Skip to main content

Delivering Identity Assurance: You must be certified

Posted by: , Posted on: - Categories: GOV.UK One Login

We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government's Good Practice Guides.

The Cabinet Office has joined a standards certification organisation (tScheme), who will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides.

What does certification mean?

When a provider is certified it means they have demonstrated that they have met standards for providing a trusted, reliable and secure service. Those standards are defined and published by the Cabinet Office and the National Technical Authority (CESG).

Certification will also mean that standards are consistently applied and the identities they prove are reusable across national and local government.


tScheme is an independent, industry-led, self-regulatory scheme. It was set up to create strict assessment criteria, based on industry best practice, for Trust Services (professional assurance and advisory services that address the risks and opportunities of digital technology) such as Identity Assurance.

It’s similar to the US Kantara Initiative, and we are working with both to try and ensure that their certifications are globally interoperable and mutually recognised.

Membership of tScheme is available to all interested sectors of industry, and a broad range of organisations are already represented and contributing to its development.

tScheme particularly welcome the contributions from representatives of end users – people who need to rely on Trust Services.

What does this mean for suppliers?

Certification provides suppliers with a consistent benchmark for their services, and gives them confidence that their services are robust and reliable. It is how government, and users, will know that the suppliers can be trusted.

Organisations who play a part in a process like Identity Assurance must be trusted to protect and manage user data, and users must remain in control of the data they disclose and how it is used.

Sharing and comments

Share this page


  1. Comment by simonfj posted on

    Hey Steve,

    Just a quick note, as I'm not sure whether you're aware of what's happening on the research networks. It's a fairly long video, But it touches on what you're doing with the cloudstore (about 3/4 of the way in). Federated services is taken for granted. Might be useful to look at the global open research/government approach.

    One thing would be useful, as a post, is how you expect local, and national, government services to align around the user. And where will the user's files be stored, especially for the health stuff. I'm still a bit lost on the UK approach to IDA. I can't help but feel the design got knocked off track by some well-intention privacy experts.

    I know we might get a single sign to a bunch of services, whereas I've never seen a discussion about personalization. So I know what is to be delivered won't be up to a Google user's expectations. But you'll never satisfy everyone. Regardless, it's all your fault 🙂 not mine for a change)

  2. Comment by Mani posted on

    What will be role or strengths of each individual supplier? Also where can I read about Identity Assurance framework?

    • Replies to Mani>

      Comment by stevewreyford posted on

      Thanks for your questions,

      Information about the framework should be available on the Government Procurement Service website shortly.

      Regarding the role or strengths of the suppliers, all suppliers who are successfully called off the framework to provide ID Assurance services will need to provide a service in line with the standards as laid out in our Good Practice Guides. As long as the standards can be met and the supplier certified by our recognised Assessors (see this post) we have not specified any preferred solution by which the provider will assure the identity with the user. This will enable us to benefit from innovation and allow novel and SME providers to participate in the future.

  3. Comment by stevewreyford posted on

    Thanks for your reply,

    We (IDAP) are currently building a single platform that any department which wants to can use. As departments come on board, users will (subject to their choice) be able to use a single log on to access multiple services.

  4. Comment by baragouiner posted on

    Page 16 of the HMRC Digital Strategy says:
    "The HMRC Digital Solutions Programme (DSP) will deliver a government wide capability that implements a package of measures including new identity verification processes that proves that customers are who they say they are."

    How does this HMRC work relate to the DWP work on identity for Universal Credit?

    • Replies to baragouiner>

      Comment by stevewreyford posted on

      Thank you for your comments.

      Regarding the provider's certification, being on the supplier framework does not guarantee an active (call-off) contract. The award of a call-off contract and the provision of identity services by a supplier will depend on the supplier meeting certain requirements, including certification.

      The HMRC work relates in the same way as any central government department wanting to access online identity assurance services. These services are being created as a cross-government 'platform' that will benefit users by being reusable for any online government service requiring proof of identity.

      Hope this answers your questions.

      • Replies to stevewreyford>

        Comment by baragouiner posted on

        Thanks Steve.

        Sorry - I'm sure I'm making a balls-up of understanding this. Why are HMRC and DWP building their own 'platforms' that any online government service requiring proof of identity can use? I thought that the DWP / Universal Credit work was THE platform that all other departments would use. Are you saying that there'll be multiple platforms? With a single log in?

  5. Comment by baragouiner posted on

    Possibly a silly question - and I may not be reading the article correctly - but shouldn't the providers be certified *before* being appointed?