The government’s Gov.uk One Login digital identity system has lost its certification against the government’s own trust framework for digital identity systems.
Computer Weekly has learned that a key technology supplier to One Login chose to allow its certification to lapse, and as a result, One Login has also been removed from the official accreditation scheme.
All suppliers of digital identity systems in the UK are expected to comply with the Digital Identity and Attributes Trust Framework (DIATF) if their software is to be used for any public services.
For example, companies that wish to provide identity verification for services such as right to work, right to rent or the Disclosure and Barring Service for vetting individuals must conform with DIATF. More than 50 online government services already use One Login, and further services are planned that will broaden the scope of DIATF registration. Currently, more than 50 products have received certification against the framework.
The Government Digital Service (GDS) achieved DIATF approval for One Login in December 2024, ahead of the announcement by technology secretary Peter Kyle in January that One Login would be used for identity verification for the forthcoming Gov.uk Wallet, which will store digital versions of official documents such as driving licences.
Kyle’s announcement caused shockwaves among existing DIATF providers, which saw the government entering the commercial sector and potentially competing with their products.
However, the use of One Login must be called into question while its DIATF certification has lapsed. The system uses technology from supplier iProov as part of the biometric authentication process for users proving their identity. Last month, iProov did not renew its DIATF compliance, so the One Login registration automatically expired.
A government spokesperson said: “As we continue to update the beta Trust Framework, providers are required to recertify themselves to show they meet our requirements – where this doesn’t happen or they choose not to, they are removed from the list.”
The Data (Use and Access) Bill currently going through Parliament will introduce the enabling legislation required for One Login to move from “beta” status to a statutory service. However, the system has been in use since 2022 and already has six million users.
A spokesperson for iProov said: “iProov holds a number of certifications, both in the UK and internationally, which we regularly review against customer requirements. Following a standard review, our Trust Register [DIATF] certification was allowed to lapse. We will look to recertify in line with customer requirements.”
The loss of One Login’s certification follows a series of revelations about security and data protection concerns around the system.
GDS was warned by the Cabinet Office in November 2022 and the National Cyber Security Centre (NCSC) in September 2023 that its One Login digital identity system had “serious data protection failings” and “significant shortcomings” in information security that could increase the risk of data breaches and identity theft.
GDS said the concerns were “outdated” and arose “when the technology was in its infancy in 2023”, despite One Login being used at the time to support live services. “We have worked to address all these concerns as evidenced by multiple external independent assessments. Any suggestion otherwise is unfounded,” said a spokesperson.
However, Computer Weekly also revealed that the One Login team has yet to fully meet NCSC guidelines – the system only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully adopted a year ago.
The One Login development team is also yet to fully implement the government’s Secure by Design practices, although GDS says the system “meets these principles”.
But the fact that One Login has been shown to have had serious cyber security and data protection issues, followed by a lack of full compliance with NCSC guidelines, and has now lost its DIATF certification, raises significant questions about the use of One Login for critical digital public services.
Peer Tim Clement-Jones, the Liberal Democrat digital spokesman, said: “How is the government’s flagship digital identity system failing to meet standards so badly, given that it is expected to shortly form a vital part of our immigration controls? We need answers and quickly.”
According to the Government Cyber Security Standard, all critical IT systems must conform with CAF and Secure by Design Principles, while DIATF certification is mandatory for digital identity systems linked to public services.