The government faces questions about whether the system underpinning its digital ID plans can be trusted to keep people's personal data secure.
The digital ID will be available to all UK citizens and legal residents, but will only be required for employment., according to government proposals.
Full details of how the system will work have yet to be announced, but Prime Minister Sir Keir Starmer insists it will “have safety at its core”.
It will be based on two government systems – Gov.uk One Login and Gov.uk Wallet.
One entrance is a single account for accessing government services online that the government says more than 12 million people have already signed up for.
It could reach 20 million by this time next year as people registering as company directors will be required to verify their identity through a single sign-on. from November 18.
UK State Purse has not yet launched, but it could eventually allow citizens to store their digital IDs, including name, date of birth, citizenship and residency status, and photo, on their smartphones.
To access the wallet, users will need a single Gov.UK login.
Last month, the government launched a digital ID for military veterans. check the concept.
The government hopes to avoid security concerns by storing personal data that can be accessed through single sign-on within individual government departments rather than in a single centralized database.
But veteran civil liberties campaigner and Conservative MP David Davis has raised concerns about potential flaws in the design and implementation of One Login, which he says could make it (and the new digital identity scheme) vulnerable to hackers.
Speaking at a Westminster Hall debate earlier this month, he said: “When this system comes into force, all the data of the entire population will be open to malicious actors – foreign nations, ransomware criminals, malicious hackers and even their own personal or political enemies.
“As a result, it will be worse than Horizon.” [Post Office] scandal.”
Davis wrote to the expenditure service of the State Control calling for an “urgent” investigation into the cost of One Login, which he said was likely to exceed the £305 million already committed to it.
In his letter, the MP highlights a 2022 incident in which it was revealed that the One Login system was being developed on unsecured workstations by contractors without the required security clearance in Romania.
Davis also notes that One Login does not meet government requirements to be classified as a secure and trusted identity provider.
The government accused the supplier of allowing Trust Framework for Digital Identity and Attributes the certificate expires early this year and says it is working to reinstate it, which will happen “immediately.”
In addition, the Liberal Democrats' technology spokesman Lord Clement-Jones questioned whether One Login met the standards of the National Cyber Security Centre.
A colleague says he has spoken to a whistleblower who claims the government missed the 2025 deadline set in its law. national cybersecurity strategy to protect “critical” systems from cyber attacks.
Ministers deny this, but a Lib Dem peer said an official told him One Login would not pass the required security tests until March 2026.
The whistleblower also recounted an incident in March this year in which a so-called “red team” tasked with simulating a real-life cyber attack was reportedly able to gain privileged access to One Login's systems.
The Department of Science, Innovation and Technology (DSIT) says it cannot provide details of the red team exercise for security reasons, but says claims its systems were infiltrated undetected are false.
DSIT officials also assured Lord Clement-Jones that the subcontractors in Romania were “a handful of people”, none of whom had access to production, “and all the code was reviewed”.
The department says all members of the team working on One Login use “corporate-managed” devices that are monitored by the security team to detect any malicious activity.
However, Lord Clement-Jones told the BBC he was not convinced by the department's assurances.
He said the track record of successive governments on One Login and other systems “should give us no confidence at all that a new mandatory digital ID that will build on them will keep our personal data secure and meet the highest cybersecurity standards.”
Last week, the Prime Minister handed over overall control of the digital ID scheme to the Cabinet Office, led by one of his most trusted and senior ministers, Darren Jones, reflecting its importance to the Government.
But the State Digital Service, part of DSIT, will retain responsibility for the development of the project.
A DSIT spokesperson said: “Gov.UK One Login continues to provide services to citizens across the UK.
“One Login currently contains over 100 services and is used by over 12 million people, representing almost a sixth of the UK population.
“One Login meets the highest security standards used in government and the private sector and is fully compliant with UK data protection and privacy laws.
“The system undergoes regular security audits and testing, including by independent third parties, to ensure that security remains strong and up to date.”
