Gov.uk One Login yet to meet government cyber security standards for critical public services

The government’s flagship digital identity system still does not fully conform to key national security standards three years after launch, while questions remain over whether historic security problems have been resolved

The Government Digital Service (GDS) has yet to achieve conformance with key national cyber security standards for its Gov.uk One Login digital identity system, nearly three years since security concerns were first raised.

The One Login team is still working to fully meet National Cyber Security Centre (NCSC) guidelines. Computer Weekly has learned that the team only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully followed a year ago.

CAF is designed for “making critical national services resilient to [cyber] attack”, according to the government. It was developed by the NCSC to provide a “comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible”. CAF is part of GovAssure, a cyber resilience review process run by the Government Security Group (GSG), which was launched in April 2023.

One Login is intended to become the primary way for citizens to access online public services. In 2022, the business case for One Login, which was used to justify over £330m of spending on the project, said the system was “underpinned” by CAF – a claim that must be called into question if only five measures were in place as recently as 2024.

Recently assessed

CAF includes 39 “contributing outcomes”, each with a number of lower-level “indicators of good practice” (IGPs). Systems are rated on a binary basis, whereby failing to meet one IGP results in not meeting the overall outcome, even if all other related IGPs have been met. 

One Login was recently assessed as part of a GovAssure review, which found that in the space of a year, the GDS digital identity team had moved from meeting only five of the 39 CAF outcomes to 21.

GDS says CAF assessors noted One Login’s “understanding of cyber security” and that plans are in place to achieve the “exceedingly high standards” of CAF conformance by the end of the year.

Nonetheless, One Login has been live since June 2022, and with more than three million users, it is precisely the sort of critical system for which the “very robust levels of cyber security and resilience” required by the NCSC in establishing CAF should apply.

Furthermore, the Government Cyber Security Standard mandates that all digital services should comply with Secure by Design (SBD) Principles. Computer Weekly has learned that the GDS digital identity team is also yet to fully implement SBD, although GDS says the system “meets these principles”.

GDS was due to go live with SBD by January this year, but has delayed its full implementation until at least October.

This led to the Ministry of Defence asking questions of the One Login team about SBD conformance as part of plans to store an electronic version of its Armed Forces Veterans Card in the Gov.uk digital wallet.

GDS says formal accreditation against the Secure by Design framework does not yet apply to One Login and that while such accreditation cannot currently be formally secured, it is “inaccurate to report” that GDS or One Login does not meet Secure by Design Principles.

Historic problems

However, the concerns over One Login’s overall conformance with NCSC and GSG guidelines come soon after the disclosure of historic security problems in One Login.

Computer Weekly revealed earlier this month that One Login had received warnings about “serious data protection failings” and “significant shortcomings” in cyber security from the Cabinet Office and the National Cyber Security Centre – including a recommendation in November 2022 that the live system should be suspended.

Following those warnings – and earlier issues flagged by a security expert who has since turned whistleblower in an attempt to raise the concerns more widely – a team led by GDS chief information security officer (CISO) Breandan Knowlton conducted an internal risk audit in October 2023 to assess the severity of the issues.

GDS has now responded to those claims with a detailed breakdown of how the problems identified in 2022 and 2023 have been addressed (see table below), but questions remain over why the service was allowed to go live with known security risks.

A government spokesperson said: “The concerns captured are outdated and summarise an initial view from when the technology was in its infancy in 2023. We have worked to address all these concerns as evidenced by multiple external independent assessments. Any suggestion otherwise is unfounded.

“Gov.uk One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident response. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.”

Peer Tim Clement-Jones, the Liberal Democrat spokesman for the digital economy in the House of Lords, has submitted a series of Parliamentary questions to the Department for Science, Innovation and Technology asking for details of the security surrounding One Login. He expressed further concerns about the current cyber security conformance of the system.

“Given that One Login is intended to be the key way of accessing public services online, this is deeply concerning. Are we about to see another Verify fiasco? Ministers need to take a direct grip of this,” he said.

CISO review

Computer Weekly has seen details of the GDS CISO’s 2023 review findings, which listed a series of risks and rated each of them from “low” to “extremely high”. We asked GDS to provide an update on each of the risks based on their status today, which is detailed in the table below.

Anecdotal evidence from sources close to consultancy 6point6, which was brought in to support the One Login team for security assurance, paints a picture of a team that previously had insufficient security knowledge, weak controls and few standards.

GDS’s claims of progress in resolving One Login’s security problems suggest the situation has improved and that issues are being addressed – but questions remain about how and why One Login was originally allowed to go live with known issues and lacking conformance with key government standards expected of all critical online public services.

The whistleblower – who Computer Weekly has agreed not to name, but who has many years of cyber security experience and worked in a senior information security management role at GDS – said it is “not possible” to confirm whether any historic or current security problems have been resolved without independent verification of GDS’s response.

“The unverified claim to have achieved 21 out of 39 contributing outcomes in CAF cannot be believed and the true score will only be known if operationally independent assurance is allowed full access to the One Login programme,” he said.

GDS update on 2023 One Login cyber security risk report

The following table lists the risks identified by the GDS chief information security officer (CISO) in an October 2023 review of the One Login digital identity system, the CISO's initial assessment of each risk level, and the revised risk level agreed after consultation with the GDS digital identity team responsible for One Login.

The final entry for each risk is GDS's response when asked by Computer Weekly to provide an update on its status. These responses have not been verified by Computer Weekly and are reproduced as provided by GDS.

Each entry below gives: the risk reported by the GDS CISO in October 2023; the CISO's initial assessment; the revised assessment after consulting with the GDS Digital ID team; and the GDS response in April 2025.

Risk: Information assurance (IA) recommended controls for end-user devices not applied
Assessment: High (initial); High (revised)
GDS response: Controls have since been put in place.

Risk: Excessive numbers of GitHub administrators
Assessment: High (initial); High (revised)
GDS response: The number of GitHub administrators represents a very small proportion of those who work on the programme.

Risk: Secure by Design has been an afterthought in the DI project
Assessment: High (initial); Medium (revised)
GDS response: This was resolved in 2023 when we introduced a standard set of security deliverables to facilitate a Secure by Design approach across Gov.uk One Login, aligning to the current Gov.uk Secure By Design checklist. This was applied to all new and existing functionality.

Risk: Excessive interactive logins to Production Environments
Assessment: High (initial); High (revised)
GDS response: There is logging of all actions in production for audit purposes. Our approach to managing this aligns alerting rules with industry standards such as MITRE ATT&CK for comprehensive detection.

Risk: Changes made to code are not all through CI/CD pipelines rather than interactively
Assessment: Extremely High (initial); Extremely High (revised)
GDS response: CI/CD pipelines have always been used and there was migration to a centralised pipeline that was completed in late 2023, except for one component which is still migrating and due to be completed in two months. Mitigations for this migration are in place and include ongoing security assessments using static and dynamic application security tooling.

Risk: Access to Production is being performed by non-SC [Security Check] cleared individuals
Assessment: Extremely High (initial); High (revised)
GDS response: There is no access to production for non-SC cleared individuals. The programme has adopted a higher standard than typical government programmes to require SC clearance for access to production.

Risk: Overseas staff have access to Production Environments
Assessment: Extremely High (initial); Medium (revised)
GDS response: There are no overseas staff with access to production.

Risk: Code written by overseas staff is not being reviewed by UK-based SC-cleared personnel
Assessment: Extremely High (initial); Medium (revised)
GDS response: Any code that was produced by overseas staff was subjected to a review by SC-cleared staff in the UK before it was deployed to production.

Risk: AWS native security tooling is reporting 520,000 vulnerabilities ranging from “low” to “critical”
Assessment: High (initial); High (revised)
GDS response: This number is highly misleading and is from a period where we had just deployed a new tool and were running it in debug mode while we tuned it. Upon completion of the analysis, the number of valid alerts was around 0.07% of the figure shared. All “critical” and “high” alerts have been remediated since then.

Risk: AWS Config is set to show vulnerabilities at “medium” but some may be higher
Assessment: Medium (initial); Medium (revised)
GDS response: We have since used multiple sources to check for security vulnerabilities. The alerts from AWS Config were reviewed and, as required, upgraded, tracked and managed as “critical” or “high” findings. New functions have since been established to address alerts in a rapid and robust way.

Risk: Digital Identity team was unprepared to engage with the GDS IA team, who could be providing a more independent second line assurance function
Assessment: Medium (initial); Low (revised)
GDS response: The end-to-end Gov.uk One Login service is penetration tested at least once a year by an independent NCSC CHECK-accredited provider. Internal checks also routinely take place from other teams within GDS.

Risk: Tooling that has not gone through the appropriate assurance process is likely being used on devices outside of GDS control (such as staff-owned devices, external service provider devices)
Assessment: Medium (initial); Medium (revised)
GDS response: There is a “Using software on One Login” process that aligns and integrates with the central GDS “Request new software and view current software” process.

Risk: There is a lack of appropriately skilled security resources working on the DI programme
Assessment: Medium (initial); Low (revised)
GDS response: Our security team is very experienced and capable and possesses a range of qualifications, including NCSC Head Consultants and other industry standard qualifications such as CISSP, SABSA, CRISC, CISM, ISO27001, CIPP/E.

Risk: There is a level of security debt in DI resulting from inadequate security consideration at the outset
Assessment: High (initial); High (revised)
GDS response: We have addressed and are managing security debt. Going forward, as above, we are implementing Secure by Design.

Risk: CAF IGP in B6.a Cyber Security Culture could not be met, IGP one: “Your executive management clearly and effectively communicates the organisation’s cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations.”
Assessment: High (initial); Medium (revised)
GDS response: This risk has been further mitigated with regular communication internally from senior officials. Staff are encouraged to raise questions and concerns, with multiple channels to do so available.

Risk: CAF IGP in B6.a Cyber Security Culture could not be met, IGP two: “People in your organisation raising potential cyber security incidents and issues are treated positively.”
Assessment: High (initial); Medium (revised)
GDS response: Raising potential cyber security incidents is encouraged. This has been evidenced in recent phishing simulations where attacks on targeted individuals did not result in compromise and were quickly reported.

Risk: CAF IGP in B6.a Cyber Security Culture could not be met, IGP five: “Your organisation communicates openly about cyber security, with any concern being taken seriously.”
Assessment: High (initial); Medium (revised)
GDS response: As above.

Risk: CAF IGP in B6.a Cyber Security Culture could not be met, IGP six: “People across your organisation participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise.”
Assessment: Medium (initial); Medium (revised)
GDS response: In addition to the above tests, there are a number of governance forums which collate multiple disciplines, for example a Technical Policy Approval Board and architecture Design Review Board, which work to deliver cross-programme activities which include cyber security.

Risk: An independent second line assurance function is needed for more security and assurance oversight
Assessment: High (initial); Medium (revised)
GDS response: We have conducted multiple independent reviews of security assurance with support and guidance from NCSC for external expert advice in remediation.

Risk: Unilateral creation of a first-line of assurance function which does not share risk reports or details of approved tools & services with GDS IA (trying to act as an independent 2nd line)
Assessment: High (initial); Medium (revised)
GDS response: We work actively across GDS and with NCSC to ensure best practice in assurance, which has been externally validated in the programme’s security assurance approach and capability.

Risk: DI failed to engage GDS IA before launching a service
Assessment: Medium (initial); Medium (revised)
GDS response: This statement is incorrect. We have always sought and actively engaged and consulted the GDS Information Security team.

Risk: The developers with Administrator privileges but without SC include Deloitte staff in Romania.
Assessment: Extremely High (initial); Medium (revised)
GDS response: There were never any developers in Romania with higher levels of privileges or access. In line with the SC policy, there was a two-step code merge process with production code always being reviewed by a UK-based, SC-cleared developer before it was merged.

Risk: Offshoring risk has been improperly transferred
Assessment: High (initial); Medium (revised)
GDS response: A risk assessment was undertaken, in consultation with NCSC, before any offshore development was agreed. The risk is still owned and actively tracked by One Login.

Risk: Estonian and Spanish processing of personal information is also taking place
Assessment: Medium (initial); Medium (revised)
GDS response: Both countries cited are EU countries. The transfer is covered by the UK adequacy regulations.