Computer Weekly has learned that a key technology supplier to One Login chose to allow its certification to lapse, and as a result, One Login has also been removed from the official accreditation scheme.
All suppliers of digital identity systems in the UK are expected to comply with the Digital Identity and Attributes Trust Framework (DIATF) if their software is to be used for any public services.
For example, companies that wish to provide identity verification for services such as right to work, right to rent or the Disclosure and Barring Service for vetting individuals must conform with DIATF. More than 50 online government services already use One Login, and further services are planned that will expand the scope of DIATF registration. Currently, more than 50 products have received certification against the framework.
The Government Digital Service (GDS) achieved DIATF approval for One Login in December 2024, ahead of the announcement by technology secretary Peter Kyle in January that One Login would be used for identity verification for the forthcoming Gov.uk Wallet, which will store digital versions of official documents such as driving licences.
Kyle’s announcement caused shockwaves among existing DIATF suppliers, which saw the government entering the commercial sector and potentially competing with their products.
However, the use of One Login must be called into question while its DIATF certification has lapsed. The system uses technology from supplier iProov as part of the biometric authentication process for users proving their identity. Last month, iProov failed to renew its DIATF compliance, so the One Login registration automatically expired.
A government spokesperson said: “As we continue to update the beta Trust Framework, providers are required to recertify themselves to show they meet our requirements – where this does not happen or they choose not to, they are removed from the list.”
The Data (Use and Access) Bill currently going through Parliament will introduce the enabling legislation required for One Login to move from “beta” status to a statutory service. However, the system has been in use since 2022 and already has six million users.
A spokesperson for iProov said: “iProov holds a number of certifications, both in the UK and internationally, which we regularly review against customer requirements. Following a standard review, our Trust Register [DIATF] certification was allowed to lapse. We will look to recertify in line with customer requirements.”
The loss of One Login’s certification follows a series of revelations about security and data protection concerns around the system.
GDS said the concerns were “outdated” and arose “when the technology was in its infancy in 2023”, despite One Login being used at that time to support live services. “We have worked to address all these concerns as evidenced by multiple external independent assessments. Any suggestion otherwise is unfounded,” said a spokesperson.
The One Login development team is also yet to fully implement the government’s Secure by Design practices, although GDS says the system “meets these principles”.
But the fact that One Login has been shown to have had serious cyber security and data protection issues, followed by a lack of full compliance with NCSC guidelines, and now losing its DIATF certification, raises significant questions about the use of One Login for critical digital public services.
Peer Tim Clement-Jones, the Liberal Democrat digital spokesman, said: “How is the government’s flagship digital identity system failing to meet standards so badly, given that it is expected to shortly form an essential part of our immigration controls? We need answers and quickly.”
According to the Government Cyber Security Standard, all critical IT systems must conform with CAF and Secure by Design Principles, while DIATF certification is mandatory for digital identity systems linked to public services.