HMRC confirms plans to develop its own authentication service rather than use Gov.UK Verify
New ID scheme will need to be in place before Government Gateway closes next year
Her Majesty's Revenue and Customs (HMRC) has confirmed widely held suspicions that it will eschew the Government Digital Service's (GDS) Gov.UK Verify authentication service and implement its own alternative.
It comes as the HMRC gears up to make the transition from the Government Gateway IT infrastructure that it has used to provide services to taxpayers. However, the Government Gateway is scheduled to close next year, forcing departments across government to re-think their strategies.
"There is much the current Government Gateway service does well and we'll be looking to take forward into a new solution. But we also know we can provide a more agile, flexible and secure set of services, and at lower cost," wrote Mike Howes-Roberts, HMRC programme director responsible for transforming Government Gateway, in a blog post.
For Howes-Roberts, that means replacing 53 of the 123 services that the Government Gateway currently supports - in something like a year.
"In addition, we're exploring options around other government departments also using this replacement service. This would be restricted to business and agent-facing services only as Cabinet Office requires all other departments to use Gov.UK Verify: the cross-government service for any citizen-facing services where customers need to prove their identity," he added.
In other words, HMRC is pressing ahead with its own authentication service, with the blessing of government, to provide the kind of authentication capabilities that Gov.UK Verify is unable to provide.
Other departments across government will adopt the GDS's much maligned Gov.UK Verify service to authenticate users and, effectively, to provide a single identity to users of services across the public sector.
But Gov.UK Verify has been riddled with problems. Integrated by Defra into the Department for Environment, Food & Rural Affairs rural support scheme in 2014, for example, users complained that the had been unable to register with Experian, the credit ratings agency that, at the time, was the only company certified to confirm users' identity.
That was before it was even formally launched. A year later, it was slammed by security experts, who described it as riddle with "severe privacy and security problems", including a flaw in its architecture that could facilitate mass surveillance.
It finally launched properly only last year after long delays, to warnings from campaigners that it was unnecessary, limited and potentially insecure.
In addition to avoiding problems like these, another key problem with Verify as far as HMRC is concerned is that third parties cannot legitimately use it on behalf of clients. So, for example, an accountant couldn't legitimate file VAT or tax returns for a client for HMRC for a client.
"With Gov.UK Verify, you can only register individuals - you can't register companies, partnerships, trusts, sports associations and all of the other types of legal 'person' that the Government Gateway can handle," said campaigner David Moss, when Gov.UK Verify was formally launched.