Guidance

Data taxonomy, data model and data dictionary for GPG 44

Published 3 March 2026

Introduction

This specification describes the data taxonomy, data model and data dictionary for the ‘How to use authenticators to protect an online service’ guidance, also known as Good Practice Guide (GPG) 44, a supporting document for the UK digital verification services trust framework.

The data taxonomy provides a description of the hierarchy and classification of data for GPG 44.

The data model provides a description of the data element name, any relevant sub-elements and the data type.

The data dictionary is a collection of names, definitions, and attributes about data elements and sub-elements relating to GPG 44.

Data taxonomy

This section describes the data taxonomy for GPG 44.

This taxonomy provides a standardised terminology for describing GPG 44 data, setting out the types of data and elements it covers and defining the names of the data elements.

The GPG 44 taxonomy includes titles and descriptions for the following areas:

  • Authenticator type

  • Authenticator quality

  • Authenticator protection

Authenticator type

An authenticator is a tool that enables a user to sign into a service that they have previously accessed. There are different types of authenticators including:

Authenticator quality

The quality of an authenticator is defined by how secure it is.

Authenticator protection

An authenticator can protect a service from being accessed by someone who should not be able to use it. How much protection your service needs depends on:

  • what information the user needs to use the service

  • what information the service gives the user access to

  • what the service or user can do with that information

Data model

The data model provides a description of the data element name, the relevant sub-elements and the data type.

Overview

This nested view shows the relationship between elements and their sub‑elements.

authentication

    authenticator_protection: string
    multifactor: string
    monitoring: string
    authenticators: array (authenticator)

An authenticator is defined as:

authenticator

    authenticator_type: string
    authenticator_quality: string

Data dictionary

The data dictionary explains what the data elements mean and provides a common language and understanding for the relevant standards and format.

Table D1: Data elements - description and value type

| Data element | Description |
|---|---|
| authenticator_protection | Level of protection achieved according to GPG 44 |
| multifactor | The number of factors used in the authentication (integer) |
| monitoring | Whether monitoring is being performed (yes/no) |
| authenticator_type | The type of authenticator according to GPG 44 |
| authenticator_quality | The quality of the authenticator according to GPG 44 |

Table V1: Predefined values - definitions

| Predefined value | Definition |
|---|---|
| pin | A numeric / alpha-numeric passcode used in the process of authenticating |
| password | A set of letters, digits, or other symbols only known by the user that are used in the process of authenticating |
| kbv | An answer to a question that only the user knows the answer to |
| physical_token | A security key held in a physical device that is presented by the user, for example a chipped card |
| digital_token | A security key held in a physical device that is presented by the user, for example a chipped card |
| biometric | A measurement of someone’s biological or behavioural characteristics used to authenticate them |

Predefined lists

Table L1: Predefined lists - allowed values

| Predefined list | Allowed values | Notes |
|---|---|---|
| authenticator_type | pin, password, kbv, physical_token, digital_token, biometric | |
| authenticator_quality | low, medium, high | levels from GPG 44 |
| authenticator_protection | low, medium, high, very_high | levels from GPG 44 |
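
The validator below is an added example, not part of the published specification: it checks a record shaped like the data model against the allowed values in Table L1. The function names, the sample records and the handling of multifactor (accepted as an integer or a string of digits, at least 1, because the model and the dictionary give different types) are assumptions.

```python
ALLOWED = {
    "authenticator_type": {"pin", "password", "kbv", "physical_token",
                           "digital_token", "biometric"},
    "authenticator_quality": {"low", "medium", "high"},
    "authenticator_protection": {"low", "medium", "high", "very_high"},
}  # values from Table L1

def _check_list(errors, path, field, record):
    value = record.get(field)
    if not isinstance(value, str) or value not in ALLOWED[field]:
        errors.append(f"{path}{field}: {value!r} is not an allowed value")

def validate_authentication(record):
    """Return a list of problems; an empty list means the record conforms."""
    if not isinstance(record, dict):
        return ["authentication: expected an object"]
    errors = []
    _check_list(errors, "", "authenticator_protection", record)
    # Assumption: the model types multifactor as a string while the dictionary
    # describes an integer, so both an int and a string of digits are accepted.
    mf = record.get("multifactor")
    if isinstance(mf, str) and mf.isascii() and mf.isdigit():
        mf = int(mf)
    if isinstance(mf, bool) or not isinstance(mf, int) or mf < 1:
        errors.append(f"multifactor: {record.get('multifactor')!r} is not a count of factors")
    if record.get("monitoring") not in ("yes", "no"):
        errors.append(f"monitoring: {record.get('monitoring')!r} is not yes or no")
    auths = record.get("authenticators")
    if not isinstance(auths, list):
        errors.append("authenticators: expected an array")
        auths = []
    for i, auth in enumerate(auths):
        path = f"authenticators[{i}]"
        if not isinstance(auth, dict):
            errors.append(f"{path}: expected an object")
            continue
        _check_list(errors, path + ".", "authenticator_type", auth)
        _check_list(errors, path + ".", "authenticator_quality", auth)
    return errors

# Constructed sample records, not taken from the guidance.
GOOD = {"authenticator_protection": "medium", "multifactor": "2", "monitoring": "yes",
        "authenticators": [{"authenticator_type": "password", "authenticator_quality": "medium"},
                           {"authenticator_type": "physical_token", "authenticator_quality": "high"}]}
BAD = {"authenticator_protection": "very high", "multifactor": "two", "monitoring": True,
       "authenticators": [{"authenticator_type": "otp", "authenticator_quality": "high"}]}

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(validate_authentication(rec) or "conforms")
```

The validator checks only types and allowed values; it does not judge whether the stated protection level is justified by the listed authenticators, which is a matter for GPG 44 itself.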