The UK government has revealed its plans to introduce new legislation to securely handle the introduction of digital identities for use throughout modern society.
Announcing the news on Thursday following a consultation period, the Department for Culture, Media, and Sport (DCMS) said it sees digital identities being used in place of physical documents like passports and driving licences.
Online verification that requires scans of such physical documents will soon offer the opportunity to use a digital identity instead. The digital equivalent can also be used to buy age-restricted items in retail stores, such as alcohol.
The digital identities will not replace physical documents, the DCMS said, but can be used if anyone wants to - there will be no obligation to create a digital identity in the UK.
A new governing body for the technology will be formed, called the Office for Digital Identities and Attributes (ODIA), and companies that are tasked with handling the personal information associated with the digital identities will need to apply for a new, to-be-created trustmark to show they have the adequate protections in place.
“The ODIA will have the power to issue an easily recognised trustmark to certified digital identity organisations, to prove they meet the security and privacy standards needed to handle people’s data in a safe and consistent way,” said the DCMS.
“The ODIA will ensure trust-marked organisations adhere to the highest standards of security and privacy.”
The DCMS said it will bring the legislation forward when parliamentary time allows it to. In order for it to be implemented into law, a legal gateway that allows organisations to securely carry out verification checks needs to be established and proper checks will need to be made to ensure the digital identities are legally equal to physical documents.
Such digital identities will be accessible via mobile apps and websites, and are thought to help tackle the “record high” levels of fraud in the UK with an estimated 5 million cases in the year ending September 2021, the DCMS said.
Centralised vs decentralised identities
The proposed rollout will operate on a centralised model - it will see designated third-party organisations manage the digital identities of many people in the UK. This goes against the model suggested by Microsoft, which also published its views on the topic of digital identities on Thursday.
RELATED RESOURCE
Multi-factor authentication deployment guide
A complete guide to selecting and deploying your MFA authentication guide
Microsoft said simply digitising a physical document like a driving licence and using it as a like-for-like replacement allows companies to see more information than perhaps may be necessary. Instead, it proposed a decentralised model which sees the individual own their identity fully and also the power to reveal or revoke parts of the digital document as needed.
“With decentralisation, you can prove the person is the genuine owner of the real-world identity by verifying their digital signed credentials,” it said. “Individuals can use a secure, encrypted wallet to store their identity data and easily control access to it.
“A decentralised identity could replace the need for usernames and passwords altogether and work with other forms of authentication to provide the required level of attestation.”
Government’s competence in question
The UK government has attempted to implement a secure digital verification for a number of years, most notably culminating in the widely admonished Verify project.
Verify was introduced in 2013 by the Government Digital Service and was slammed by the likes of the National Audit Office and internal Parliamentary committees for missing every one of its targets and “failing the public”, three years after its advent.
A panel of experts, assembled in 2020 to debate a techUK report on digital identification, called the government’s call for evidence “vague” and branded its response to the topic as “woeful”.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Lacklustre leadership from DCMS delays UK-wide biometric identity platform rolloutNews For years the UK government has longed for a fully functional digital identity system, but it isn't helping those who are crying out to build it
-
Thoma Bravo's $2.3bn ForgeRock acquisition brings 2022 cyber investment to $12bnNews The firm will have spent big on three different digital identity access management companies in the last year, in addition to significant industry investments since 2019
-
Thoma Bravo adds Ping Identity to growing cyber security portfolio in $2.8 billion acquisitionNews The intelligent identity company joins Proofpoint and Sophos, among others, as it looks to accelerate its cloud transformation
-
Thales acquires OneWelcome to boost identity and data privacy managementNews The company is set to buy OneWelcome for €100 million (£84 million) and use its offerings to give users greater control of their data
-
CIAM buyer’s guideWhitepaper Finding the right CIAM solution to capture & retain customers, fuel business growth and keep customers safe
-
The hybrid work maturity frameworkWhitepaper Your roadmap to trusted flexible working
-
Thoma Bravo acquires SailPoint for $6.9 billionNews Following the acquisition, SailPoint will no longer be listed on any public market
-
SentinelOne to acquire Attivo Networks for $617 millionNews The deal will broaden SentinelOne's access to extended detection and response technology
