GOV.UK Verify will protect you from someone else pretending to be you and fraudulently accessing sensitive records and services. This is increasingly important as it becomes possible for people to do more things entirely digitally (such as changing your personal details with a government service, claiming payments or accessing services).
When you want to access a service using GOV.UK Verify for the first time, you’ll be asked to choose from a list of certified companies (also known as ‘identity providers’ - they can actually be any type of organisation that is certified).
Your chosen certified company will ask you for some information and carry out some checks to establish, to a defined level of assurance, that you are who you say you are. Once you’ve done this, your certified company will give you some sign-in credentials that you’ll be able to use to access an increasing range of government services. This post is about the types of information and checks the companies use to establish that it's really you when they verify your identity for the first time.
To verify your identity, certified companies have to look at a range of evidence and checks to establish that you are who you say you are - no single piece of evidence is sufficient. There are five elements involved, and the company has to achieve specific thresholds in each one before they can verify someone’s identity.
Certified companies have to work to published government standards when they verify your identity: Good Practice Guide 45 and the IPV Operations Manual. We’ve also published a guide to the checks certified companies have to perform, which summarises the requirements in the published standards.
The company has to get your consent to access data sources such as credit reference agency data for the purposes of verifying your identity. The company can only use the data you provide for the purposes of verifying your identity - they can’t use it for any other purpose without your informed consent, and they have to process and store your data in accordance with data protection requirements.
Element A - capture evidence that the identity exists
The company will ask you to provide some evidence that demonstrates that your identity is real.
There are 3 categories of evidence - citizen, money and living. Different types of evidence are weighted according to how reliable and authoritative they are. So, for example, the fact that your name appears on the electoral roll is worth less than the fact that you have a UK passport or driver licence, reflecting how reliable each piece of evidence is in proving that your identity actually exists.
The certified company has to collect evidence of a sufficient weight across the citizen, money and living categories to achieve the required standards.
Element B - validating the evidence
The certified company has to establish that the evidence you've provided is valid, genuine or both, depending on the level of assurance required. ‘Valid’ means that the evidence matches a valid record held by the issuing body. ‘Genuine’ means that the evidence is real and is in the control or possession of the person who is asserting it.
To meet the requirements for element B, the identity provider can use the document checking service, or a similar commercial service, to check whether data asserted by a user is valid.
For example, if a person asserts the details of a payment card for element A, the company might establish it’s valid by checking with the issuing bank (or another reliable source) to see if the card matches a valid account, and/or it might establish it’s genuine by using a chip and PIN device for the card. If a person asserts details from their driver licence or passport, the company can establish it is valid by using the document checking service.
Element C - establishing a link between the person and the identity
Having established that the identity exists, the company has to establish that the person asserting it is the owner of that identity.
They can do this through a range of methods. One commonly used method involves asking the person a range of questions it’s likely only they would know the answer to. The company can generate these questions from a range of data sources. These might include, for example, data they hold themselves (eg if they already know you because you have an existing relationship with them), data provided by another service provider, or credit reference agency data (if they do that, it won’t affect the person’s credit rating; only the person themselves will be able to tell that their credit reference agency file has been used in that way).
Element D - counter fraud checks
The certified company has to establish that the identity is not known to be, or likely to be, false or stolen. They do this by assessing any signals that might indicate the identity is fraudulent, and by referring to data sources such as commercially available lists of known fraudulent identities or fraudulent documents.
Element E - activity history
The certified company has to establish that the identity has been active over a period of time. They can do this by finding evidence that the person has interacted with organisations like banks, utility companies, a mobile phone provider or another service provider. For example, if the person has paid a utility bill, a loan payment or a mortgage payment, that would qualify as an activity ‘event’. The provider has to find a sufficient number of events with a specified level of confidence they were generated by the person, to meet the required level of assurance.
Once they've completed these checks, the certified company can assure the service you want to use, through the GOV.UK Verify hub, that you are who you say you are. They won't share the data used to verify your identity with the government - only your name, address, date of birth and gender (if you chose to provide it). See Adam's post about how the technical architecture protects people's privacy for more information about how that works.
Where to find more information
If you’d like to know more about the standards the certified companies have to meet when verifying someone's identity, see the published Good Practice Guide, the IPV Operations Manual, and our guide to the checks identity providers have to perform.