External security tests on the government’s digital identity system, Gov.uk One Login, have revealed serious vulnerabilities. In March, a red teaming exercise by Cyberis showed that privileged access to One Login could be compromised without detection by existing security tools.
Red teaming simulates cyberattack tactics to assess how well a system can detect and respond to breaches. The Department for Science, Innovation and Technology (DSIT) has asked Computer Weekly to withhold details while the Government Digital Service (GDS) works on fixes.
This kind of vulnerability risks exposing personal data and software code to cybercriminals. A government spokesperson stated that red teaming is part of routine security practices, stressing that they address issues promptly when found.
Concerns over One Login’s security have grown, especially since six million people rely on it to access over 50 government services. Recent reports revealed that the Cabinet Office and the National Cyber Security Centre (NCSC) had warned GDS about significant data protection failings as far back as November 2022 and September 2023.
GDS dismissed these concerns as outdated, claiming they stemmed from the system’s early days. They stated that multiple independent assessments show progress in addressing previous issues.
Security concerns about One Login surfaced back in July 2022 from a whistleblower, highlighting risks tied to system administration conducted from non-compliant devices. The NCSC recommends using dedicated devices, known as privileged access workstations (PAWs), for managing key government services. The whistleblower flagged a lack of PAWs as a serious risk.
Despite improvements, One Login still doesn’t fully meet NCSC guidelines, complying with only 21 of the 39 necessary outcomes—a leap from just five last year. The development team also struggles to implement the government’s Secure by Design practices despite claims of compliance.
Recently, One Login lost certification against the government’s own trust framework after a key supplier let it lapse, removing it from the official accreditation scheme. DSIT’s Peter Kyle recently emphasized the future role of One Login in the upcoming Gov.uk Wallet, which will deliver digital versions of crucial documents like driving licenses.
Kyle highlighted the urgent need for safe and secure digital identity services. A government spokesperson reiterated that One Login adheres to the highest security standards, including around-the-clock monitoring and incident response.
Parliament has raised questions about One Login’s security. Liberal Democrat peer Tim Clement-Jones and Conservative peer Simone Finn have sought reassurances from DSIT. Finn inquired about the likelihood and impact of insider threats, while DSIT minister Maggie Jones stated that the One Login team collaborates closely with the NCSC to mitigate these risks.
Clement-Jones pressed for steps being taken to address ongoing security issues. Jones assured that One Login employs layered security controls and adheres to best practices to protect sensitive data.
Clement-Jones expressed concern, questioning how such a critical system could fall short of standards, especially with its role in immigration controls.
