The government is facing questions over whether the system at the heart of its plans for digital ID can be trusted to keep people’s personal data secure.
Digital ID will be made available to all UK citizens and legal residents but will only be mandatory for employment, under the government’s proposals.
Full details of how the system will work have yet to be announced but Prime Minister Sir Keir Starmer has insisted it “will have security at its core”.
It will be based on two government-built systems – Gov.uk One Login and Gov.uk Wallet.
One Login is a single account for accessing public services online, which the government says more than 12 million people have already signed up to.
By this time next year that might be as many as 20 million, as people registering as company directors will have to verify their identity through One Login from 18 November.
Gov.UK Wallet has not yet been launched but it could eventually allow citizens to store their digital ID – including name, date of birth, nationality and residence status, and a photo – on their smartphones.
Users will need a Gov.UK One Login to access the wallet.
Last month, the government launched a digital identity card for military veterans to test the concept.
The government hopes to avoid security issues by keeping the personal details to be accessed through One Login in individual government departments rather than in a single, centralised database.
But veteran civil liberties campaigner and Conservative MP David Davis has raised concerns about potential flaws in the design and implementation of One Login that he says could leave it – and the new digital ID scheme – vulnerable to hackers.
Speaking in a Westminster Hall debate earlier this month, he said: “What will happen when this system comes into effect is that the entire population’s entire data will be open to malevolent actors – foreign nations, ransomware criminals, malevolent hackers and even their own personal or political enemies.
“As a result, this will be worse than the Horizon [Post Office] scandal.”
Davis has written to spending watchdog the National Audit Office calling for an “urgent” investigation into the cost of One Login, which he says is certain to rise above the £305m already earmarked for it.
In his letter, the MP highlights a 2022 incident, in which it was found that the One Login system was being developed on unsecured workstations by contractors without the required security clearance in Romania.
Davis also points out that One Login does not meet the government’s own requirements to be classified as a safe and trusted identity supplier.
The government has blamed a supplier for allowing its Digital Identity and Attributes Trust Framework certification to lapse earlier this year and says it is working towards it being restored, which will happen “imminently”.
Separately, Liberal Democrat technology spokesman Lord Clement-Jones has questioned whether One Login meets National Cyber Security Centre standards.
The peer says he has been speaking to a whistleblower, who claims that the government has missed the 2025 deadline set out in its national cyber security strategy for hardening “critical” systems against cyber attacks.
Ministers deny this but the Lib Dem peer said he had been told by an official that One Login would not pass the required security tests until March 2026.
The whistleblower also highlighted an incident from March this year, when a so-called “red team” tasked with simulating a real life cyber attack was reportedly able to gain privileged access to One Login systems.
The Department for Science, Innovation and Technology (DSIT) says it is unable to give details of the red team exercise for security reasons but says claims that its systems were penetrated without detection are false.
DSIT officials also assured Lord Clement-Jones that the subcontractors in Romania were “a handful of people” none of whom had access to production “and all code was checked”.
The department says all members of the team working on One Login use “corporately managed” devices which are monitored by a security team to detect any malicious activity.
But Lord Clement-Jones told the BBC he was not convinced by the department’s assurances.
He said the track record of successive governments of running One Login and other systems “should give us all no confidence at all that the new compulsory digital ID, which will be based on them, will ensure that our personal data is safe and will meet the highest cybersecurity standards”.
Last week, the prime minister handed overall control of the digital ID scheme to the Cabinet Office, which is headed by one of his most trusted and senior ministers Darren Jones, reflecting its importance to the government.
But the Government Digital Service, which is part of DSIT, will retain responsibility for design of the project.
A DSIT spokesperson said: “Gov.UK One Login continues to deliver for citizens across the UK.
“One Login is now home to more than 100 services and has been used by more than 12 million people – representing almost a sixth of the UK population.
“One Login follows the highest security standards used across government and the private sector and is fully compliant with UK data protection and privacy laws.
“The system undergoes regular security reviews and testing, including by independent third-parties, to ensure security remains strong and up to date.”
