honestlyreal

Icon

How the Government Gateway works

Caveat: this is not a technical description of how the Gateway works. Nor does it cover the behind-the-scenes services that the Gateway provides in terms of messaging and interoperation between various government systems. But it is my description of the way it works at the front end–the signing-on bit–of government services. Because that’s where it’s most apparent, and that’s the bit that’s often misunderstood. I wrote this because I haven’t been able to find such a description anywhere else on the Internet. Which is slightly odd (isn’t it?) given that the Gateway has been around for about ten years.

For a service that plays a part in millions of online public service transactions a year, the Government Gateway is surprisingly poorly understood, and described. What you can find online varies from the noble attempt (but not exactly functionally descriptive) to the flamboyant, to the technical, and on to the slightly bizarre.

But nothing in plain language that really sets out what’s going on. And, perhaps, what isn’t. I have something of a fascination around the mechanics of authorisation and authentication, particularly when applied to government services, so here goes.

You want to a use a service that has the gateway sign-on apparatus at its front-end. Like Income Tax Self-Assessment. So you go to HMRC’s Self-Assessment service and register as a new, Individual, user (as opposed to an Organisation, Agent or Pensions administrator). Very quickly you’re taken through a brief request for your name and a password, a few warnings about the seriousness of what you’re about to do and the type of documentation you’ll need with you later on, and behold: a big long formal 12-digit User ID pops up. 848355815693 is the one I just registered.

Shriek! Did I just put my Gateway User ID out there on the Internet? Why, yes I did. (We’ll come back to why that doesn’t matter in a moment.) HMRC are now asking me to continue through the process and ‘enrol’ in the service. But we’ll pause there for the moment.

The Government Gateway uses an approach called “Registration and Enrolment” (R&E). First you have to register for a User ID (we just did that). Then you have to enrol in the various services you want to use with it. Enrolment means you go through a process, specific to the service you’re trying to use, of giving proof of who you are and that you’re entitled to use the service. Leaving it up to the service to decide how much proof is needed is a really good thing, surely? No avalanche of information required to use a simple, low-value, low-risk service? We’ll see…

In theory, therefore, you can add more and more services to your ID, leading to what becomes a single sign-on for lots of services, using the same User ID and password. In theory.

The great genius of the Gateway R&E design is that it does the reverse of what you’d expect. Instead of trying to be all secure up front–insisting you prove entitlement and identity straight away–it wilfully ignores all that and gives you a wholly anonymous, “throwaway” ID number. You can go and get as many as you like. Try it yourself, now. Really, go and do it a few times. You can either do it via hmrc.gov.uk (just my little joke) or at the Gateway’s own site. They both work the same way.

It was once memorably described by a much cleverer colleague as “an insecure keyring to which you can attach secure keys”. (Great, until you need to find your keyring.)

The great folly of R&E is that it is utterly pointless, unsupportable, and ultimately valueless for normal people in real life. Have you spotted the gaping holes yet? Before we expose them in more detail, let’s quickly look at enrolment.

For HMRC self-assessment the enrolment process is the bit where you enter your Tax Reference Number and a few other bits of identifying information. And then you wait. For a PIN to arrive in the post. As a means of confirming you are who you say you are, before you can go any further. Not quite a seamless electronic transaction there, then. In the days leading up to Jan 31st the post seems to move very slowly indeed. And you might lose that 12-digit number in the meantime.

DVLA have a twist on the process: not for them the “give us a name and here’s your ID” approach. Oh no. They ask for lots of other qualifying information, name, address, Date of Birth, Passport Number, and—of course—money before they get to the bit where they spit out your new provisional driving licence. Not bad, really.

They’ve almost masked the presence of the Gateway entirely. There’s a question at the very beginning saying: “While applying, you’ll be issued with a Government Gateway user ID. If you already have a Government Gateway User ID, simply enter it with your password.” And if you haven’t, can’t remember it, or can’t be bothered—don’t fret, you can just get another one.

Getting a sinking feeling about the value of this User ID yet? (And actually, people will fret. They will spot this sort of “do I/don’t I need to…” ambiguity and it will delay or put off some people from using the service.) Doubt is something you really want to design out of online transactions.

So, behind the scenes, DVLA just went and generated you another Gateway User ID. One you’ll probably never need again, and one which carries no security risk, but isn’t necessarily anything to do with your other Gateway relationships. Unless you happened to have a previous one to hand when you applied. (I’d love to see some stats on how many do this, by the way.)

So, let’s look at what’s really bad about all this (and I stress again that I am talking about the user experience of the Gateway as a front end to transactions: Gateway R&E. Not about the back-end messaging standards which also form part of the Gateway suite of services):

1. Unsupportable. You can’t find your Gateway ID or password: what do you do? No point approaching the Government Gateway team—they don’t know who you are. They only recorded a name and password (which you might have lost). If you’re going to start resetting passwords and handing out IDs by email you need some better checks than that. They don’t have any information to check against. (And you’ve probably spawned several by now as you’ve been navigating through various online services. Which one have you lost?) So you approach HMRC, or whoever you need to deal with at the time. And they ask for your Tax Reference Number. Because your relationship is with them and that’s how they know you. The Gateway adds no value.

2. Take-up. Despite a bit of official posturing about it being government’s preferred online transaction authentication solution, and a few high-profile services which incorporate the front-end bit in some inconsistent way, most services routinely ignore it. Look at this service list: and this service has been operating for how many years, and has had how much spent on it? The Gateway is routinely ignored at the front end because it adds no value.

3. Lack of transparency or challenge. Try and find another piece like this on the internet that explains what’s going on and casts a critical eye over value. People seem remarkably reticent to discuss something that is a pretty big feature on the government technology landscape. If they do praise it, it looks like this, emphasising the benefits to service providers of using its protocols and messaging, but glossing over the broken stuff with phrases like “allows citizens to have one user ID and password”. Yes. In theory. Oh pur-lease.

4. It’s not Your Account for Government. It never can be. It’s designed not to be. This is a particularly pernicious failing. It raises expectations that it should, somehow, be a single connection point between citizen and state online. When it’s compromised, we panic. When it fails to add any value, we’re disappointed. We’ve been, effectively, duped into thinking some sort of useful, usable functionality has been added. It hasn’t.

5. It fundamentally misreads individual user behaviour online. People do share and lose their IDs and passwords. Putting in a wait for the postman does result in everything having to be redone, and in sapping user confidence in government’s online services. The situation is slightly better for businesses, and I will concede that for business-facing transactions (and for accountants, agents and other intermediaries), Gateway R&E probably does add some value. But there’s a hell of a difference between employing someone whose job it is to get these processes right, and providing services to individuals.

One can see why Gateway R&E had some attractions: ten years ago, when it started, there was massive political pressure to bring public services online. Earlier attempts to build a secure authentication framework across all services had foundered (and still do, see numerous other posts here on this). This half-way house created a way in which the press and public could be fed stuff like that BCS line above, and we public could be left to pick up the pieces of a miserable, broken, user experience.

A value-adding single sign-on experience can be yours. If only you don’t do stupid stuff like lose passwords, IDs, or a strange little card we send you, and if you can manage to navigate around the workarounds (like that DVLA “if you already have…” stuff) that we have to build into every service to make them actually get used.

Time for a few pointed questions and FOIs, I think. Because this is fundamentally difficult territory, I think it’s had a bit of an easy ride.

Category: Other

Tagged: , , , ,

125 Responses

  1. David W says:

    I was pushed for time, Paul and didn’t see the point of adding a further 10 (read 20!) minutes to the process!!!
    If only I knew what was to come….

  2. Gav says:

    This is really the only site that explains what the Gateway is about. I’m here because I’m finally getting round to learning to drive. I apply for a provisional. It asks for the ID, so being a programmer I’ve got it saved somewhere. I try to use it, fails. So I apply online only to be told they need some information (which that don’t specify) and it looks like I’m gonna have to fill in a paper form. What a waste of time.

  3. jan says:

    I just tried to provide DVLA with my existing Government Gateway ID – it let me log in. Then I had to go through their registration process and when I get to retrieving my licence record it cannot find my licence based on my driver number and address. It took me 20 minutes to find a working support contact form.

    The next day they replied and told me that the problem was I couldn’t use my existing government gateway ID and would have to create a new one. I am still waiting for a response as to how that ties in to the actual error I received.

  4. Peter Arnold says:

    I have entered my Government Gateway ID as per my HMRC account, but DVLA will not accept password. They reckon the HMRC ID is a business ID, but my tax return is a PERSONAL one!
    So after losing 45 minutes of my day I will fill in paper copy.

  5. Martin Palmer says:

    I’m trying to claim my pension. I’d previously (2011) got myself registered with the Gateway, and subsequently received the ‘Activation Code’ through the post, and used it. Now when I try to do the claim process, having successfully logged on with my User ID and Password, and then entering some other information (NI number, DOB etc) I’m informed I’ll be sent ANOTHER activation code, through the post, to allow me to proceed with the claim. WTF…?

  6. HMRC says to enter my Government Gateway ID and password, but doesn’t accept them. (even though they work just fine on gateway.gov.uk, and it even shows me as enrolled for Self assessment).

    The “best” thing was after I requested help they sent a form letter back which stated “if this email didnt help please reply below”.
    You know how long they gave me to do that reply before they closed the ticket? 3 minutes.
    3 minutes I had from receiving the email to them preventing me from replying.

  7. Nikos says:

    the site is a joke, password reset impossible because I can’t remember the secret questions.

  8. Spiros says:

    Hi
    This service in poorly architected. The people that designed this system have no idea what a unique account is, what decent UX means and how to create online services. The government needs to scrap this current mess. Every person in support also has a different answer as to why my previous years accounts are in a different account that cannot be accessed. Unfortunately post is the only answer until the government completely restructures the current account hierarchy and uses unique identifiers.
    Absolutely horrible experience. If private enterprise had launched this type of a service for a customer, there would be serious repercussions.
    Spir os

  9. This site is a joke. I couldn’t register for a SA on it so called online services. She took me to another website I hadn’t even heard of – no link at all to Gov Gateway and said to use this website as the other one (for the public) is too complicated. 3 days wasted trying to register for a SA.

  10. georgie says:

    A total joke! To tell you your user name/number they need your password, and to reset your password they need your user name/number. I don’t even remember now which email address I used to register 10 years ago. A commercial organization would have lost most of their customers by now.

  11. Andrea says:

    Hi there.. I registered on gateway last month for the first time as a self employed, to receive a letter with activation code as organisation ?!?I am confused, can I still fill my tax return on that account , just a bit worried as I am running out of time for online self assessment. Thx

  12. Matthew Hall says:

    This Gateway thing is a farce. I’m trying to claim my pension. They sent me an activation code but I cannot find where to use that, instead I’m asked for my Gateway ID and password. I think I had one 5 or more years ago but there’s no way of getting that re-sent. If I re-register as you suggest here it says I already have registered and what’s my user ID?
    So it’s off to print and fill in the paper form which helpfully doesn’t tell me where to send it, so now I need to phone them to get them to send me an envelope for the paper form.
    Just wasted hours over 2 days.
    Oh! and they wrote to me initially telling me to claim my pension so they obviously already have most of my details.

  13. Karl says:

    absolutely appaled by this system. Got a user ID and password and have gine through getting an activation code via my phone, but no that not enough! (seems perfectly ok for my bank with 250K of my mone). No when you have to GIVE them money they make it nigh in impossible to F~ing tell them how much. The fine you if you dont. After inputting ID / Password / activation code (all correct) they wanted me to answer 6 – yes 6 questions from my credit file. Most of it I dont remember – so back to square one but your locked out for 24 hours. Absolutely terrible, why they need this amount of information is just beyond me!

  14. Anne Greene says:

    In Sept 2016 I got an email to get a new ID for Governement Gateway, did this, then in December 16 when I tried to access the site was informed that my User ID/Password were not recognised. After spending days and hours trying to speak to someone was informed that the new ID I had setup in September was not connected to my Account and that the old ID I had set up 10 years ago was the proper one. Neither the person I was speaking to nor could get on using either ID’s. I am left now with not been able to access the sites with anything. I do not know what to do.

  15. Steve Groves says:

    This site looks and feels like a 1990s website. Let’s face it, anything run by the government is bad news. Remember their slogan ‘digital by default’, should be ‘dodgy by default’

  16. may bowman says:

    If they give you questions from your credit file and you don’t know the answers what are you supposed to do? Apart from chase your own tail! Nobody seems to be able to tell you what to do when you phone up. Five days in and I’m no nearer getting it right, in fact I’m guessing just like a fraudster would. All I want to do is my self assessment and time is running out. Anyone know the solution?

  17. Rodger Ashwell says:

    Just gave up trying to register (You’re already registered-go to log in. Log in says to register. Bah! Back to the postman. More life wasted.

  18. John says:

    Really accurate report, tried to activate my state pension on line, on the basis of my experience it is probably a government attempt to get us new 65 year olds to pass away before we can claim through this system. Having worked in I.T. for most of my life this system made me doubt my abilities, not to mention my sanity. Can’t we get Nigel Farage to start a political party to sort this out

  19. Paul says:

    Not all that sure the views of a tired old racist who can’t win an election will do much sorting out tbh

  20. c says:

    I cant believe what the GG is putting me through – my taxes are a mess because of it. No one cares. I will be fined for not being able to use a rubbish system.

  21. louise Evans says:

    Ive received an email from Inland rev stating that they owe me £200. Last year they told me this would be automatically sent in the post if i didn;t register. I tried, gave up, and nothing arrived in the post. When i try to register there isn;t an option for tax rebate…so i don;t get past beginning. Anyone any ideas?

  22. […] half revealed online. There is also a separate user ID. All a bit cumbersome. Citizen blogger Paul Clarke neatly sums it up as being, “not quite a seamless electronic transaction”. Nowadays anything […]

  23. will says:

    registration for HMRC went ok until credit ref agency check
    failed to id me, please anyone what can I do because
    no interactive contact possible from helpdesk.

  24. will says:

    registration ok until credit ref agency check ID failed please anyone what can I do because no interactive help from helpdesk.

  25. Austin says:

    Good blog. I was suprised to find the GG seems to need a re-register basically every time I use it! Basically almost useless…

Leave a Reply

Flickr Photos

_PX45325

_PX45324

_PX45315

_PX45309

_PX45308

Uncle G

_PX45268

_PX45267

_PX45257

_PX45256

More Photos