https://identityassurance.blog.gov.uk/2014/11/07/using-mobile-phones-as-part-of-gov-uk-verify/

Using mobile phones as part of GOV.UK Verify

We've had some questions and comments this week about how mobile phones are used as part of GOV.UK Verify so thought it might be useful to write a short post about it.

In summary, you won't have to use a mobile phone to use GOV.UK Verify.

Identity providers have to meet published standards when they first verify someone's identity and in the way they authenticate of the person next time they want to access a service using GOV.UK Verify. We don't specify how the identity providers meet those standards, and we expect they will use a range of methods.

Identity providers have to include 2 steps to authenticate users - a secret known only to the user (eg a password), and another secret, communicated to the user through another channel. This is to protect against someone being able to steal the user's login credentials and pretend to be them.

The second step can be a code sent to a mobile phone (one of the more commonly used methods), or it can be another method such as a code communicated to you over your telephone landline, a gridcard or a hardware device similar to those used by some banks. We're expecting providers to give users a range of options. At least one provider is already planning to provide an alternative way for people who don't want to use a mobile phone when they authenticate. So if you want to use another method, other than a mobile phone, you'll be able to choose an identity provider that will enable you to do that.

 

 

6 comments

  1. Comment by Bernard posted on

    I’m glad to see alternatives to mobile phone based 2FA being offered by identity providers. The GOV.UK Verify service needs to meet users concerns, and there are some who a) don’t have a mobile phone, b) would rather not provide it. I’ve met a number of users, who have these concerns, when testing.

    Can you say who this provider is?

    • Replies to Bernard>

      Comment by Janet Hughes posted on

      Hi Bernard

      Thanks for your comment and question.

      This is one area where we expect the market to develop quite rapidly. At this stage we're aware of the following plans among the certified companies.

      Verizon is planning to offer users the ability to use email or phone landlines.

      Experian is planning to offer people the opportunity to use a software token that sits in the browser of their device. This does not rely on the individual using a mobile phone.

      Digidentity plans to offer the following methods:
      1. SMS
      2. Tome Based one-time passcode in their app
      3. Secure PIN in their app
      4. Fingerprint in their app (iOS only)
      5. Facial recognition in their app
      Non Mobile Phone:
      6. Yubikey one-time passcode (OTP) generator

      We've designed GOV.UK Verify so that people can choose the provider that most suits their needs, including the equipment they have available / want to use for their second authentication step. We'll carry on making information available through the service that will enable people to make informed choices.

  2. Comment by Ben posted on

    Having signed up with the postoffice (who only offer SMS 2FA it seems) how can I switch to a different provider that doesn't require SMS? (lousy mobile reception at home means SMS is a pain)

    • Replies to Ben>

      Comment by Rebecca Hales posted on

      Hi Ben, thanks for getting in touch

      Sorry you've been having trouble receiving your verification code due to poor mobile telephone reception.

      The first thing you should do is contact the certified company's user support service to see if they can help.

      If you are still unable to verify your identity using the original certified company you selected, you can try another. You can register with as many certified companies as you want on GOV.UK Verify and, equally, you can close your account with one if you want to.

  3. Comment by Kelly posted on

    I've got the verification code come through via text but I'm not sure what to do with it?

    • Replies to Kelly>

      Comment by Emily Ch'ng posted on

      Hi Kelly

      Apologies for the delay in replying. Can I please double check if the verification service you were using was Government Gateway or GOV.UK Verify?

      If you could also let me know if you received the code after requesting it to be sent to your phone as a part of 2-factor authentication that'd be great.

      Thanks

      Emily