British face authentication firm iProov has won £17.5 million in contracts from the UK government as part of its One Login programme, while the government’s digital ID framework moves into beta.
The Government Digital Service, part of the Cabinet Office, agreed a brace of two-year contracts with iProov in June, with both contracts starting from 27 July 2022. One £11.6 million contract covers document checking, including capability to read biometric passport data via NFC on Apple and Android devices, as well as OCR for machine-readable documents; the second £5.9 million contract covers biometrics.
Following contract awards in February and April to Deloitte for consultancy work on One Login for Government, the new agreements mean development of the digital ID service is gathering pace. If the project stays on its original timetable – no laughing in the back – One Login could launch in some form by the end of 2022.
The need for a single comprehensive login system covering all government departments and functions has always been clear – and yet thus far unachievable. The government’s previous attempt, Verify, died even more quickly than expected when HMRC stopped using the service prematurely, causing chaos and frustration.
While One Login will only cover government services, DCMS is also moving forward with development of a “digital identity and attributes trust framework” under the Office for Digital Identities and Attributes, created in March. An alpha version of the framework was released almost exactly a year ago – and in June 2022 DCMS published the beta version.
“Over the past 18 months, we have worked with over 250 organisations across civil society, industry, standards bodies, and academia to test whether we’ve got these rules and standards right,” said then-minister for digital Julia Lopez in her foreword.
“We will use sandboxes and live market testing to ensure that the trust framework is fit for use in the real world. Testing during the beta phase will also allow industry to show consumers how trustworthy digital identity and attribute products can benefit them by offering simple and secure ways for people to prove things about themselves,” she added.
Most of the changes to the framework have added detail and granularity to the alpha version, with organisations able to define roles more precisely, or see more detail on flows of information. The biometric testing requirement has been beefed up, and new approaches to user agreement will be trialled.
One significant change is the removal of the need for trust framework participants to send and receive data only with other participants of the framework, as this requirement “could jeopardise some providers’ business models”. Now participants can share data with bodies outside the framework – with some caveats.
“We have introduced a requirement for providers to provide information on the services used in their supply chains, including whether they are trust framework participants, during certification. Certification bodies will periodically report this information to the governing body in an anonymous and aggregate form,” said the notes on changes to the framework.
“The governing body will use the information to monitor the market. This will help establish where there is demand for particular types of certified providers, assess the security of the market and observe how the digital identity and attributes market is progressing. This will support the governing body to actively review its position on this issue.
“It is possible that future trust framework iterations may include an expectation to only share and receive identity and attribute data with other trust framework participants.”
In a similar vein, requirements for using data schemas or joining via a scheme were also loosened, but with the possibility that later versions of the framework may tighten these elements once again.
Various bodies, including BSI, the Law Society, UKAS, Credas and NQA, are either involved in or closely monitoring development of the framework. For enterprises or organisations which are likely to be impacted by the adoption of the framework, it is worth getting in touch with the relevant industry body.