Guidance

How to use authenticators to protect an online service (1.0)

This guidance, also known as Good Practice Guide (GPG) 44, will help you choose an authenticator that will give you the level of protection that’s most suitable for users accessing your service.

• From: Office for Digital Identities and Attributes and Department for Science, Innovation and Technology
• Published: 3 March 2026
• Last updated: 9 June 2026 — See all updates

Documents

How to use authenticators to protect an online service (1.0)

HTML

Details

This guidance, also known as Good Practice Guide (GPG) 44, will help you choose an authenticator that will give you the level of protection that’s most suitable for users accessing your service. It describes a methodology for assessing the level of protection achieved by authenticators of different types and of different quality.

This 1.0 publication of GPG 44 is valid from the date the 1.0 publication of the UK digital verification services trust framework (‘trust framework’) comes into force.

Services demonstrating compliance with GPG 44 as part of certification against the 1.0 trust framework will have to comply with this version of GPG 44.

This is the first version-controlled publication of GPG 44. The most recent non-numbered version of GPG 44 (titled ‘Using authenticators to protect an online service’) can be found on GOV.UK and is, from the date of this publication, to be considered as the 0.4 version of GPG 44.

Published 3 March 2026

Last updated 9 June 2026 — Show all updates

1. 9 June 2026

   The publication has been updated to reflect that it is now in its final release, rather than in pre-release.

2. 6 March 2026

   Fixing and adding links, and rectifying formatting issues.

3. 3 March 2026

   First published.