Checking users’ identities
You can use GOV.UK One Login to let users prove their identity, as well as signing users in.
Users will prove their identity once. They can reuse this proof to access other services that use GOV.UK One Login. This saves them time and effort.
We currently provide a medium level of confidence
Our current journeys will give you a medium level of confidence in the user’s identity, as defined by the government guidance on how to prove and verify someone’s identity (‘GPG 45’).
It means using our identity checks will lower the risk of you accepting:
- completely made-up or ‘synthetic’ identities
- imposters who do not have a relationship with the claimed identity - for example, someone who has found the claimed identity’s information on social media
- imposters who have information about the claimed identity that’s not in the public domain, for example, someone who works for the claimed identity’s employer’s HR department using information they have got to impersonate the claimed identity
We plan to offer low and high levels of confidence in the future.
Deciding if this level is right for your service
To decide if this level of confidence is right for your service, you need to:
- identify the risks to your service
- check if having medium level of confidence in your users' identities will mitigate them
- consider how this will work with your users' needs
We know this is a complex area. We expect that most services will need to speak to us to confirm whether ‘medium’ is the right choice.
Our onboarding team is ready to answer your questions and work it out with you. You can get in touch using our support form or Slack channel.
Identity data your service can get about your users
User attributes
If a user successfully proves their identity, you’ll always receive the following core identity information about them:
- their name
- date of birth
- the level of identity confidence
You can also ask for:
- postal addresses for the last 3 years (we check that addresses are genuine and if they’re associated with fraudulent activity)
- passport details, if the user proved their identity using their passport
- driving licence details, if the user proved their identity using their driving licence
We may ask you to provide a reason for requesting these pieces of information, so we can avoid unnecessary data sharing.
This is in addition to the data you’ll get from the ‘sign in’ part of GOV.UK One Login, which is:
- a unique identifier
- an email address
- a mobile phone number, if the user set up two-factor authentication using their mobile phone number
If there’s any other data your service needs - get in touch to talk to us about it.
Audit and fraud data
If an identity has shown evidence of being fraudulent, we can provide more information about that user to you.
Find out more
Read the technical documentation to see how to integrate with the identity checking part of GOV.UK One Login.