Guidance

How to prove and verify someone's identity

Good Practice Guide (GPG) 45 helps you decide how to check someone's identity.

Documents

Details

This guidance will help you decide how to check someone’s identity. Some existing identity checking services already follow this guidance.

This guidance was written by Government Digital Service (GDS) with help from organisations across the public and private sectors. Key contributors include:

  • Department for Work and Pensions (DWP)
  • Driver and Vehicle Licensing Agency (DVLA)
  • HM Revenue and Customs (HMRC)
  • Home Office
  • Ministry of Defence (MoD)
  • National Cyber Security Centre (NCSC)
  • Barclays
  • Digidentity
  • Experian
  • IDEMIA
  • Post Office

This guidance aligns with these international standards and regulations:

This guidance does not explain the practical ways you can check someone’s identity. You’ll need to decide what tools or processes you want to use based on what’s appropriate for your service. For example, you might decide to accept a passport as evidence of someone’s identity if you know:

  • the users of your service are likely to have a passport
  • staff in your organisation have equipment they need to check the document effectively

One of the ways you can follow this guidance to check someone’s identity is by using GOV.UK Verify in your service.

Published 6 January 2014
Last updated 11 February 2021 + show all updates
  1. The 'Check if the claimed identity is at high risk of identity fraud' and 'Check that the identity belongs to the person who’s claiming it' sections have been updated. They now include more guidance about what extra checks you can do if you find a claimed identity that's at high risk of identity fraud or suspected to be a synthetic identity.

  2. The guidance has been split into 2 parts. The identity profiles are now separate from the rest of the guidance to make it easier for users to find the profile they need. New identity profiles have been added to give users more choice in how they combine the different parts of the identity checking process. Some of the 'very high' profiles have been removed as very few organisations or services would actually need that much confidence in someone's identity. The way 'activity' checks are scored has changed. There's no longer a requirement to know if the type of interactions are typical of that person. These checks are also now called 'activity history' checks. Different quality knowledge-based verification (KBV) challenges can now be combined to get a score of 2 for 'verification'. This means there are more ways to use KBV to link a person to a claimed identity.

  3. The guidance has been given a more active title. The 'Get evidence of the claimed identity' section now includes some information about what to do if a piece of evidence contains transposition errors. The 'Check the evidence is genuine or valid' section now explains that digital evidence will always get at least a score of 2. In the same section, the requirements needed for evidence that contains digital information have been updated to take into account things like information found in databases. The guidance about identity profiles has been updated to clarify that you do not need to add up the individual scores within a profile to come up with a total.

  4. The definition of valid has been updated in the 'Check the evidence is genuine or valid' section. Checking a piece of evidence has not expired, cancelled or been reported as lost or stolen used to be things you could do as part of the 'valid' check. These are now listed as separate checks. It's now clearer that you do not need to check if a piece of evidence has been cancelled, lost or stolen to get a score of 2 or 3.

  5. The guidance has been rewritten in plain English so it's easy for both technical and non-technical users to understand. The annexes from the previous version have been removed and the information from them added to the guidance. Examples of how checks can be done have been added throughout the guidance. Information about checking someone's biometric information has been added to the 'Check that the identity belongs to the person who’s claiming it (‘verification’)' section. The 'Identity profiles' section has been expanded. The new identity profiles will make it easier to check the identities of users who do not have much evidence of their identity.

  6. Replaced the old version of Good Practice Guide 45 (version 2.3) with the latest version of the Good Practice Guide 45 (version 3).

  7. New version of the guide published.

  8. First published.