1. Introduction and overview
We've been certified as a trusted Identity Provider as part of the government's GOV.UK Verify initiative – a new way for UK citizens and residents to prove who they are online, so that they can use government services safely.
Barclays Identity Service (BIS) is available with government departments as part of GOV.UK Verify.
Barclays Identity Service enables:
- All UK citizens and residents over 18 to create their digital identity online in simple steps
- Users to assert their identities for use with government services
- Strong authentication model with periodic validations to protect individual identities against fraud by using most up-to-date information
BIS has been designed and built to meet government standards, which are detailed in Good Practice Guides 44 (authentication) and 45 (Identity Proofing of an Individual) as well as other relevant industry documents. Further information can be found here.
Further information about GOV.UK Verify can be found GOV.UK Verify.
Information about Barclays Identity Service.
2. Service components
2.1. Key service components
GOV.UK Verify is new way to log in to online government services. GOV.UK is the digital home of all government services, which supports a number of online services, eg online self-assessment, company car tax, and claim a tax refund. Users are required to register for digital identities via GOV.UK. Once registered, customers will be able to assert their identity on GOV.UK using BIS sign in credentials.
A customer is required to authenticate themselves when they want to access their identity profile – this is in order to use a government service or to make changes to their profile information. For authentication, a customer will be required to provide a username and password, plus a one-time passcode sent to the mobile number registered to their identity profile.
Identity proofing and verification
This is the core application that's used to prove and validate an individual’s claimed identity.
This is the central data storage for all registered identity credentials.
Customer profile maintenance
This service enables customers to keep their credentials up to date – to ensure that the correct details are available and to protect against potential fraud.
Barclays Identity Service helpdesk
BIS is designed as a digital service where customers will be provided with end-to-end assistance via online FAQs and web chat. If customers have queries or issues which are not resolved via FAQs or web chat they'll be able to contact the BIS telephone helpdesk.
3. User credentials and security
3.1 Registration and identity proofing
An individual wishing to access a government service, such as completing a tax return or checking their driving licence, will be asked to verify their identity from a panel of certified companies. When they choose Barclays as their Identity Provider, they will be transferred to the Barclays Identity Service.
The service is entirely online and the checks are automated. It takes roughly 10 minutes to complete the registration process.
Step 1 A customer new to BIS will set up their digital identity profile by creating a username and password. They'll need an email address and a mobile phone number in hand to complete the registration process.
Step 2 They'll then be asked to provide name, address and date of birth information – including previous details if required. BIS will then require a customer to provide their passport, driving licence and UK bank account details. These details will be verified with HMPO and DVLA via the evidence checking service and Equifax – a credit reference agency.
Step 3 As a final step in identity assurance, the customer will be asked questions that only they should know the answer to, based on their credit history. Their answers will be checked to help verify their identity.
Once the identity check is complete, they'll be returned to the government service they were using. For subsequent use, they can go to any online government service with the GOV.UK Verify logo and sign in with their new Barclays Identity Service profile credential.
In accordance with Good Practice Guide 45 (Identity Proofing and Verification of an Individual), BIS issues credentials to customers that at least meet the requirements at Level of Assurance 2.
3.2 Customer authentication
At the time of registration, customers will be required to set up a unique username, password and memorable word of their choice. The password has high standards in accordance with Good Practice Guide 44 (Point 17, table 7) and is disabled after repeated failed attempts. Users are also required to verify their email and mobile at the start of the registration process using One Time Passcode (OTP).
A customer is required to authenticate themselves when they want to access their identity profile in order to use a government service, or to make changes to their profile information. BIS will ask the customer to provide the username and password that is related to their identity profile. Following this customer will be sent a one-time passcode to their registered mobile number. The one-time passcode has an expiry of 5 minutes from the time it is sent out. On providing correct passcode to authentication service, the customer is allowed access to their identity profile.
In the event that a customer has forgotten their credentials, then – depending on the circumstance – BIS will take the customer through to a credential recovery process, using the informing we have on their identity profile.
3.3 Credential validity and revalidation
Identity credentials are valid and available subject to successful proofing and verification. Credentials are verified periodically to ensure that the most up to date information is used for credential revalidation. Periodic validation is in accordance with the requirements defined in GPG45. User identities where credentials could not be successfully verified are marked as failed.
User credentials will not be available where:
- User credentials provided during registration do not pass validation checks
- User credential fails periodic validations
- Identity profile is suspended or revoked due to inappropriate usage until required investigation is completed
- Identity profile is marked as dormant due to inactivity for more than 24 months. Dormant profile is then deleted following further user inactivity for next 12 months. In this case users will be required to re-register to Barclays Identity Service
- User chose to delete their identity profile and no request is received to cancel the delete instruction within 28 days
3.4 Customer profile maintenance
Barclays encourages BIS customers to keep their credentials up to date to avoid identity fraud.
Using the online Profile Maintenance service, customers can update their personal details, contact details and profile settings including ability to delete their identity profile at any time.
3.5 Security and fraud prevention
3.5.1 Fraud prevention
Several controls are built within BIS to protect all sensitive data from fraudsters. A combination of controls and processes are deployed to detect and mitigate fraud attempts.
Barclays networks are available 24 hours a day, 7 days a week, and equipped with multiple layers of security. The network is constantly monitored to identify any potential threats. A number of effective tools and controls are deployed to protect all communication against internal and external threats. Periodic reviews are performed to mitigate any risk arising due to ever changing nature of threats.
3.7 Data protection
Comprehensive data protection techniques, controls and processes are deployed to protect sensitive data.
3.8 Data management
Customer credentials are held in securely managed environments. Any data specific to identity proofing and verification is stored in a separate environment from the rest of Barclays' data. Access to BIS data is only permitted to approved teams and individuals.
Identity profile data is archived for 7 years once deleted.
Customer credentials are not disclosed to any individual or organisation other than Government Digital Services without a legitimate request authorised from a court of law.
Customer’s credentials and assertion data comprising of name, date of birth and address is exchanged with the government using G-SAML. Customer Profile Maintenance is over https.
Barclays Identity Service is covered by ISO27001 Certificate/Licence number: IS539200
3.12 Help and support
Barclays will provide different levels of support to allow its users to perform functions related to Barclays Identity Assurance service.
BIS customers will be offered self-service functions to handle situations like forgotten password, lost/stolen phone, change of email, change of personal details.
A dedicated FAQ and help section will guide BIS customers through the process and will be available in English and Welsh.
Further support will be available through online Web chat and Telephone channel, the details of which will be made available on the Barclays Identity Service website.
For more specialist support, Barclays Identity Service telephony team and Business operations will provide dedicated support on specific scenarios like Complaints, Identity Repair, Data Privacy Request, Account Closure, Incidents, breaches etc.
More information is available on following links:
Terms & Conditions: http://www.barclays.co.uk/identity/termsandconditions
Contact Us: 0333 202 7479. Lines are open Monday - Friday 8am to 10pm, and Saturday and Sunday 8am - 5pm
4. Service availability and disaster recovery
Barclays Identity Service is available 24/7, 365 days a year and is only accessible via GOV.UK Verify. The service is monitored 24/7 to ensure availability, performance, component failure detection and protection against security breaches.
Barclays operates multiple UK based data centres and Disaster Recovery sites to enable smooth operations against disasters.