Verification and authentication
Verification: proving users are who they say they are
Most of us are used to having to prove our identity in person and can produce a passport, driving licence or other form of photo ID in day to day life, when collecting parcels at the post office, starting a new job or similar.
But it’s more difficult to prove identity in a digital environment, which is where identity providers and identity standards take on the task of verifying a user’s identity online.
PDP will use the principles as set out in the Government Digital Service, Good Practice Guide 45, to define a standard that relates specifically to identity verification and Good Practice Guide 44, which defines the way authenticators can be used to support a user’s access to a service.
Verifying an identity
The user will need to provide information on who they claim to be ie the claimed identity. In many instances this information is provided directly from evidence of an identity, such as a passport.
The identity service will follow a five-step process to establish the strength of the identity claim. It will check that:
- evidence exists for the claimed identity eg a passport, driving licence, bank account
- this evidence is genuine or valid: it will validate the evidence against an authoritative source eg the passport office
- the claimed identity has existed over time: it will check interactions that prove the identity has been active
- the claimed identity is not at high risk on identity fraud: for example, it will check that the identity belongs to someone that is alive
- the identity belongs to the person who is claiming it: more cross-checking, for example, it could compare a selfie to a passport image
The identity service will measure the claimed identity against each of these criteria and allocate a score to each. The combination of scores creates what is known as a profile for the identity.
Confidence in the identity
The identity service then measures the individual profile against a set of default profiles. The default profiles enable a measure of the strength of the claim or level of confidence in the identity.
The levels of confidence defined in GPG45 are:
- very high
For further explanation of GPC 45 and the levels of confidence, see the government’s Good Practice Guide 45.
Proposed levels of confidence for the PDP identity service
The Pensions Dashboards Programme has consulted on the appropriate minimum level of confidence in a user’s claimed identity that the ecosystem will need. The programme is recommending that this will be a medium level, however we are planning to check what practical difference applying a high level would make as part of our alpha testing phase of the programme.
A medium level of confidence might not sound very high but it is the level that PDP believes it requires for dealing with sensitive data, such as pensions information. It’s also consistent with many financial services offerings, the same as DWP uses for the ‘Check my State Pension’ service and will often be higher than the level a data provider will have in place already.
To reach this conclusion, we took into account:
- what information the user needs to use the service
- what information the service gives the user access to
- what the service or user can do with that information
As this all feeds into the level of risk that’s involved in data controllers releasing the pensions information to users via dashboards.
Authentication: proving a returning user is the same as previously verified
Once a user has verified their identity, the identity service does not repeat this process if they return to a dashboard. Instead, the identity service needs to establish that it is the same individual that was previously verified.
It does this using authenticators to confirm information known about or provided to the verified identity. PDP will require the identity service to use more than one authenticator, otherwise known as two-factor (2FA) or multi-factor authentication (MFA).
An authenticator is something that the user knows, has or is that will confirm their right to access the ecosystem. An example in widespread use would be when an individual accesses a website using a password (a secret) and this triggers a text to their phone (something the user has) with a code that the user needs to input to enter the website.
Typically an authenticator will be either:
- something the user knows (often referred to as a secret)
- something the user has (mobile phone, chip and PIN card)
- something the user is (biometric information)
A secret can take the form of a password, PIN or answer to a question that only the user knows (also known as knowledge-based verification). It’s usually used with either another piece of information, such as a username or email address , or a token, such as a chip and PIN card, single use authentication code or digital certificate.
Biometric information is a measure of someone’s biological characteristics, such as their fingerprint or facial recognition or behavioural characteristics, such as their signature.
Authenticators can be low, medium or high quality, depending on how secure they are. Their quality will be determined by how the authenticator was:
- created by a user, or manufacturer if it’s a physical token
- managed (ie how it is issued, updated and deleted when no longer in use)
- captured (for biometric information)
Also factored into any assessment of authenticators is :
- a recovery processes for forgotten, lost and stolen authenticators – enabling the rightful user to recover access
- a revocation processes so that authenticators can be cancelled, and access denied
- monitoring of the credential as it is in use to detect misuse or hijack
By assessing the strength of the authenticators individually, and in combination with other authenticators (in a multi factor authentication approach), an assessment can be made as to the level of protection provided.
GPG 44 defines 4 levels of protection:
- very high
The higher the level of protection, the more secure the service can be seen to be, however the steps to achieve very high, for example, are more difficult for users to achieve. We need to strike a balance between the strength of the authenticators and the process that the user will need to follow.
For further explanation of GPG 44 and the levels of protection, see our the government’s Good Practice Guide 44.
Proposed levels of protection for the PDP identity service
Aligned with the level of confidence in the identity, the programme is recommending that authentication is ensured at a medium level of protection.
A medium level of protection is appropriate if it provides users with access to sensitive information. The programme’s view is that pension data presented under the find and view options will be classed as sensitive.
In the event that transactional capability is added to the scope of the service, then it is likely that we would adopt a high level of protection.