Guidance

GOV.UK Verify: checks identity providers must perform

A summary of the checks identity providers must perform when verifying a user's identity for GOV.UK Verify at different levels of assurance.

Identity providers must perform a range of checks when verifying a user’s identity. The extent of these checks is determined by the level of assurance (eg LoA2, LoA3) required by the service the user wants to access. You can read more about the different levels of assurance in Good Practice Guide No. 45 (GPG 45).

The following checks must take place for LoA2 and LoA3 identities:

Diagram summarising the checks an identity provider must perform during the lifetime of a user's account.

The diagrams below summarise the requirements identity providers must meet. You can find more detailed information in GPG 45.

Registration checks

To register with an identity provider a user must provide their name, gender, address and date of birth. They may need to provide historical names and addresses if their details have changed recently.

The user will then need to provide the identity provider with at least 2 pieces of evidence that demonstrate they are the person they say they are, eg driving licence, bank account details. This evidence may be provided electronically or physically, and more evidence may be needed depending on the:

  • level of assurance the service requires
  • type of evidence the user is able to provide
  • solution the identity provider implements (providers can take different approaches as long as they meet the required standards)

The identity provider will then perform the following checks (in no specified order) for LoA2 and LoA3, to determine whether the evidence provided appears to be real and relates to the user.

Table explaining the different checks an identity provider must perform when a user registers for an LoA2 identity.

Classification of evidence

The evidence a user provides is scored on the strength of its identity properties (see Chapter 6 of GPG 45 for more information). It is also classified into 1 of the following categories:

  • Citizen
  • Money
  • Living

For each level of assurance there are different permissible combinations of categories and scores. These are shown in the table above (LoA2) and below (LoA3).

Annex A of GPG 45 provides more information about the classifications.

Table explaining the different checks an identity provider must perform when a user registers for an LoA3 identity.

Checks at points after registration

Identity providers must perform further checks for LoA2 and LoA3 identities after the user has registered for the service.

Diagram showing the checks an identity provider must perform for LoA2 identities by a set point after registration.
Diagram showing the checks an identity provider must perform for LoA3 identities by set points after registration.

Checks every time a user signs into a service

The identity provider must perform all of the following checks (in no specified order) for LoA2 and LoA3 every time a user signs into the service. The set period for each check is defined by the level of assurance the service requires.

Diagram showing the checks an identity provider must perform for LoA2 and LoA3 identities every time the user signs into a service.
Published 8 October 2014
Last updated 26 October 2017 + show all updates
  1. Removed statement "The service currently provides LoA2 only" as this is no longer true.
  2. First published.