GOV.UK Verify will protect you from someone else pretending to be you and fraudulently accessing sensitive records and services. This is increasingly important as it becomes possible for people to do more things entirely digitally (such as changing your personal details with a government service, claiming payments or accessing services).
When you want to access a service using GOV.UK Verify for the first time, you’ll be asked to choose from a list of certified companies (also known as ‘identity providers’ - they can actually be any type of organisation that is certified).
Your chosen certified company will ask you for some information and carry out some checks to establish, to a defined level of assurance, that you are who you say you are. Once you’ve done this once, your certified company will give you some sign-in credentials that you’ll be able to use to access an increasing range of government services. This post is about the types of information and checks the companies use to establish that it's really you when they verify your identity for the first time.
To verify your identity, certified companies have to look at a range of evidence and checks to establish that you are who you say you are - no single piece of evidence is sufficient. There are five elements involved, and the company has to achieve specific thresholds in each one before they can verify someone’s identity.
Certified companies have to work to published government standards when they verify your identity: Good Practice Guide 45 and the IPV Operations Manual. We’ve published a guide to the checks certified companies have to perform to summarise the requirements in the published standards.
The company has to get the your consent to access data sources such as credit reference agency data for the purposes of verifying your identity. The company can only use the data you provide for the purposes of verifying your identity - they can’t use it for any other purpose without your informed consent, and they have to process and store your data in accordance with data protection requirements.
Element A - capture evidence that the identity exists
The company will ask you to provide some evidence that demonstrates that your identity is real.
There are 3 categories of evidence - citizen, money and living. Different types of evidence are weighted according to how reliable and authoritative they are. So, for example, the fact that your name appears on the electoral roll is worth less than the fact that you have a UK passport or driver licence, reflecting how reliable each piece of evidence is in proving that your identity actually exists.
The certified company has to collect evidence of a sufficient weight across the citizen, money and living categories to achieve the required standards.
Element B - validating the evidence
The certified company has to establish that the evidence you've provided is valid, genuine or both, depending on the level of assurance required. ‘Valid’ means that the evidence matches a valid record held by the issuing body. ‘Genuine’ means that the evidence is real and is in the control or possession of the person who is asserting it.
To meet the requirements for element B, the identity provider can use the document checking service, or a similar commercial service, to check whether data asserted by a user is valid.
For example, if a person asserts the details of a payment card for element A, the company might establish it’s valid by checking with the issuing bank (or another reliable source) to see if the card matches a valid account, and / or it might establish it’s genuine by using a chip and pin device for the card. If a person asserts details from their driver licence or passport, the company can establish it is valid by using the document checking service.
Element C - establishing a link between the person and the identity
Having established that the identity exists, the company has to establish that the person asserting it is the owner of that identity.
They can do this through a range of methods. One commonly used method involves asking the person a range of questions it’s likely only they would know the answer to. The company can generate these questions from a range of data sources. These might include, for example, data they hold themselves (eg if they already know you because you have an existing relationship with them), data provided by another service provider, or credit reference agency data (if they do that, it won’t affect the person’s credit rating; only the person themselves will be able to tell that their credit reference agency file has been used in that way.)
Element D - counter fraud checks
The certified company has to establish that the identity is not known or likely to be false or stolen. They do this by assessing any signals that might indicate the identity is fraudulent, and by referring to data sources such as commercially available lists of known fraudulent identities or fraudulent documents.
Element E - activity history
The certified company has to establish that the identity has been active over a period of time. They can do this by finding evidence that the person has interacted with organisations like banks, utility companies, a mobile phone provider or another service provider. For example, if the person has paid a utility bill, a loan payment or a mortgage payment, that would qualify as an activity ‘event’. The provider has to find a sufficient number of events with a specified level of confidence they were generated by the person, to meet the required level of assurance.
Once they've completed these checks, the certified company can assure the service you want to use, through the GOV.UK Verify hub, that you are who you say you are. They won't share the data used to verify your identity with the government - only your name, address, date of birth and gender (if you chose to provide it). See Adam's post about how the technical architecture protects people's privacy for more information about how that works.
Where to find more information
If you’d like to know more about the standards the certified companies have to meet when verifying someone's identity, see the published Good Practice Guide, the IPV Operations Manual, and our guide to the checks identity providers have to perform.
8 comments
Comment by Lesley Kendall posted on
My husband and i pay all our utility bills through joint bank accounts. His is the first name on the accounts. Will this make it more difficult for me to verify my identity?
Comment by Rebecca Hales posted on
Hi Lesley, thank-you for your message.
Certified companies have to work to published government standards when they verify your identity. To do this, they have to look at a range of evidence and checks to establish that you are who you say you are – no single piece of evidence is sufficient. Therefore, we may still be able to verify you based on other evidence, even if you are not the named bill payer.
Comment by John Bib posted on
Is it true that I need to provide a mobile phone number to verify my identity?
Comment by Rebecca Hales posted on
Hi John
All current certified companies use two-step verification via a mobile phone registered in the UK to the requesting user. We recognise that for some people this is an issue and are working towards a solution to get around this. We hope to have that in place later in the year.
For certain services we have very recently introduced alternatives. If you return to the service you're trying to access, go back through the GOV.UK Verify path and on the page where you choose a certified company, you should see a link for users who do not have a mobile phone.
Comment by Fiona Summers-Smith posted on
this is not true. I have for several years used the Gov.uk gateway to submit my tax returns and in January I set up making payments for my tax. Today I signed in with my password and I am now prevented from going any further because I have to enter a mobile phone number. I don't have a mobile phone so now I am blocked from using a service I have been using for years. Whoever was in charge of testing this should be sacked. I now have to revert to writing to the tax office and submitting my self assessment by post after at least 3 years of doing it online. Call yourselves professionals?
Comment by Rebecca Hales posted on
Thank-you for your message, Fiona.
Sorry you've had a frustrating experience.
GOV.UK Verify does offer options for users without mobile telephones. If you are unable to receive a security code via a mobile (due to lack of device or reception), some of our certified companies can send it by landline, tablet or app.
The Government Gateway service to which you're referring does require you to have a mobile telephone. You may wish to contact HMRC with your feedback here: https://www.gov.uk/contact-hmrc
Comment by G. Sly posted on
I can no longer get into Government Gateway even though I've had an account for several years.
It seems to be impossible to get a GOV.UK Verify account without a photocard Driving License or Passport, so that's useless to me.
What's the point in extra security if it makes access impossible for legitimate users?
Comment by Emily Ch'ng posted on
I'm sorry to hear you've had difficulties. You may still be able to use GOV.UK Verify. One of the certified companies introduced a new method of verification meaning that if you have a bank account and a credit or debit card, you can now verify your identity without either a passport or driving licence.
If you return to the service, go back through the GOV.UK Verify path and select 'no' when asked if you have a driving licence or passport, you should be able to choose a certified company that may be able to verify you. If you choose that company, you will be provided with a list of requirements needed for them to verify you and you should be able to proceed from there.
GOV.UK Verify is being constantly developed and improved based on user feedback. We’re continuing to work with certified companies and investigating alternative sources of data to overcome this problem.