A government source quoted in the Times newspaper yesterday said that the new “Verify” scheme would “remove once and for all the need for identity cards because it will be possible to prove your identity securely without one”.
Now my understanding of how “Verify” works (via a choice of 5 private service providers) is that on completion of an online application one is provided with a user name and password which are used to get a code sent to one’s mobile phone. You can then access government services online using this code.
This sounds very similar to the online banking app I’ve been using for a while now from First Direct – and I’m sure that other banks have their own variations. The whole system depends on having a mobile phone and that device is in your possession. The fundamental “security” still needs a user name and password and the verification element is the code sent to the phone.
But what if:
the phone isn’t with you? Doesn’t happen to me a lot I grant you (it’s practically surgically attached) but I’m sure it happens to many people all the time.
the phone falls into the wrong hands? Well they’d still need the user name and password but these can be spoofed easily.
Your phone is hacked? I seem to recall that this has been in the news quite a lot recently. Messages can be hacked as well as voicemails.
I was going to add what if you don’t have a mobile (but even my 113 year-old grannie has one) or you were in a signal black-spot but the airtime providers assure us that 99.9% of the UK is covered (except for the vast tranches of the country I happen to drive through).
The fundamental point here is that this new government system for identity verification is flawed and can be by-passed by those who want to. The most accurate and foolproof method – biometrics such as fingerprints, DNA, iris recognition and so on – would be expensive to implement and potentially impractical to operate. However (and here’s the sales pitch folks), solutions do exist that can take pictures of people via the phone on their device (laptop, tablet, smart phone etc.) and compare them to those held on file.
You may consider this a bit “Big Brother-esque” but as the government already has your picture for your driving licence and passport – what’s the problem? Would you rather they verified you properly or relied on the old tried and trusted user name & password routine? I confidently predict a rash of stories in a few months about the insecurity of the new system.
Have a look at Presence Assure on this website and if you like it tell your friends and colleagues. It takes a lot to change the way we do things, but some of us have got to try.