What’s under the OneID® bonnet? Part 2 of 3

“What makes OneID trustworthy? And what about privacy – if I give OneID access to my bank account, won’t they see my transaction history or other financial information?” These are two of the many questions I receive when I say OneID® uses bank data to verify an individual’s identity. 

In this blog, I’m focussing on the work we’ve put into building a trust network and the work that goes into ensuring what should be private remains private. I’m Stuart Kempster, Chief Product Officer at OneID®, and this is part 2 of ‘What’s under the OneID® bonnet?’

 

Part 1 of the series focused on how OneID® works and what makes it highly effective. If you missed it, read it here.
Now, onto part 2.    

 

Actively and collectively developing the UK identity trust network 

The establishment of the UK’s identity verification ecosystem has required government, industry bodies, participants and regulators to design a comprehensive set of standards, guidance, and protocols to create workable digital verification services. We’ve always thought it important to support this and have been an active participant in its formulation.

Trust is an often-used term in the identity industry, but trust needs to be earned rather than self-declared. As an identity provider, we have invested heavily in gaining regulatory permissions for Open Banking from the FCA and certifications under the Department for Science, Innovation and Technology’s (DSIT) Digital Identity and Attributes Trust Framework (DIATF), which references the UK government ‘Good Practice Guide’ standards GPG45 (‘How to prove and verify someone’s identity’) and GPG44 (‘Using authenticators to protect an online service’). All are required to have the right to operate as an identity service provider.

Certified by the UK Government

Under DSIT’s framework, we are certified in two roles. As an Identity Service Provider, we prove that a person is who they say they are by connecting the ID evidence to the person. As an Orchestration Service Provider, we act as a ‘data broker’ that securely moves data between other parties, providing one place for all the identity data that you need.

This government certification allows us to provide a range of identity services, such as identity verification, employee screening (Disclosure and Barring Service, Right to Work), Right to Rent checks, Anti-Money Laundering checks and age verification under the Age Check Certification Scheme + Primary Authority.

Protecting privacy by using open standards 

We use global open standards to connect to the banks to collect and share identity data with the user’s consent; OpenID Connect (OIDC) provides the protocols for sharing ID data and is the basis of the Financial APIs (FAPI) security layer of Open Banking.

Following the protocols defined in OIDC, OneID® and the banks exchange authorisation codes and access tokens, which allow access to the requested data fields. In turn, OneID® completes a similar process with the third party that you may want to share your data with. We don’t see your data, and we don’t store your data. Your data is just forwarded with your consent to access a service online.

We also offer an extension to OIDC, known as OIDC for Identity Assurance (OIDC IDA), that defines how metadata can be shared alongside the actual ID data. The metadata can give details of which processes and checks were carried out on the data and which validation process was followed. Sharing this metadata forward gives additional assurance on the ID data.
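How a relying party might use that metadata is sketched below. This is an added example, not OneID®'s code: it reads the OIDC IDA `verified_claims` structure from already signature-validated token claims and releases only claims whose verification metadata meets local policy. The policy values, the `uk_diatf` and `medium` sample values, the sample payload and all function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Relying-party policy: assumed values for illustration only.
ACCEPTED_FRAMEWORKS = {"uk_diatf"}
ACCEPTED_LEVELS = {"medium", "high"}
MAX_AGE = timedelta(days=365)
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample of decoded ID token / UserInfo claims (not real data).
SAMPLE = {
    "sub": "constructed-subject-001",
    "email": "jane@example.com",  # outside verified_claims: no assurance metadata
    "verified_claims": {
        "verification": {
            "trust_framework": "uk_diatf",
            "assurance_level": "medium",
            "time": "2024-03-01T10:15:00Z",
        },
        "claims": {"given_name": "Jane", "family_name": "Doe",
                   "birthdate": "1990-01-01"},
    },
}

def _reject_reason(verification, now):
    """Return why the verification metadata fails policy, or None if it passes."""
    if verification.get("trust_framework") not in ACCEPTED_FRAMEWORKS:
        return "trust framework not accepted"
    if verification.get("assurance_level") not in ACCEPTED_LEVELS:
        return "assurance level not accepted"
    try:
        when = datetime.fromisoformat(str(verification["time"]).replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return "verification time missing or malformed"
    if when.tzinfo is None or now - when > MAX_AGE:
        return "verification time unusable or too old"
    return None

def accepted_claims(token_claims, required, now):
    """Return the required claims only if one acceptable verified_claims entry holds them all."""
    vc = token_claims.get("verified_claims") or []
    entries = vc if isinstance(vc, list) else [vc]  # IDA allows object or array
    reasons = []
    for entry in entries:
        reason = _reject_reason(entry.get("verification", {}), now)
        claims = entry.get("claims", {})
        if reason is None and all(name in claims for name in required):
            return {name: claims[name] for name in required}
        reasons.append(reason or "required claim not among verified claims")
    raise ValueError("; ".join(reasons) or "no verified_claims present")
```

Claims that sit beside `verified_claims` rather than inside it, such as `email` in the sample, carry no verification metadata, so the function refuses to return them as verified.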

Greater interoperability with different ID wallets and markets  

There are new technical stacks and protocols emerging in the identity industry, based on W3C standards known as Verifiable Credentials (VCs). OneID® has incorporated this technology into our data sources and our outputs to ensure interoperability with different ID wallets and markets.  

The EU, for instance, is adopting VC technology as part of its ID legislation (‘eIDAS2’), so we can enable cross-border data sharing between the EU and the UK using identity data stored within these data constructs. 

Because we source ID data from banks, we also use ‘Strong Customer Authentication’ (SCA), technology that the banks provide as ‘authenticators’, which are derived from ‘something you have, something you know, something you are’. The rules of SCA are consistently applied across all banks and enforced by the FCA.

At OneID®, as digital identity experts, we are proud of our involvement in creating the UK DIATF and are passionate about using Open Standards to both secure and protect an individual’s right to privacy. OneID® will continue to develop and adopt new technologies to ensure that everyone in the UK can safely participate in the country’s Digital Economy and continue to earn the right to be trusted.

 
