188体育

Checking a user鈥檚 identity is known as 鈥榠dentity assurance鈥�. It tells you how likely it is that:

• the person the user is claiming to be is real
• the user is the person they鈥檙e claiming to be

If your service needs to know either of these things, you鈥檒l probably need to check your users鈥� identities. This can help you find out if your users are:

• eligible to use your service
• allowed to access any data the government holds about them

Checking a user鈥檚 identity online is usually the quickest and most convenient way for them to prove who they are.

Find out what checks you need to do to prove and verify someone鈥檚 identity.

Authentication

Identity assurance is different from 鈥榓uthentication鈥�, which is about how a user signs in to something. A user can usually do this without proving who they really are.

A user should provide multiple 鈥榓uthenticators鈥� (Multi-Factor Authentication) to sign in to a service, for example a password and a code sent to their mobile phone.

Find out which authenticators you should use to protect your service.

You can also use an authentication pattern like a user account if you need to recognise that a user has used your service before. Read about in the 188体育 Design System.

How identity assurance can help your service

Checking users鈥� eligibility

You cannot usually tell if someone鈥檚 eligible to use your service just by checking their identity. But you can combine identity checks with other proof a user provides if you need a high level of confidence they鈥檙e telling the truth.

Most services check whether people are eligible to use a service by asking them for information about themselves. Sometimes it鈥檚 okay to simply accept what the user tells you, but if you need to be more confident you can ask for evidence to back up the information they鈥檝e given.

Asking for evidence helps prevent ineligible users from accessing your service by providing false information. For example, asking for a payslip as proof of how much someone earns means you can check if their income is below a certain threshold.

Identity assurance can help you be sure the user has actually given you evidence that鈥檚 about them, not about someone else who might also be eligible. Do this if you need to be confident a user is not:

• using a synthetic or made up identity that would be eligible to access your service
• impersonating someone else who is eligible

How confident you need to be in the user鈥檚 identity depends on how much risk your service can accept. For example, you might accept more risk if your service provides users with something of relatively low value. You might accept less risk if you offer something of high value that might be more likely to be targeted by fraudsters, such as money or a licence.

There are other ways to check users鈥� eligibility. For example, you could check if information about the user . This will give you an idea if the user is who they say they are, but it will not prove their identity.

Letting users access data

You must protect data you hold about users. Remember that a cyber criminal might use even basic data they can get from your service to commit a more sophisticated attack elsewhere.

Government services must follow the approach outlined in the to build identity and access management capabilities that are proportionate to the associated risks.

Check a user鈥檚 identity before you let them access data, even if it is something they already have permission to access. For example, users need to prove their identity before they can view their tax records using their personal tax account.

This does not include data users save in an application form they鈥檙e planning to return to later - use a instead.

You can also let users share data without conducting further checks on the people or organisations they share it with. For example, the Driver and Vehicle Licensing Agency (DVLA) lets third parties view a person鈥檚 driving licence information if they have a 鈥榗heck code鈥� from that person giving them permission.

Under the General Data Protection Regulation (GDPR), you need to be sure your service is collecting and sharing this information under the right legal basis. You鈥檒l also need to check the identity of the person giving permission to make sure they鈥檙e the same person the data relates to.

Letting users make legal agreements online

Ink signatures can prove a particular person agrees to, authorises or confirms something. That person will usually have to prove their identity before they sign anything.

If you check someone鈥檚 identity online, you might also be able to accept an electronic signature. These can replace ink signatures as a way to show that the user agrees to something online.

Read the guidance about electronic signatures to find out how you can use them in your service.

Using electronic signatures can help your service meet the electronic identification and trust services (eIDAS) regulation. An electronic signature will usually give you a 鈥榣ow鈥� level of assurance that the user is who they say they are. If you want to meet a 鈥榮ubstantial鈥� or 鈥榟igh鈥� level of assurance, you might need to first.

You can check identity at any point in your service - not just when the user applies

You can do identity checks at any point in your service - when users first apply, after they鈥檝e applied or at the end of a user鈥檚 interaction with you.

When you should check depends on what your service does and how much risk you are willing to accept.

For example, if your service needs to pay money to a user, you need to be sure the money will go to the right account before you make the payment. You could check the user鈥檚 identity and match their details with the details of the person the bank account is registered to.

You might not need to check a user鈥檚 identity before they use your service, but might need to eventually know they are who they say they are. You can build up confidence in a user鈥檚 identity over time at the different points that they naturally interact with your service.

Levels of assurance

Some products and services will check identities to a certain level of assurance (LOA).

Although different identity checking products and services describe their LOAs in different ways, the LOA will usually depend on:

• how much confidence the product or service has in the identity of its users (which depends on how it asks users to prove their identities)
• the quality of the authenticator that users need to sign in

You must choose an LOA that鈥檚 right for your service.

Different parts of your service might need a different LOA. For example, a service might need to be less confident that a user is who they say they are when they create an account, but more confident when that user decides they want to apply for something.

In this case, the service could use a lower LOA during the registration process, and increase it when the user starts their application.