Five essentials for making digital data verification a success
With over 20 years in the industry, our Digital Services CTO Aislinn McBride has seen it all when it comes to digital identity verification. In this article she outlines the five key areas that have to be considered on any project that involves verifying someone’s identity digitally and how a combination of the latest technology, ethical considerations and working with the end user can lead to the best end result.

Verifying an individual’s digital identity has been a challenge for as long as the internet has existed. And despite huge leaps forward in technology, there are still many areas where identity checks – for anything from validating a mortgage applicant to verifying a potential childcare provider – are predominantly paper-based, combined with a good degree of face-to-face engagement.
It’s understandable, given the risks that can be involved. Working on big projects like online passport renewals – projects which directly impact the lives of citizens – I’ve seen Chief Information Officers (CIOs), Senior Information Risk Officers (SIROs) and Senior Responsible Officers (SROs) shudder when the topic of digital identity comes up. But at Kainos we have also seen that addressing challenges head on can lead to positive user outcomes and better, more efficient services.
During my 20 years working in digital technology, I’ve worked on dozens of projects involving digital identity verification. So I have a keen interest in the various methods of digital identity verification used around the world, from the UK’s own Government Gateway and Verify, to further-flung examples like Estonia’s eID card, Australia’s use of trusted third parties or Pakistan’s centralised database. I’ve also followed the development of global third-party services like Onfido – which provides document checking – and Yoti, which offers end-to-end digital verification, including reverting to a call center and face-to-face verification where needed. All of these solutions make use of different kinds of technologies, from the simple, like identity cards, to the more complex technologies like biometrics – for those who want to know more, the World Bank published a paper on the various technologies available which is a comprehensive overview, despite being a couple of years old.
One of the things I’ve learned both from my own experience and closely following developments in the area is that despite using different technologies and approaches, and offering different outcomes, there are things about successful digital identity verification projects that remain consistent. That’s why there are five key areas that I – and the team at Kainos – always consider on any project involving digital identity verification.

1. Collect verifiable facts, not data
It's easy to get bogged down in collecting masses of data, simply because we have the capability or opportunity. We see this particularly in the verification process, where individuals can be asked to provide extensive identification, full documents or background information.
But do we really need all this information? As my colleague Ricky Walker, Public Sector Head of Technology at Kainos, says: “What we must focus on in any digital identity verification project is the verifiable facts. We don't actually need to know everything about an individual; it might be that we just need to know that they are over 18, or even the basic fact that the person in question is alive!” And Ricky is spot on – if we start from the position of identifying just the facts that need to be verified and the data required to support only that, we are more focused on keeping the data we collect, store, and share, to a minimum.
A great example is when users are asked to provide their full passport documents to verify identity, when all that’s really needed is the specific attribute that needs to be verified. This is explored in detail in the UK DCMS Trust Framework, which aims to outline what good looks like, create a governance approach and drive legislative change to support a smoother digital journey.

2. Earning user trust through transparency
The question of trust is getting harder, not easier. People are increasingly informed – they are asking for more openness and are making their voices heard. Trust applies to the service itself, to third parties that are used to validate data, and any organisations who front the processes too. This means being clear on what data you are collecting, why you’re collecting it, and who can access it.
Earning trust is a particular challenge where third parties are introduced to supply SaaS services or a managed service and control part of the process. This can result in a disjointed experience, with confusion leading to eroded trust.
And linking back to my first point – where services ask for too much information, it degrades trust and results in questioning the service itself.

3. Ask yourself: is it worth it?
Time is precious. People put a high value on their personal time and the use of their brain space. With so much of our digital life spent in real time engagement through social media, online ordering etc, delays due to manual back-end processing have a direct impact on dropout rates. For government, this is a huge problem as citizens are not getting access to much needed services. And for commercial organisations, this degrades their impact and access to their market.
So what can you do about it? As my product consultant colleague Chirag Agarwal pored over the options for identity verification to support passport renewals in the UK, this was the question at the front of his mind and key to the success of this service. He found there were two key points to focus on.
“Firstly,” he says, “ensure that completing the verification process is worth it for the end user. Secondly, make sure you’re carrying out identity verification at the correct stage of the user journey.” He’s right - verification is often positioned up front, as we have a tendency to connect it to account creation, but this often can, and should, be disconnected.
For example, if an individual is applying for a grant, their identity may not be relevant until the point of paying out the grant, so we don't need to verify any earlier. But if identity information does need to be gathered as part of the process, verification checks should be performed in the background, while the user continues their journey through the service.
Finally, and perhaps most importantly, verify to the minimum level required for the specific activity – are you sensing a theme here?

4. Use the latest tech
Where users are more digitally enabled, we should give them greater control of their data, using the likes of local digital wallets, where users hold their own verified facts and can share the data as they choose, right down to attribute level. The key is to make this a seamless experience, ideally with tools that users are already familiar with and trust.
Of course, on the flip side we have to remember that not all users are digitally enabled. But we can optimise for increased technology while also providing strong alternative routes to ensure widespread coverage.
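
To make attribute-level sharing concrete, here is an added example; it is not code from Kainos or from any of the services named in this article. It sketches a salted-hash selective-disclosure scheme in Python: the function names, the demo key and the sample attributes are constructed for illustration, and an HMAC stands in for the issuer's digital signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Assumption: HMAC stands in for the issuer's signature;
# a real issuer would sign asymmetrically so verifiers hold no signing key.
ISSUER_KEY = b"constructed-demo-key"

def _digest(salt, name, value):
    """Salted commitment to one fact; the salt stops guessing of hidden values."""
    blob = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _tag(digests):
    """Issuer's authentication tag over the full list of commitments."""
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: after checking the documents once, commit to each fact separately."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "tag": _tag(digests)}, disclosures

def present(credential, disclosures, names):
    """Holder's wallet: reveal only the named facts, nothing else."""
    revealed = [[disclosures[n][0], n, disclosures[n][1]] for n in names]
    return {"credential": credential, "revealed": revealed}

def verify(presentation):
    """Verifier: return the verified facts, or None if any check fails."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_tag(cred["digests"]), cred["tag"]):
        return None  # credential was not issued, or was altered
    facts = {}
    for salt, name, value in presentation["revealed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # revealed value is not one the issuer committed to
        facts[name] = value
    return facts

if __name__ == "__main__":
    # Constructed sample attributes
    cred, wallet = issue({"over_18": True, "date_of_birth": "1990-01-01",
                          "passport_number": "X0000000"})
    print(verify(present(cred, wallet, ["over_18"])))
```

The verifier learns that the holder is over 18 and that a trusted issuer vouched for it, while the date of birth and passport number never leave the wallet.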

5. Don’t neglect inclusion
An estimated 1.1 billion-plus individuals globally are without official proof of identity (World Bank, 2018), and approximately 13% of adults in the UK don’t have a smartphone (Statista, 2020). That’s a huge percentage of any userbase.
These individuals can’t be overlooked. In fact, often they are in most need of these kinds of services, particularly those provided by governments. There is no “one size fits all” solution – experiences need to be tailored to ensure everyone can be supported in a way that’s simple and accessible to them. Some people need a more direct interaction than an online form can provide, while others need a third party to perform actions on their behalf both in the short and longer term.
Thankfully, there are already many great solutions in existence that can support all parties, and it’s vital that these solutions, or other necessary adaptations, are included as a core part of the service, and not as an afterthought.

Digital identity verification dos and don’ts
- Don't ask for it unless you really need it - narrow it down to just the facts you must verify and nothing more
- Be open and transparent about what you’re collecting, why and who will access it
- Give users as much control as possible and demonstrate that you’re treating their data with the sensitivity it deserves
- Assume users are busy and distracted – the end-to-end journey needs to be easy and worth it for the return they receive
- One size doesn’t fit all – services need a range of access points which should be optimised to provide a smooth experience
It’s easy to think of digital identity as a “Digital Twin” of a person, similar to how we digitally map buildings or objects. This can lead to replicating full data representations of people, building masses of data. On the surface, this seems to have many advantages – it gives huge control and incredible insight into people, both as individuals and a group.
But as Ricky says, this route can be dangerous. The downsides are numerous – it quickly leads to the trust issues outlined here, it requires huge effort to manage and secure, and it inevitably ends up out of date. And at a national level, this approach opens a higher risk of nation state cyber-attacks with potentially huge impact. Whereas if individuals, in control of their own data, built their Digital Twin for themselves, held and controlled by them, it would be more accurate, less risky and would inherently build trust.

Remember: get the data that counts
Einstein once said “Not everything that can be counted counts”, and that’s the key to success. Focus not on what you can ask, but what you need to ask, and you won’t go far wrong.