One Login 18 steps short of complying with UK national cybersecurity framework

Gov.uk One Login is struggling to meet the cybersecurity framework the Government Digital Service (GDS) says underpins it, a new report states, which calls into question the wisdom of expanding the programme into new use cases such as private-sector digital identity interactions.
The One Login system was introduced in 2021 as a single sign-on (SSO) digital identity platform for access to public services. A 2022 business case said it was underpinned by the Cyber Assessment Framework (CAF) managed by the National Cyber Security Centre (NCSC). The government set aside £330 million to bring the system to production.
The CAF specifies 39 outcomes that organisations should achieve to be resilient against cyber attack. One Login currently meets only 21 of them, according to a Computer Weekly report based on a review carried out under GovAssure, the government's cybersecurity assurance scheme.
That is an improvement on the five outcomes met as of 2024, Computer Weekly says.
Each of the 39 outcomes is broken down into "indicators of good practice" (IGPs), and an outcome is assessed against those indicators: all of them must be present for the outcome to count as achieved.
The report details a history of warnings about the system’s security, and notes that the GDS has pushed back the completion target for its implementation of Secure by Design Principles from January to October.
The 2025 response from GDS to the One Login cybersecurity risk report shows that of five "extremely high" risks assessed in 2023, three have been downgraded to "medium," one is now rated "high," and one remains "extremely high." Of 12 "high" risk areas, seven have been reduced to "medium," while the other five remain "high."
The introduction of the Gov.uk digital wallet and the certification of One Login under the Digital Identity and Attributes Trust Framework has sparked concern among private-sector digital ID and biometrics providers, and prompted calls for the project's scope to be limited.
GovAssure and the targeted improvement plan
Cybersecurity assurance scheme GovAssure was launched in 2023 to replace and extend the functions of the Departmental Security Health Check, according to a promotional video produced by the Cabinet Office in the year of its launch.
The video describes the outcomes-based approach of GovAssure and the five-stage assessment process it uses. The independent assurance review is the fourth stage in the process and is carried out by an accredited independent assessor. The final stage is the production of a technical report with a "targeted improvement plan."
“This plan will be a useful tool for organizations to make the case for more resources, for vital improvements and to track progress,” says Government Security Group Cyber Assurance and Engagement Lead Lucy Dobson.
Perhaps One Login needs more resources. Perhaps it needs more time. Perhaps it needs more focus.
Article Topics
cybersecurity | digital identity | GovAssure | government services | One Login | UK