The Gov.uk One Login system for digital identification has lost its certification under the government’s trust framework. Computer Weekly has learned from a key technology provider to One Login that it allowed its certification to lapse. As a result, One Login was also removed from the official accreditation program.
In the UK, all suppliers of digital identification systems are expected to comply with the Digital Identity and Attributes Trust Framework (DIATF) if any of their software is going to be used in public services.
In December 2024, the Government Digital Service (GDS), a division of the Department of Technology, achieved DIATF approval of One Login, before Peter Kyle announced in January that One Login would be used to verify identity for the Gov.uk Wallet, which will store digital versions of official documents like driving licences.
Kyle’s announcement sent shockwaves through the DIATF supplier community, as the government was now entering the commercial sector to compete with their products.
Nevertheless, the use of One Login is now in question because its DIATF certification has lapsed. The system uses iProov technology as part of its biometric authentication process to verify the identity of users. Last month, iProov did not renew its DIATF certification, so One Login’s registration expired automatically.
According to a government spokesperson, “As we update the beta Trust Framework, providers are required to recertify to show that they meet our requirements. Where this does not occur or they choose to not do so, they are removed.”
“Why is the government’s flagship system for digital identity failing to meet standards?” Tim Clement-Jones, Liberal Democrats
The Data (Use and Access) Bill is currently being debated in Parliament and will introduce the necessary legislation to make One Login a statutory service. The system has been in operation since 2022, and has already attracted six million users.
An iProov spokesperson said: “iProov has a number of certifications, both internationally and in the UK, which we review regularly against customer requirements. After a standard review our Trust Register [DIATF] certificate was allowed to expire. We will recertify to meet customer requirements.”
One Login’s loss of certification follows a series of revelations about data and security concerns surrounding the system.
GDS received warnings from the Cabinet Office and the National Cyber Security Centre in September 2023 that the One Login digital identification system had “serious” data protection failures and “significant” information security flaws that could increase the risks of data breaches and ID theft.
GDS stated that the concerns were “outdated” and arose when the technology was “in its infancy in the year 2023” even though One Login was being used to support live services at the time. “We have addressed all these concerns, as evidenced in multiple independent external assessments,” a spokesperson said, adding that any suggestion to the contrary is unfounded.
Computer Weekly revealed that One Login has not yet fully met NCSC guidelines. The system only meets 21 of the 39 outcomes listed in the NCSC Cyber Assessment Framework – an improvement on the five outcomes that it successfully followed one year ago.
However, the fact that One Login was found to have serious cyber security and privacy issues, then a lack of compliance with NCSC guidelines, and has now lost its DIATF certificate raises significant concerns about the use of One Login in critical digital public services.
Tim Clement-Jones is the Liberal Democrats’ digital spokesman. He said: “How can the government’s flagship system for digital identity fail to meet standards, when it is expected to soon form an essential component of our immigration control? We need answers quickly.”