Today the digital ID tender which was published on 4 August reaches another milestone, as the six-week period that prospective suppliers have had to prepare their tenders has come to a close. We will start the process of evaluating the responses next week.
Previous blogs in this series have mentioned the discovery and alpha projects we have taken part in through the OIX project framework. The report on the alpha project was published on 25 August – see below for the link. The prospective suppliers who have registered their interest in the tender at www.channelislandtenders.com have had early sight of it. They also received the following introduction to the report which is reproduced here as part of our commitment to transparency on this project.
Start with user needs
The first of our digital design principles is to start with user needs. As previously blogged, in September and October 2016 we ran three rounds of user research to establish how Islanders felt about using a digital ID. In particular we explored a hypothetical solution similar to GOV.UK Verify whereby identity verification is carried out by a choice of third-parties. There were some findings specific to a federated model, such as the importance of the identity providers being readily recognised company names. There were also findings that are of relevance to any type of digital ID solution:
Perception of security
The user research highlighted a clear need to publicise the introduction of a digital identity scheme to help inform people of the benefits and reassure them that the service is genuine.
We saw that older people know not to trust unfamiliar websites and to think twice before typing in their financial details or other information that would be valuable to a fraudster intent on stealing their identity. Older users were more comfortable with the concept of digital ID if they had read and heard about the new system in advance.
One might assume that young people would be savvy about cyber-security. Perhaps surprisingly, a number of the young people that took part in the research barely hesitated in entering their passport number or answering knowledge-based verification questions.
When questioned about why Jersey needed a digital ID system and what the mocked-up system was for, it took some people longer than others to answer that this was to help protect them from identity theft.
If suppliers have practical experience in promoting digital ID schemes based on their solution this will help accelerate take-up.
Any digital ID solution introduces an element of friction the first time the user interacts with the system. People need to assert their identity and provide evidence to support their assertion – “I am Marcus and here’s some existing photo ID and other documents that show that’s true”. In subsequent usage they need to prove that they are in control of whatever token they have been issued to when they log on – “Here’s proof that I am the same Marcus that you dealt with previously.”
In the mocked up process that we used in testing, the intention was that it would take the user no more than ten minutes to verify their identity as a one-off exercise, and no longer than a minute to subsequently log on with it. The tests indicated that if the user saw enough value in the online service that they were accessing then they were willing to spend ten minutes obtaining a digital ID.
In a transaction like changing address it is essential to establish the identity of the person. This avoids someone’s correspondence being redirected without their knowledge as a first step in stealing their identity. This was less clear to users than, for instance, applying for a Social Security benefit where the risk of financial loss to government was obvious.
People were also mindful that while online services are the most convenient, the fallback of attending a government office to carry out a transaction remains. If the online process wasn’t significantly easier than going to the department or their parish hall they would ‘vote with their feet’. Only some of the participants had changed their address recently and knew how tedious it is to have to complete a different process at each States department. Suppliers must be able to demonstrate a really slick process for onboarding users that has been fine-tuned through observation of many different users over time.
Digital ID solution providers may have differing needs in terms of the extent of access to government data needed for their system to work. Some may be highly dependent on it, while others may be entirely self-contained. We have not yet built the APIs that suppliers may need. Toolkits, and assistance with integration, will enable us to integrate more services quickly once the supplier has been selected.
Building an identity solution for Jersey using off-the-shelf software components (be they commercial or open source) is one approach that suppliers may take. We experienced that ‘the devil is in the detail’ and the handshaking between the different components was where by far the most time and cost was consumed.
Working in the open
Sharing these learnings in the open allows potential suppliers to ensure that they have these key aspects covered when they come to present their solution to us. It also helps Islanders and the media to understand the type of issues that the project team are grappling with in work that otherwise goes unseen.
The full report on the Alpha project that included our user research, testing of integration using an off-the-shelf solution and the use of government data for identity verification can be found here.