The long-term future for Verify has been in doubt for some time, with the Infrastructure and Projects Authority, out of the Cabinet Office, urging back in July that the initiative be abandoned due to lack of confidence and take-up at ground level across government departments.
Certainly the official government statistics around Verify usage make for pretty grim reading. The ambition was to have 25 million users on board by 2020; As of today, the official numbers on GOV.UK are just over 2.9 million users. Only 18 government services are using Verify, with only 38,700 existing users signing in last week, a rate of usage that’s down from 41,200 back in July.
The trick now is now to back away from further investment without losing any more face at the failure of Verify to become the cross-government standard it was supposed to. The solution is to push it out to an ecosystem of private sector providers using government-backed standards. Over the next 18 months, that’s what the Department for Digital, Culture, Media and Sport (DCMS) - which won policy control over Verify in June as part of its digital land-grab from the Cabinet Office and GDS - will be doing.
There will be one last spurt of “capped” funding to top off the estimated £130 million that GDS has spent on Verify to date, then it’s all about a “private sector-led model”, confirmed Oliver Dowden, Minister for Implementation in the Cabinet Office.
A great success...apparently
Dowden did his best to spin this development as a validation of a successful government IT programme:
Since its inception, GOV.UK Verify has sought to create an effective standards based digital identity market in the UK. International examples point to the challenges in successfully creating a secure digital identity framework for the public and private sector. I am proud that the UK is regarded as a global leader in this space, and that the innovative assets and standards created by the GOV.UK Verify programme have been utilised by numerous international Governments.
The envy of the word, as they say in satirical circles.
So now, with all that success under the UK Government’s collective belt, it’s time to launch Verify into a private sector where, presumably, the expectation is that a thousand flowers will metaphorically bloom. Or as Dowden put it:
GOV.UK Verify is now sufficiently mature to move to the next phase of its development. The private sector will take responsibility for broadening the usage and application of digital identity in the UK. I can confirm that contracts have been signed with a number of private sector identity providers, for an 18 month period, and with capped expenditure. These commercial arrangements formalise the transition to a private sector led model.
The Government will continue to provide state backed assurance and standards to ensure there is trust and confidence in the emergent digital identity market. The Government expects that commercial organisations will create and reuse digital identities, and accelerate the creation of an interoperable digital identity market. This is therefore the last investment that the Government will provide to directly support the GOV.UK Verify programme. It will be the responsibility of the private sector to invest to ensure the delivery of this product beyond the above period.
That responsibility is being passed over to commercial concerns despite Dowden’s insistence on the crucial need for identity management tech as part of national security:
The Government has an immediate and growing need for digital identity…Poorly secured services are vulnerable to attack from cyber crime and other hostile activity. GOV.UK Verify enables citizens to securely prove that they are who they say they are to a high degree of confidence when transacting with Government online. It is a major enabler and a critical dependency for Government’s digital transformation.
In truth, Verify was in fact always meant to be delivered by the private sector, following the creation of government standards and assurances. The theory was “I need to authenticate someone, the request goes to the market of providers, and citizens take their pick of solutions or the cheapest provider wins”.
However, given the recent parliamentary report calling for the scrapping of Verify, the timing of this announcement is suspicious. The harsh reality is that Verify just hasn’t had the uptake that was committed to and authentications are running at less than half of those who try (47%).
Sad to say that if Verify is deemed a ‘failure’, GDS has to carry part of the blame. While £130 million is small beer in the grand scale of IT project failures, there’s a sense lingering that Verify became such a ‘pet project’ that ‘market realities’, such as poor adoption and, crucially, the tangible lack of support and enthusiasm from other departments, were ignored.