Gov.UK Verify identity management system riddled with 'severe privacy and security problems', warn UCL academics

And the US Federal Cloud Credential Exchange isn't any better

The government's e-identity system, Gov.UK Verify, is riddled with "severe privacy and security problems", including a flaw in its architecture that could facilitate mass surveillance.

That is according to a paper by a trio of academics at University College London, which examined both Gov.UK Verify and the US Federal Cloud Credential Exchange (FCCX) and found them both to be highly flawed.

"Both systems propose a brokered identification architecture, where an online central hub mediates user authentications between identity providers and service providers. We show that both FCCX and Gov.UK Verify suffer from serious privacy and security shortcomings, fail to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy," claim the researchers.

"Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users," the paper continues.

"FCCX and Gov.UK Verify propose using a brokered identification scheme, where an online central hub actively mediates the communication and ensures interoperability between RPs [relying parties] and IDPs [identity providers]. The systems use standardised web back-end technologies, such as the SAML assertion language and the XML encryption and signature standards," explain the researchers.

The problems start with the "identity ecosystem" that both Gov.UK Verify and the FCCX set out to provide. Each scheme places a central hub between the identity providers that authenticate the user and the service providers that consume the result, and that hub actively mediates every authentication between them, so it sees each transaction in full.

"The privacy and security of FCCX and Gov.UK Verify rely on a fully honest and uncompromisable hub... we argue that a good solution should be resilient even when the hub is curious (about what it sees) and/or malicious (about the actions it takes)," they say.

"Regrettably, in both FCCX and GOV.UK Verify, the forensic capabilities of the hub as currently described could be abused and enable undetected mass surveillance," they add, listing shortcomings in both systems in terms of authenticity, unlinkability within a transaction, and traceability.
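To make the three hub capabilities the researchers describe concrete (visibility over personal data, cross-service linking, and undetectable impersonation), the following is an added toy model of a brokered identification flow. It is illustrative code written for this page, not code from the UCL paper, Gov.UK Verify or FCCX. It assumes, for simplicity, that assertions are JSON dictionaries signed with HMAC-SHA256 standing in for SAML assertions with XML signatures, that the hub verifies the identity provider's assertion and then issues its own freshly signed assertion to the relying party with a per-service pseudonym, and that the relying party trusts only the hub's signature. The user record, keys and service names are constructed.

```python
"""Toy brokered identification: IDP -> hub -> RP.

Added illustration, not the paper's or the real systems' code. Assumptions:
JSON assertions signed with HMAC-SHA256 (stand-in for SAML + XML-DSig); the
hub re-issues its own assertion to each RP and keeps a log of what it saw.
"""
import hashlib
import hmac
import json

# Constructed keys; real deployments use asymmetric signing keys.
IDP_KEY = b"idp-signing-key"
HUB_KEY = b"hub-signing-key"


def sign(key: bytes, payload: dict) -> str:
    """Detached MAC over a canonical JSON encoding (stand-in for XML-DSig)."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def idp_authenticate(user: dict):
    """IDP authenticates the user and asserts verified attributes to the hub."""
    assertion = {"issuer": "idp", "audience": "hub", "subject": user["idp_uid"],
                 "attributes": {"name": user["name"], "dob": user["dob"]}}
    return assertion, sign(IDP_KEY, assertion)


class Hub:
    """Central hub: consumes IDP assertions, issues its own to each RP."""

    def __init__(self):
        self.log = []  # everything the hub is in a position to record

    def pairwise_id(self, idp_uid: str, rp: str) -> str:
        # Per-RP pseudonym so two RPs cannot link the user between themselves.
        return hashlib.sha256(f"{idp_uid}|{rp}".encode()).hexdigest()[:16]

    def issue(self, rp: str, idp_uid: str, attributes: dict):
        # The RP-facing credential rests on the hub's authority alone.
        hub_assertion = {"issuer": "hub", "audience": rp,
                         "subject": self.pairwise_id(idp_uid, rp),
                         "attributes": attributes}
        return hub_assertion, sign(HUB_KEY, hub_assertion)

    def broker(self, idp_assertion: dict, idp_sig: str, rp: str):
        if not verify(IDP_KEY, idp_assertion, idp_sig):
            raise ValueError("bad IDP signature")
        # Visibility: the hub must read the attributes to re-issue them.
        self.log.append({"rp": rp, "idp_uid": idp_assertion["subject"],
                         "attributes": dict(idp_assertion["attributes"])})
        return self.issue(rp, idp_assertion["subject"], idp_assertion["attributes"])


def rp_accept(rp: str, assertion: dict, sig: str) -> bool:
    """RP trusts only the hub; no IDP-originated evidence ever reaches it."""
    return assertion["audience"] == rp and verify(HUB_KEY, assertion, sig)


def demo() -> dict:
    alice = {"idp_uid": "idp-user-7718", "name": "Alice Example",
             "dob": "1980-01-01"}  # constructed user record
    hub = Hub()
    a1, s1 = hub.broker(*idp_authenticate(alice), rp="tax-service")
    a2, s2 = hub.broker(*idp_authenticate(alice), rp="benefits-service")
    # Malicious hub: fabricate a login with no IDP authentication at all.
    f, fs = hub.issue("tax-service", alice["idp_uid"], dict(a1["attributes"]))
    return {
        "rp1_accepts": rp_accept("tax-service", a1, s1),
        "rp2_accepts": rp_accept("benefits-service", a2, s2),
        # Linking: RPs hold different pseudonyms, the hub holds one IDP uid.
        "rps_can_link": a1["subject"] == a2["subject"],
        "hub_can_link": len({e["idp_uid"] for e in hub.log}) == 1
                        and len({e["rp"] for e in hub.log}) == 2,
        "hub_sees_pii": all("dob" in e["attributes"] for e in hub.log),
        # Impersonation: accepted, and byte-identical to the genuine login.
        "forgery_accepted": rp_accept("tax-service", f, fs),
        "forgery_indistinguishable": (f, fs) == (a1, s1),
    }


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

The point the model makes is structural rather than a bug in any particular implementation: because the relying party's trust terminates at the hub, nothing the RP receives lets it distinguish a brokered login from one the hub made up, and because the hub must read and re-sign the attributes, it necessarily holds both the personal data and the one identifier that ties a user's sessions together across services.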

However, the researchers did make a number of practical suggestions for improving the security of both systems, although they added that both Gov.UK Verify and FCCX needed more independent public review before either could be considered fit for purpose, and criticised the "incomplete" documentation of both systems.

Download the full technical paper here [PDF].

See also: Gov.UK responds to academics' claims that its e-identity system is insecure