Skip to main content

https://gds.blog.gov.uk/2022/08/24/an-update-on-one-login-for-government/

An update on One Login for Government

The mission patch for the launch of the One Login identity app shows 2 bees next to each other, with August 2022 identifying the date it marks.

Our mission to build one fast, simple and secure way for people to access government services is both relatively straightforward, and hugely complex. Validating somebody’s identity so they can access services is mostly a ‘solved problem’ across government. Patterns and processes have grown up over time, and people are able to prove their identity, even though their experiences might be suboptimal, and they might face different hurdles and repetitive steps for different services. But here’s the thing: no one department or service is doing it all well.

It’s been nearly a year since I became the Single Responsible Owner of the One Login for Government programme, and it’s true when they say that time flies when you’re having fun. I can’t believe it’s been a year already! I remember arriving last September and giving my first ever external-facing presentation and now we’ve got products in beta, a packed dance card for services who want to work with us, and we are well on our way to building up the product suite that our government partners have asked for.

So what are my reflections and what have I learned? First of all, the Government Digital Service, or GDS, is a great place to be. It’s full of bright, enthusiastic people who care passionately about what we’re doing and making our single sign-on and identity-checking solution as easy to use and inclusive for users as we possibly can. There’s a great sense of purpose and real buzz in the air.

Delivering at pace

So, really, my first job was to work out what already exists and negotiate myself to a position of being able to ‘steal with pride’ the excellent work that’s gone on in other departments in this area.

As one of my key stakeholders said to me, “If you can bring the best of the best under one product set, you’re all set, you’ll be the market leader in government”. So that’s what we’re working towards… at pace!

We’ve got an initial version of our browser-based route - with a passport check and knowledge-based verification - in limited beta with our partners, the Disclosure and Barring Service. We’ve got an identity-checking app for people with driving licences in beta with HMRC for Government Gateway users, and credible plans for passports and Biometric Residence Permits to be added soon. We’re actively working on digital vouching, a face-to-face route, and new knowledge-based verification question sets that leverage government data – all of which will make identity checks more inclusive.

We’re most definitely underway in terms of delivery. We’re building the things that departments have told us they need and we’re standing on the shoulders of all the great work and research that’s already been done across government, so we’re not starting from scratch.

Understanding what success looks like

That’s the relatively straightforward bit. Working with departments to migrate their services in a way that makes sense for them and their users is the complex bit – particularly if you don’t want everyone you migrate to have to prove their identity again.

The legacy and diversity of identification methods across government means that there’s quite a lot of analysis work to be done to map existing processes to the Good Practice Guide (GPG) framework and understand the relative levels of assurance they need. There’s a trade-off between the veracity of the process and the percentage of people who will get through it, so departments have set their assurance levels in light of this.

We’ve spent a lot of time working to understand what’s really important to users and departments, and then building our roadmap and plan to focus on these key metrics. This has been really interesting because departments all have slightly different success criteria, and within their own organisations have optimised around different things based on their user groups.

One thing that does seem to be consistently important is the percentage of eligible users who make it through an identity verification route successfully. More on this in a subsequent blog post, no doubt, but working to understand different service needs and the implications of variations of numbers of users via different channels has been really helpful in determining our near-term goals.

So, we’ve made big steps forward in terms of building the things that departments have asked for, and this will remain our core focus for the next six months at least. However, in parallel, we’re starting to work through the complexities of user migration, how our account functionality needs to work, and how we can start to reuse identities verified in one place to access services in another.

We’re also thinking about how we can start to influence user behaviour when they’re on GOV.UK, so that being ‘logged in’ becomes a default behaviour, because it ‘unlocks’ other things and improves user experience.

It’s been a great first year and I’m looking forward to the next one!

If you work on a public government service with authentication and/or identity validation needs, get in touch with our team.

Sharing and comments

Share this page

10 comments

  1. Comment by Simon posted on

    Hi, Interesting read, my comment is slightly off topic. I can see the initial focus on central government. The public expect local government to share some commonality - not necessarily one central/local Login, but to work in the same way. You'd increase the take-up rate of GDS functionality and return from investment if some of the underpinning APIs could be exposed for wider use both in the wider public and private sectors. For example: DVLA has told me it has no API to validate driving licences - but think of all the systems that would use it in their anti-money laundering verification, benefitting both efficiency and helping combat fraud.

    • Replies to Simon>

      Comment by Natalie Jones posted on

      Hi Simon,

      We agree there is value in a consistent approach across central and local government. Right now, we’re focused on central government but this is something we’re keen to explore in the future and we continue to work with local government representatives.

      Thanks,
      Natalie Jones

  2. Comment by Adrian Field posted on

    GPG45 refers to levels of confidence as L/M/H/VH, but GOV.UK Sign In is using Vectors of Trust, which is a different standard (IETF RFC8485).

    Will GOV.UK Sign In be aligned to GPG45 and the DCMS DIATF framework in the future?

    • Replies to Adrian Field>

      Comment by Natalie Jones posted on

      Hi Adrian,

      We use open standards and the term ‘level of confidence’ consistently as we have found this helps integrating services understand its purpose.

      The Vectors of Trust standard provides a good way to communicate several aspects of a digital identity transaction, including the level of confidence. We represent the level of confidence as the ‘Identity Proofing (P)’ component dimension in the vector.

      You can read more about this in our technical documentation on the product page.

      We are working closely with DCMS to make sure the trust framework and One Login for Government solution align.

      Thanks,
      Natalie

      • Replies to Natalie Jones>

        Comment by Adrian Field posted on

        This doesn't answer my question; GPG45 and VoT are two different open standards, with inconsistent use of 'level of confidence' across the two standards. This is not alignment and will cause differences in expectations.

        Will One Login adopt GPG45 in the future (and move away from VoT)?

        • Replies to Adrian Field>

          Comment by Natalie Jones posted on

          Hi Adrian,

          GPG45 is a guide to proving and verifying someone's identity. It's not a technical standard that's equivalent or incompatible with the Vector of Trust. The VoT standard does propose some definitions for proofing level that may be used. We have aligned to GPG45.

          Thanks,
          Natalie

  3. Comment by David Gardner posted on

    You might want to avoid using terms like 'Beta' as many members of the public that might be reading this may not understand the term. Otherwise - good read.

    • Replies to David Gardner>

      Comment by The GDS Team posted on

      Hi David,

      We appreciate your feedback and have updated the blog post to include a link that explains what Natalie means by “beta”.

      Thanks,
      The GDS Team

      • Replies to The GDS Team>

        Comment by Geoff Simpson posted on

        On the back of David's comment, can you also avoid using words like 'veracity'. Maybe it's just me, but I had to look up what it means. It was an interesting post though.

        • Replies to Geoff Simpson>

          Comment by The GDS Team posted on

          Hi Geoff,

          We try to follow the GOV.UK content design guidance for blogging, which encourages clear and simple language choices, so we recognise and appreciate your point, as we also balance this with the authenticity of the tone of voice of any post’s author.

          Thanks,
          The GDS Team