Why build a product people won't or can't use? Our user researchers share their approach to understanding needs for government’s single sign-on.

---------

The transcript of the episode follows:

Vanessa Schneider: Hello and welcome to the Government Digital Service podcast. My name is Vanessa Schneider and I am Senior Channels and Community Manager at GDS. In August, we recorded an episode on digital identity and single sign-on as part of our plans to develop one inclusive and accessible way for people to log in to all government services online. You heard from Will and Helena from GDS, as well as Tom from Veterans UK, who shared how we worked with other parts of government to shape this work. Since then, we passed the digital identity service assessment, integrated our authentication component with the first service, and completed research with more than 800 end users. And it's that research that we want to talk about today. Joining me in this are Lauren Gorton and Charlotte Crossland, both user researchers at GDS in the Digital Identity Programme. Lauren, could you please kick us off by introducing yourself and what you do?

Lauren Gorton: So I'm Lauren. I'm a user researcher on the digital identity programme in GDS, and specifically I work in the authentication team. We look at the credentials that people use as part of the single sign-on. And the first steps of our journey went live in October. So specifically, I focus on the end user aspect of that and focus on the citizen side.

Vanessa Schneider: Fantastic, thanks. Charlotte, could you please introduce yourself and what you do as well?

Charlotte Crossland: Absolutely. Hi, everyone. I'm Charlotte, I'm a user researcher on the digital identity programme, working in the design for adoption team. We've been doing a lot of research with service teams across government. We're building an authentication onboarding journey, as well as looking at identity materials that teams can use to make decisions.

Vanessa Schneider: Fantastic, thank you so much, both. So, not everyone will have listened to the previous podcast episode or read the blog posts that we've written about this work. Would one of you mind explaining a bit more about One Login for Government?

Lauren Gorton: Yes, so One Login for Government is one of the government's major projects at the moment. On GOV.UK there, there are several different sign-ins at the moment, and many different routes users could take. So what we're trying to do is streamline that down, so that in the future, there'll just be one single sign-on for GOV.UK to help improve the journeys for users and reduce confusion for people. That then opens the door to do lots of other cool things in the account space, so that people aren't having to repeat themselves too often in different services, and it helps government to basically join up a bit better.

Vanessa Schneider: Great stuff. I can see the importance in that [laughs]. Obviously, this is a loaded question to ask, given both your roles as user researchers. But I was wondering why is user research so integral to that?

Lauren Gorton: So there's no point in building something if people won't or can't use it. And the only way we know if we're on the right track is if we actually speak to the people who are the intended users. That's probably important for any organisation or business, but it's especially important in the context of government, given how important government services are if people can't access them, that can have a huge impact on people's lives. So we can't really afford to build something which people either can't use or won't use. [For] the citizen side of the research, our approach is to gather insights at all stages of the projects and from as representative a sample of people as possible. One thing is that we're not reinventing the wheel. There have been other government projects that have come before us who've done work on sign-on services. So there's a lot of existing research and insights that we can sort of learn from as a first step. So we, we initially did some very extensive desk research, including research artefacts from Verify, Government Gateway, recent COVID[-19, coronavirus] projects, and, you know, getting lessons learnt from peers in the NHS, who are working on the NHS login at the moment as well. So it's kind of given us a running start, really, to see what worked well before us and what didn't work so well. And we then built on top of that with our own research. So for a variety of different techniques, things like doing interviews with people and conducting surveys, testing our journeys as we develop them and iterating them. And since May, despite the impacts of COVID and issues that we had with research - we obviously haven't been able to go out and actually talk to people face-to-face, we've had to adjust how we work and do everything remotely - but despite that, yeah, we've managed to speak to over 800 end users, as you mentioned, since May. On top of that, it is really important to call out that once something's live, it's not live and then done, so now that we're live with the first steps of authentication, we've also got thousands of users who are now going through the live service and we're getting insights from those people as well. So relying a lot on our feedback form and also the analytics that runs for our service to better understand, "OK, so these are real people, using it in a real-life scenario: how is it working for them, and working, we keep improving it." So it's kind of that balance of we're doing a lot of the research with people to help prep them, optimise before we go live. And then as it's live, we're still monitoring it and trying to improve.

Vanessa Schneider: Well, there's a lot of work going into it, I can see, and it's really heartening to hear that you're taking on the lessons from the past. And actually, that probably relates to the work that we're doing with other departments because they have existing identity solutions, don't they, Charlotte?

Charlotte Crossland: Yeah, absolutely. So our approach from gathering insights from service teams in government has been a bit different from doing research with end users - it's a bit of a different dynamic. The real key to this is collaboration. So like other government platform products our users are peers working across government. I've been working with a range of roles, from product people to service owners, researchers, designers, developers, even data [analysts], both across central and local government. And it's been really fundamental to tap into, again, the existing work that's there; digital identity is a well-trodden area across government. It's a fundamental, it's been creating a space of trust and being as open as possible with teams and departments. It's important that we take aspects of that into our approach, not only internally within the programme, but taking that approach externally across government. Yeah, if the whole team is supporting and involved in that session, we have the capabilities and materials to produce really rich, UR [user research], building up that trust and developing relationships is far more important because they're the teams that are building and developing the services themselves in their everyday lives.

Vanessa Schneider: Obviously service teams will have also conducted user research for their services with end users. How did that integrate into sort of your knowledge base?

Lauren Gorton: Yes, so that was a part of the desk research that we did, kind of, in Discovery Alpha. We went through hundreds of different documents to, to try and understand that. But, as well, we've also since had sessions with teams so, the basic digital service, so they have a really good component for certain aspects of the authentication journey. So we're trying to make sure, again, we're not reinventing the wheel. So if things have worked for, for their end users, it's going to work for [our] end users as well. So we've been, we've met with them, tried to understand the component, looked at some of the data behind it and have applied that, aspects of that, to our own journeys as well.

Vanessa Schneider: Neat, and obviously, this could be really interesting for folks, depending on how long we're going to be in these unprecedented times or with the future of work being maybe more remote working: How was it conducting user research while maybe not having direct access to people?

Lauren Gorton: Good question. So, yeah, that's, that's been difficult. I think it was definitely for user researchers, just in general. It's hard if, you know, you're not in the room with them. And something that user research just needs well to do is to have, like, a good rapport with the participants. And it can be hard to try and build that up remotely and so, you know, reassure people and calm them down remotely over a video call. So, yeah, there are different frustrations to it, particularly if someone runs into an issue in the middle of a session. We can see the screen and what they're doing. But if they go onto a different device because they want to search something on the mobile phone, we can't see what they're doing and we can't help them, so that's caused challenges as well. So it's been a big challenge for communication, I think. But there are, there are positives to it as well. It's quite nice to have a video call with someone, they dial in, you run the session, if it goes well, and then you can just dial off, that's the session done. You can go, go grab a coffee, [laughs] to then try and absorb what you've just learnt. So yeah, there are nice things to it as well.

Charlotte Crossland: Yeah, definitely echo Lauren's point around that interaction, and no matter who you're researching with, whether it's citizens or service teams. It's really difficult to get that rapport up online compared to in-person, where you can read people's body language, their tone, it's a very different dynamic. And I think what's I've learnt the most about doing research with service teams is that they are our peers and, as we've mentioned before, digital identity is a well-trodden area, and it's about collaboration as much as it is user research with those power dynamics that are often associated with it. I think as well, on the analysis side, so we're really fortunate to have tools that really help bridge those gaps from doing analysis in-person to remote ways. They've yeah, they've been so valuable.

Lauren Gorton: Charlotte's raised a really good point there as well, which I totally missed, but afterwards with our colleagues when we're trying to, like, go through what we've learnt in the session. That's been super hard as well because we're not all just sat around the table together with notes and writing on a whiteboard. So yeah, that's been a real struggle as well.

Vanessa Schneider: I think that a lot of listeners can relate to the difficulties that you face, the challenges that have presented themselves. But it is nice to know that there are some things that have helped or some things that are manageable at least, despite the circumstances. So that's really encouraging. So it's great to see that we've got these partnerships going with other departments. How do these partnerships come about and why is that so important to us?

Charlotte Crossland: Great question. So we're collaborating at multiple levels in government departments, so recently colleagues have kicked off strategic department-level work with the big departments and these will continue to be expanded on. We're also working directly with services at service team-level, as well as clusters of services, to give us a really wide and deep view of requirements. So we've been building on from the robust thinking that– of digital identity that already exists within government. The collaboration has shaped the programme thinking, so the development of the roadmap, the functionality requirements, to prioritise in specific work, such as exploring low levels of confidence, which our team is currently looking at. So, as mentioned before, in the previous Digital Identity podcast, as well as collaborating externally, we need to reflect internally and learn from Verify. So to do this, we're ensuring inclusivity is at the core of what we're doing. We're not using third-party or private sector identity providers to verify users' identity. We're not taking a one-size-fits-all approach. We're designing for the needs of service teams, so doing research with service teams has really sought to address these last two points. I think one of the key collaborations, for example, the one with DfE [Department for Education] has come about through one of our key findings, actually, so this is around cluster services. So end users of cluster services are likely to see the benefits of a reusable set of credentials more readily as they're able to use the same authentication username and password to access them. So we've spotted clusters in well-known departments like HMRC [HM Revenue & Customs] or the Home Office initially, but we've also found clusters in all sorts of places across government. So users of Companies House, [HM] Land Registry, farmers using Defra [Department for Environment, Food and Rural Affairs] services, drivers using DVLA [Driver and Vehicle Licensing Agency] services, as well as teachers or students using DfE services.

Lauren Gorton: Yes, so with our end user research, we've always been researching around the single sign-on and how that benefits our users. The single sign-on is the solution that we feel best helps to meet other user needs we found in research. But to do so in a way that also meets people's expectations and fits mental models as to how people look at government. So in terms of user needs, like, at its simplest level, our users need to be able to access government services, they come to GOV.UK with a task in mind, and that's kind of what they care about doing [laughs] and all they care about doing. They need to be able to do that without having to understand all the complexities of government and have to try to unpick that. So a user shouldn't have to land on the GOV.UK home page and say, "OK, today I'm trying to do this task. This service owns that task. This service sits in this department and that department uses this sign-in. So I need to go over there and specifically it's these credentials I have to use if I can remember what that-- what those credentials are". So, you know, users shouldn't have to do that. And it's not just the case, you shouldn't have to do it, but it also doesn't fit into how they look at government. So we found in our research, and this is general, because mental models, are general, not everyone thinks this way, but a lot of people, sort of, look at government and they see it as a single entity. We talk about "the" government and, you know, that, that's how people see it. They don't think about all the complexities behind it. And as part of that, we have heard people in research sessions and participants saying, you know, "I expect to just have the one account because I'm dealing with the government. I need a government account to talk to the government". So that's what we've, sort of, had coming out of our research sessions. And whilst we've heard that in research sessions prior to going live, again, since going live, we've also seen some data that also supports this too. So for instance, we have our feedback form, which people using the live service can come to. One of our most common themes in our feedback form is one we call "queries outside of our scope". And that's just basically for anything that's actually to do with a different service. So what we are seeing is a lot of people hitting our journey, going into our feedback forms, and they're leaving this feedback about different services or they're saying, "I can't sign in" and, you know, when we go back to them, we unpick it, it's because they're trying to sign in into, like, a Gateway or a Verify [account], because they want to do something with their tax, for instance, they've, they've come to us in error. So we are seeing in live that this confusion is a problem. It's the same with our analytics as well. We're seeing people coming to our journey, trying to sign in and having to go down those unhappy path routes because they're confused about whether or not they do have an account. And it's one of those things from a user perspective, that so long as there are multiple accounts out there, that confusion will exist to an extent. There's only so much we can do with research and design. So the more services we get onboarded and the more we reduce the number of sign ins, it's kind of the only way to really completely get rid of that confusion for people.

Charlotte Crossland: Definitely, teams that have Sign-in already have seen account confusion from end users, it's a very well-known problem. I think, similarly to Lauren's point around service teams, so authentication and digital identity isn't a straightforward team need. So teams often integrate with identity as part of bigger changes and plans they're going through within their delivery cycle, but related to that. So checking people's identity documents is a really onerous process for service teams and government. It's really costly. Identity checks might not be up to scratch, so ultimately online identity checks could save teams a lot of time and money. It's also important to add to that, the offline routes will always be fundamental, so users and service teams will always need offline routes.

Vanessa Schneider: Yeah, definitely important to stress we're not taking anything away from folks. We're just trying to make it easier. We're trying to make it, one, single safe, reliable, fast and effective way for everyone to log in to government services online. That's the mission. So earlier you mentioned trust, and then you also talked about how our new solution isn't going to use third-party providers to verify people's identities. Is that linked?

Charlotte Crossland: Yeah, so on the identity side, our research has been really addressing exploring service team mental models around digital identity. So really digging into how teams feel and talk about identity, understanding the types of language that they use. Equally, we've been understanding how services decide on the level of confidence of an identity check. So who's involved in that decision-making process? What are the roles and teams in the department that are integral to this? And I think there's a really interesting design challenge of how we can effectively communicate how teams go about choosing an appropriate level of confidence that maps back to GPG 45, or the Good Practice Guide. There's a lot of evidence that shows GPG 45 doesn't equip teams to understand what identity profile or level of confidence is most appropriate. The guidance doesn't explain how this choice will affect a services' end user journey. That wasn't the aim of the guidance, but equally, the level of confidence the service chooses should be informed by the service's risk appetite.

Vanessa Schneider: You did talk about your research reveals there are clusters, for instance, in different departments. Are we working with all of them? If not, why should departments be working with us?

Charlotte Crossland: So it's really that sharing of knowledge and insights and that collaboration that can make digital identity a possibility in government, so teams, practical things that teams can expect from the partnership is like access to the technical documentation that we've been testing, so they've really got to shape what that looks like, they've been able to play around with it. How does that work in their integration environment? It's been really insightful for both parties involved.

Vanessa Schneider: Well, in that case, I really hope more teams will register their interest in the private beta. As after all, as you said, you know, earlier adopters will reap greater rewards in the situation, really shaping what gets done. So Lauren, I know on your side specifically, there was quite an innovative approach with respect to how we use user insight to provide a full picture of the complexities of user lives. Can you explain a little bit more about what that involved?

Lauren Gorton: So that was from our Alpha assessment. So, so during Alpha, rather than using personas, which are the traditional way to basically group your users, we used mindsets instead. So the difference really is that, whilst both tools are used to group your users, you can't focus, unfortunately, on everyone individually, we need a way to, to group our users so that we can see the different types of people using the service, and we can include those in the design process and refer back to it. Personas do that by quite heavily focussing on demographics. So you might create personas where you're having different age ranges from your users represented, represented, different ethnicities, gender - even things like do they have an access need? And then what you do on top of that is say, "OK, so what goals will these different types of users have when they're trying to use a product or service?" So that's how personas work with that very heavy demographic influence. Mindsets are different in that we don't think about demographics at all. Instead, we're trying to group our users based on shared behaviours and attitudes in a, in a particular situation. So mindsets focus much more on the different ways people might behave and the reasons which are driving those behaviours. So sometimes personas are the right tool to use, but there is a risk of things like stereotyping and subconscious bias. And to be honest, just in our, in our context, because our users are everyone in the UK plus international people it is kind of hard to use personas because we'd have to make tens of personas to try and represent that, which just wouldn't be manageable or usable. So we needed a different tool to approach grouping our users to make sure we were designing for everyone. And mindsets kind of naturally [laughs] for researchers are a way to do it. So specifically, we developed our mindsets during Alpha whilst we're doing initial prototype testing. We kept hitting this, the same problem in our journey, that at the point in our journey where we needed users to either create an account or sign in, we were seeing a lot of people choosing to sign in, which was just a bit odd because this was before we'd gone live. So obviously GOV.UK Account was a new account. In theory everyone should be choosing to create an account at that point. And when we spoke to people in the sessions to understand what was happening, what we realised was they were getting confused. They had existing government accounts like a Gateway account or a Verify account, and they were trying to use the credentials from those accounts to, to sign in at that point. They weren't understanding that this was a different type of account and many of the people and different teams in the project looking at different areas of single sign-on, they were seeing the same results as well. So we kind of knew it was a common issue. Naturally we tried to test lots of different variations of the journey to try and resolve that confusion. But the more we were looking at it, the more we could see, there were these, sort of, 5 common groups of participants that we could see coming out of it, and those were the groups that ended up becoming our mindsets. So these mindsets were basically focussing on how much previous experience these participants have of using government services and having government accounts - how confused would they then get at this point in our journey? And really importantly, how were they feeling about that and how were they reacting, what were they saying? So, for instance, participants with very little experience of government services, who didn't have previous accounts, they showed absolutely no confusion at this point in our journey, and their attitude was very much, "OK, fine. If this makes sense, what do I do next?" So those were our clean-slate mindsets, because effectively, that's, that's what that group of users were. But then on the other end of that spectrum, we have participants who, you know, they did have an existing account, like a Gateway account, as an example, and they used it quite frequently. And when they hit this point in our journey, they were getting really confused about what to do. They're trying to sign in, and they weren't understanding our error handling about why they didn't have an account and they were reacting really negatively to it. And there were different reasons why they were reacting negatively. But they kind of all revolve around the issue of single sign-on and the fact that we have multiple sign-ins and accounts that exist today. So for some participants it was the case of, they had a Gateway and it was the only account they'd ever needed because they'd only ever done stuff relevant for Gateway. So they thought that was a single sign-on, and they thought it was a single sign-on because they had the expectation they should only need one account when interacting with government. And for other participants, it was more the case of, they were just frustrated because they'd need to create another account. That's another set of credentials to remember. And they also need to remember where to use those credentials. So, yeah, we found these different groups coming out and ended up with five mindsets overall, which we were then using to input into our design process.

Vanessa Schneider: So you mentioned the Alpha assessment. Can you share a little bit about the feedback that you received?

Lauren Gorton: Yeah, so, so within our Alpha assessment. So we had another user researcher, one from Department for Education, who was our assessor for the user research aspect. So. They were very happy with the mindsets approach. They thought it was a good way to look at user needs and to try and understand our users. So we actually followed that up with a session where we kind of explained mindsets and they did another cross-session where we broke down user needs in a better way. So it was kind of turned into a cross-learning opportunity so that, that was, that was quite nice to do.

Vanessa Schneider: Great, thank you for giving us this overview of mindsets. I was wondering how it might be relevant. How does it strengthen the understanding of complex user needs, maybe beyond single sign-on?

Lauren Gorton: Yeah, definitely. So mindsets they're, they're not unique to single sign-on, they're a really nice tool to use if you want to group users in a different way to personas. So how mindsets were most helpful for us, is, you know, we had a problem that we were trying to understand better why this problem was happening, why people were behaving that way and the reasons driving it. So with our mindsets, they were really useful in designing error scenarios in particular. So we knew, “OK, we've got these groups of users. And at this point in our journey, this group in particular is going to struggle. And the reasons why they're struggling is this. So do we need to put content here to help? Do we need to change the design pattern? If we do that, is that going to impact a different group of mindset?” So it gave us that kind of better picture of how to design with our users in mind and also really help with our user needs as well. So we already had our list of user needs that we had insight on, so we could sort of look at those user needs and say, "OK, do any of these apply more strongly to different mindsets? Therefore, do we need to think about those needs more so when designing for this particular group" and in reverse, we could also say, "OK, now we have these mindsets and we're understanding a bit better why people are behaving the way they are. Can we now see new user needs that we missed before?" So yeah, it's a really nice tool to use that is a general tool. So it goes beyond single sign-on and is really a good way for other government teams to, to better understand the way people will behave and the reasons why.

Vanessa Schneider: You've done user research with citizens now, you've done user research with other departments. How does it feed into the development of the programme?

Lauren Gorton: Yes, so one of our next deliverables in the authentication team will be around account recovery journeys. To create a GOV.UK account, you need to link it to a mobile phone number so that you can authenticate with SMS codes. So when we went live with our MVP [minimum viable product] in October, we knew that account recovery was missing, as a gap for anyone who then loses access for their mobile phone. So it was kind of on our radar as being something that we, we knew we need to-- needed to address at some point after October. Since going live, we have our feedback form, which is one of the best ways for research to really feed into that sort of roadmap and what to work on next. And yeah, in our feedback form we're getting the feedback from people that they are hitting this issue. So that was something that was already planned to do because we'd identified it as a design gap. But the feedback form is helping us to say yes, no, this is definitely a right priority to pursue because people are experiencing that in live. And similarly, also on the themes of mobile codes: again, the feedback form data is also now telling us that the codes are an issue for anyone who lives in a poor signal area and people with international phone numbers, so that's helped us to identify, "OK, actually this is, this is also our next priority the team needs to pick up". So, yeah, we've done some extensive desk research on an alternative to mobile codes, including looking at the whole cyber aspect and security. And we're now doing the design work to introduce an alternative to SMS codes that we can add in as an option for anyone who's either struggling as, as they've told us in our feedback form or who just, they would prefer to use an alternate option.

Charlotte Crossland: Yeah, so I guess our work feeds into both the authentication and the identity product, so our work stream is really committed to delivering and inviting service teams into that auth[entication] onboarding journey. So we're now accepting private beta partner requests for service teams and central government. We'll also be doing groundwork around how to add an account to that onboarding journey, and we'll be looking to publish the technical documentation live on the product page. We're also feeding into the identity stream of the programme as the identity onboarding journey will follow in the third quarter of 2022. So we're really doing that groundwork of developing materials to help teams make decisions around identity strengths, around levels of confidence. And this will ultimately play a central part to that identity onboarding journey. And I think it's not just a one-way approach, so we've been working with identity experts within the programme as well to create an identity tool which uses questions and answers to help teams understand what identity strength could be appropriate for their service. So that's helping us really to bridge that gap between the guidance that is already out there and helping teams make decisions and initial feedback from research has been really fascinating. So by translating some of the logic that GPG 45 sits on, we've been using that and turning it into a really more interactive and accessible format for teams. And we're seeing teams really play around with the tool, and it's really empowering them to consider what solution might be most appropriate for their service. And we're also seeing how these materials could help teams navigate conversations with security or risk teams within that department.

Vanessa Schneider: Brilliant, so you had mentioned the registration for the private beta. How exactly do folks get involved? What are the steps they've got to go through?

Charlotte Crossland: So the easiest way to get involved is to go to sign-in.service.gov.uk. You'll see the GOV.UK Sign-in product page and there'll be a section there saying "Register your interest". So whether you're interested in log-in and authentication or identity, you go to that form and fill it out and then we'll be in touch. And then from there, we'll do a half-hour chat to understand your service at a high level and you'll be then in our pipeline, where you'll be triaged to the relevant next steps.

Vanessa Schneider: So if you're part of a service team in government and if all of this has piqued your interest, get in touch. And if you want to go back to the previous episodes on digital identity and other topics, you can listen to all episodes of the Government Digital Service podcast on Spotify, Apple Podcasts and all other major podcast platforms and the transcripts are available on Podbean. Goodbye.

Lauren Gorton: Bye.

Charlotte Crossland: Bye.