The government insists it will meet its 2016 deadline for all digital services to be underpinned by its gaffe-prone identity assurance system, GOV.UK Verify – despite having failed to move off the increasingly vulnerable Gateway system.
By March 2016 the Government Digital Service intends all departments to have integrated Verify with their digital public services. At this point, the government plans to stop using the decade-old Gateway system for citizen identity assurance.
In 2011 the National Audit Office identified an "urgent need" to find a better alternative to the Gateway.
"The Government Gateway provides only limited levels of identity assurance and, without further investment, its weaknesses will be increasingly exposed and under attack. Extending the Gateway’s life will delay the delivery of the digital by default agenda which needs higher levels of identity assurance," said the NAO.
But this year the department for Work and Pensions, which is responsible for the Gateway, spent £24m renewing the Gateway contract until 2016, according to its latest transparency data. Sources have told El Reg the retirement date has now been extended to 2018.
Verify aims to take a "federated" apporoach to identity assurance, with the public able to choose which private sector provider they want to use.
Until last week Experian was the only certified company providing GOV.UK's Verify system. Now Dutch identity company Digidentity has won certification.
However, it is unclear how the government intends to migrate the current 11 million Gateway users onto Verify – let alone how it will move high volume transactions that route direct to Gateway, such as PAYE forms and VAT.
Dates for when the majority of government services are expected to start using Verify have yet to be confirmed.
Concerns have also been raised as to whether citizens will want to authenticate themselves through suppliers such as Experian rather than directly through government.
The Gateway was developed in 2001 and took 90 days to implement. In addition to identity authentication Gateway also acts as a transaction engine that connects a number of frontend services to backend systems.
To date Verify has taken four years, is two years late and has so far struggled to get off the ground.
The Cabinet Office told El Reg there is no delay to its 2016 target. A spokesman from the DWP said the department will transition from Gateway by 2016. However, it is not clear at this stage when the "transition" will be complete. ®