The government’s Gov.uk One Login digital identity system has lost its certification against the government’s own trust framework for digital identity systems.
Computer Weekly has learned that a key technology supplier to One Login chose to allow its certification to lapse, and as a result, One Login has also been removed from the official accreditation scheme.
All suppliers of digital identity systems in the UK are expected to comply with the Digital Identity and Attributes Trust Framework (DIATF) if their software is to be used for any public services.
For example, companies that wish to provide identity verification for services such as right to work, right to rent or the Disclosure and Barring Service for vetting individuals, must conform with DIATF. More than 50 online government services already use One Login, and further services are planned that will expand the scope of DIATF registration. Currently, more than 50 products have received certification against the framework.
The Government Digital Service (GDS) achieved DIATF approval for One Login in December 2024, ahead of the announcement by technology secretary Peter Kyle in January that One Login would be used for identity verification for the forthcoming Gov.uk Wallet, which will store digital versions of official documents such as driving licences.
Kyle’s announcement caused shockwaves among existing DIATF suppliers, which saw the government entering the commercial sector and potentially competing with their products.
However, the use of One Login must be called into question while its DIATF certification has lapsed. The system uses technology from supplier iProov as part of the biometric authentication process for users proving their identity. Last month, iProov failed to renew its DIATF compliance, so the One Login registration automatically expired.
A government spokesperson said: “As we continue to update the beta Trust Framework, providers are required to recertify themselves to show they meet our requirements – where this does not happen or they choose not to, they are removed from the list.”
How is the government’s flagship digital identity system failing to meet standards so badly? Tim Clement-Jones, Liberal Democrats
The Data (Use and Access) Bill currently going through Parliament will introduce the enabling legislation required for One Login to move from “beta” status to a statutory service. However, the system has been in use since 2022 and already has six million users.
A spokesperson for iProov said: “iProov holds a number of certifications, both in the UK and internationally, which we regularly review against customer requirements. Following a standard review, our Trust Register [DIATF] certification was allowed to lapse. We will look to recertify in line with customer requirements.”
The loss of One Login’s certification follows a series of revelations about security and data protection concerns around the system.
GDS was warned by the Cabinet Office in November 2022 and the National Cyber Security Centre (NCSC) in September 2023 that its One Login digital identity system had “serious data protection failings” and “significant shortcomings” in information security that could increase the risk of data breaches and identity theft.
GDS said the concerns were “outdated” and arose “when the technology was in its infancy in 2023”, despite One Login being used at that time to support live services. “We have worked to address all these concerns as evidenced by multiple external independent assessments. Any suggestion otherwise is unfounded,” said a spokesperson.
However, Computer Weekly also revealed that the One Login team has yet to fully meet NCSC guidelines – the system only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully followed a year ago.
The One Login development team is also yet to fully implement the government’s Secure by Design practices, although GDS says the system “meets these principles”.
But the fact that One Login has been shown to have had serious cyber security and data protection issues, followed by a lack of full compliance with NCSC guidelines, and now losing its DIATF certification, raises significant questions about the use of One Login for critical digital public services.
Peer Tim Clement-Jones, the Liberal Democrat digital spokesman, said: “How is the government’s flagship digital identity system failing to meet standards so badly, given that it is expected to shortly form an essential part of our immigration controls? We need answers and quickly.”
According to the Government Cyber Security Standard, all critical IT systems must conform with CAF and Secure by Design Principles, while DIATF certification is mandatory for digital identity systems linked to public services.