claimed identity is not at high risk of identity fraud (for example, ensuring the identity belongs to a living individual)
- the identity belongs to the person who is claiming (using cross-checks such as comparing a selfie to a passport image)
The identity service measures the claimed identity against the criteria and allocates each a score.
What attributes the identity service verifies
The identity service will verify certain attributes to confirm users are who they say they are and help them find their pensions information. Pension providers and schemes may wish to consider which attributes the identity service verifies, as this can help in determining their data matching policy.
Data that is verified or self-asserted will be distinguished with assertion flags, as described in the data standards.
Verified items:
- first name
- last name
- date of birth
- email address
- mobile number, if used for 2-factor authentication, but may not be provided if the citizen chooses to use an authenticator app
Unverified items:
- current address
UK addresses are checked to exist and, through credit records, shown to have an association with the user. The address is not verified to be the user's current address. GOV.UK One Login will check if the addresses are associated with fraudulent activity.
Addresses with a claimed association to the user will be marked in the find request as 'type: O' (data standard 1.021).
Address will always be marked as code 'U' as per data standard 1.022 (address verification), since it is not verified as a current address or an attribute of the user's identity.
Attributes included in the find request
The user’s verified details are added to information self-asserted by the user, which may include National Insurance number, previous names, addresses, email address and mobile phone number. This is the ‘find’ request. This information is sent to pension providers and schemes to match the user to their pensions information. If a user successfully proves their identity, the find request will always include the following core identity information:
- first name
- last name
- date of birth
- email address
If the user has provided a mobile number (for 2-factor authentication) this may also be returned to pension providers and schemes.
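The sketch below is an added example, not PDP or GOV.UK One Login code. It shows one way a provider's matching policy could weigh verified and self-asserted attributes differently. The field names, the flag values "V" and "S", the weights and the outcome labels are assumptions made for illustration; only the address codes 'O' (1.021) and 'U' (1.022) come from the text above.

```python
from dataclasses import dataclass

VERIFIED, SELF_ASSERTED = "V", "S"  # hypothetical assertion-flag values

@dataclass(frozen=True)
class Attr:
    value: str
    assertion: str  # VERIFIED or SELF_ASSERTED

def _norm(text: str) -> str:
    """Comparison key that ignores case and whitespace."""
    return "".join(text.lower().split())

def match_find_request(find: dict, record: dict) -> str:
    """Classify one scheme record against a find request: 'match', 'partial' or 'none'."""
    # Core identity must arrive flagged as verified and equal the scheme record.
    for key in ("first_name", "last_name", "date_of_birth"):
        attr = find.get(key)
        if attr is None or attr.assertion != VERIFIED:
            return "none"
        if _norm(attr.value) != _norm(record[key]):
            return "none"
    # Self-asserted items only corroborate; they never establish identity alone.
    score = 0
    nino = find.get("nino")
    if nino and record.get("nino") and _norm(nino.value) == _norm(record["nino"]):
        score += 2  # assumed weight for a National Insurance number hit
    # Addresses carry verification code 'U': associated with the user but not
    # proven current, so a postcode hit is given the lowest weight.
    postcodes = {_norm(a["postcode"]) for a in find.get("addresses", [])}
    if record.get("postcode") and _norm(record["postcode"]) in postcodes:
        score += 1
    return "match" if score >= 2 else "partial"

# Constructed sample data, not real people or real scheme records.
FIND = {
    "first_name": Attr("Alex", VERIFIED),
    "last_name": Attr("Morgan", VERIFIED),
    "date_of_birth": Attr("1975-03-14", VERIFIED),
    "nino": Attr("QQ 12 34 56 C", SELF_ASSERTED),
    "addresses": [{"postcode": "AB1 2CD", "type": "O", "verification": "U"}],
}
RECORD = {"first_name": "ALEX", "last_name": "Morgan",
          "date_of_birth": "1975-03-14", "nino": "QQ123456C", "postcode": "ZZ9 9ZZ"}

if __name__ == "__main__":
    print(match_find_request(FIND, RECORD))
```

Under this assumed policy, an address hit alone leaves the result at 'partial', reflecting that the address is never verified as current.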
Authenticating returning users
Users will not repeat the identity verification process when returning to a dashboard. Instead, the identity service will check that the user is the same individual previously verified.
To achieve this, the user will log in to the identity service with the account details they created on their first visit. This includes two-factor authentication (2FA), ensuring it’s the same individual.
Overseas users with a UK registered pension scheme
Being in the UK will not be a requirement to use the service. Users outside the UK may not have a UK address or National Insurance number. The only constraint on using the service will be the ability of the identity service to verify their identity.
Under-18s usage of pensions dashboards
It may be possible for under-18s to use pensions dashboards. The identity service will not prevent them from verifying their identity. However, they may be unlikely to be able to prove their identity where verification requires credit record checks, for example.
GOV.UK One Login
GOV.UK One Login is the strategic identity solution for government. It lets users sign in and prove their identity so they can access their chosen government service quickly and easily, using the same email address and password.
Why GOV.UK One Login was chosen
GOV.UK One Login is already used by government services, so potential dashboard users may already have GOV.UK One Login accounts and verified identities. This would make the dashboards user journey much shorter.
Ensuring a secure service
Good practice principles
PDP is following principles in the Government Digital Service (GDS) Good Practice Guide to ensure a quality and secure service:
- Good Practice Guide 45 defines the standard for identity verification
- Good Practice Guide 44 defines how authenticators support a user’s access
Identity confidence
The levels of confidence defined in the GDS Good Practice Guide 45 are:
- low
- medium
- high
- very high
Identity claims in the ecosystem will require a medium confidence level. This will be reviewed as part of ongoing testing.
To reach this conclusion, PDP consulted with industry through a call for input and evaluated the risks involved with data controllers releasing pensions information, considering:
- what information the user needs to use the service
- what information the service gives the user access to
- what the service or user can do with that information
Medium confidence is consistent with or higher than many financial services and is the same level DWP use for the ‘Check your State Pension forecast’ service.