One trust question for GOV.UK One Login answered, another raised

Alarming questions about the trustworthiness of the GOV.UK One Login system at the heart of the UK’s plans for a national digital ID are arising as fast as they are answered. The government’s app may soon be certified to its own trust framework, but it is also the preferred method for people controlling companies to verify their identity before next month’s deadline.

Unsecured dev workstations at its core

PM Keir Starmer said during the announcement that the system will have “security at its core,” but risk assessment professionals from the UK civil service discovered contractors in Romania working on the digital ID’s development on unsecured workstations, The Telegraph reports.

This is how a red team from Cyberis was able to take control of One Login’s codebase in a March incident revealed in May.

The team reported the situation to the Government Digital Service (GDS), which reacted by disbanding the risk assessment team. The Telegraph suggests the developer arrangement is usual behavior, as GDS does not have a constant pool of privileged access workstations.

The Department for Science, Innovation and Technology (DSIT) told The Telegraph it has a robust device management policy, and requires the One Login team to use GDS-managed devices “monitored by a central security team to detect any malicious activity.”

GDS’ move from the Cabinet Office to DSIT, meanwhile, remains ongoing, with some staff reportedly using multiple laptops.

The incident highlights what some providers certified under the Digital Identity and Attributes Trust Framework (DIATF) have been saying all along: the public will not trust a system in which they are forced to use software developed by the government.

Recertification coming soon

GOV.UK One Login lost its certification under DIATF when its biometric technology supplier iProov allowed its certification to lapse earlier this year. iProov, which works with subcontractors Veriff and Inverid on One Login, said at the time it had allowed the certification to lapse following a standard review, but would recertify.

The company is now close to doing so.

“We can confirm that iProov has met all requirements of the audit for recertification under the UK Digital Identity and Attributes Framework (DIATF),” an iProov representative told Biometric Update in an email. “The successful completion of this audit demonstrates our ongoing commitment to meeting the highest standards of security, privacy, and interoperability required by the UK government. We look forward to the certificate being formally reissued shortly.”

Companies House

Details about how that will work are trickling out of Companies House ahead of the November 18 deadline for new directors to complete identity verification to make their appointment or incorporation of a new company official.

The free “Verify your identity for Companies House” service consists of three options for identity verification: an app, online security questions or the submission of details from a photo ID through GOV.UK One Login, followed by a visit to a participating Post Office for those who need extra support. Those processes that are not carried out directly through GOV.UK One Login must be completed with an “Authorised Corporate Service Provider.”

The process usually takes minutes, Companies House says in a blog post, with ID document checks on the GOV.UK app averaging less than two and a half minutes.

Directors and people with significant control (PSCs) can get help from someone they trust to complete their verification, or use someone else’s device. Companies House also notes the GOV.UK One Login customer service center and technical service desk.

Passport verification through the GOV.UK One Login app is the easiest, according to Companies House.
