In May 2019, the Digital Identity team at Government Digital Service (GDS) wrote a blog post about the work we've been doing to improve the government's identity standards.
After rewriting our guidance on how to prove and verify someone's identity, we decided to turn our attention to one of the other Good Practice Guides (or GPGs) that make up the identity standards - GPG 44.
GPG 44 is guidance about authentication. Authentication is the term used to describe the way a user signs in to an online service. A user does this using something called an 'authenticator'. An authenticator could be anything from a username and password to an image of their face.
Authentication is different to identity verification. A user does not always have to prove their identity to do something online, but they will usually always need a way to sign in to a service.
Why the guidance needed improving
GPG 44 had not been updated since 2014. The way online services are designed and built has changed a lot since then. This meant that a lot of the concepts and technology referenced in the guidance were out of date.
For example, the previous version of the guidance did not reference two-factor authentication (2FA) at all. This is when users sign in to a service with a combination of 2 authenticators instead of just one, for example an email address and a code from an authenticator app.
Over the past few years, 2FA has become a popular way for service teams to protect their services. But our guidance did not include anything about how service teams should best set up 2FA. We have now fixed this, as well as refreshing some of the other outdated parts of the guidance.
We also wanted to improve the general usability of GPG 44 and make it more accessible, in every sense. The previous version of the guidance was quite prescriptive. It was very focused on telling service teams what they must do without giving them much explanation as to why they should do it.
We know that service teams know a lot more about the needs of their service than we do. Instead of just telling service teams what to do, we now give them enough information about authentication to be able to make decisions for themselves.
Finally, the way the previous version of the guidance was written did not follow content design best practice or GDS style.
For example, it was written using a lot of technical language. We know that technical language and jargon can have an impact on how well specialist and non-specialist users understand content.
How we improved the guidance
We decided to rewrite the guidance in plain English. A content designer wrote the new guidance with a subject matter expert to make sure it was correct and clear.
We also worked closely with other government departments and agencies on the guidance. We then iterated it based on feedback from organisations in the public and private sectors.
This gave us plenty of opportunities to find out which parts of the guidance were still unclear, and gave us enough time to fix them before it was published.
As a result of this, we ended up with a piece of guidance that we knew a wide range of different organisations could follow and understand.
Finally, we published the new version of the guidance in a more accessible format. The guidance was previously only published as a PDF, which made it harder to find, use and maintain.
The new version of the identity standards has been published in the HTML publication format, which means it's more accessible and compliant with open standards.
Identity assurance in the Service Manual
At the same time as improving GPG 44, we worked on adding some new guidance to the Service Manual about checking users' identities.
The Service Manual is a collection of guidance for teams building government services.
However, until recently, it did not include any guidance about why checking users' identities (also known as 'identity assurance') is an important part of designing and building a service.
We've added some guidance that explains more about the benefits and different uses of identity assurance. We hope it will make it easier for service teams to make a decision about whether or not identity assurance can help their service as they design and build it.
Why the new guidance is important
Over the past few years, many organisations have turned interactions they'd usually have with their users in person, by post or over the phone into online services. More recently, social distancing caused by the COVID-19 outbreak has meant more and more of these interactions and transactions can only be carried out safely if they happen online.
For a lot of the teams running these types of services, it's important to know who is on the other side of the screen. Not knowing this could increase the risk of identity fraud, leading to financial, reputational or even physical harm for their organisations and users.
Being able to recognise if someone has used a service before or knowing that they are the person they're claiming to be has never been more important. Both pieces of guidance we've recently published will make it easier for service teams to do this.
What's next
GPG 44 is one of several pieces of guidance that will help organisations check identities in a secure and consistent way.
Over the next few months, GDS content designers and digital identity experts will be working on more guidance to support the growth of digital identity across the UK. We'll have more to say about this in the autumn.
If you’re interested in providing feedback or supporting our work on future guidance and standards, please email iax@digital.cabinet-office.gov.uk.