Identity providers must perform a range of checks when verifying a user’s identity. The extent of these checks is determined by the level of assurance (eg LoA2, LoA3) required by the service the user wants to access. You can read more about the different levels of assurance in Good Practice Guide No. 45 (GPG 45).
The service currently provides LoA2 only.
The following checks must take place for LoA2 and LoA3 identities:
- at the point the user registers with the identity provider
- at points after the user has registered
- every time the user signs into a service with the identity provider to access a government service
The diagrams below summarise the requirements identity providers must meet. You can find more detailed information in GPG 45.
Registration checks
To register with an identity provider a user must provide their name, gender, address and date of birth. They may need to provide historical names and addresses if their details have changed recently.
The user will then need to provide the identity provider with at least 2 pieces of evidence that demonstrate they are the person they say they are, eg driving licence, bank account details. This evidence may be provided electronically or physically, and more evidence may be needed depending on the:
- level of assurance the service requires
- type of evidence the user is able to provide
- solution the identity provider implements (providers can take different approaches as long as they meet the required standards)
The identity provider will then perform the following checks (in no specified order) for LoA2 and LoA3, to determine whether the evidence provided appears to be real and relates to the user.
Classification of evidence
The evidence a user provides is scored on the strength of its identity properties (see Chapter 6 of GPG 45 for more information). It is also classified into 1 of the following categories:
- Citizen
- Money
- Living
For each level of assurance there are different permissible combinations of categories and scores. These are shown in the table above (LoA2) and below (LoA3).
Annex A of GPG 45 provides more information about the classifications.
Checks at points after registration
Identity providers must perform further checks for LoA2 and LoA3 identities after the user has registered for the service.
Checks every time a user signs into a service
The identity provider must perform all of the following checks (in no specified order) for LoA2 and LoA3 every time a user signs into the service. The set period for each check is defined by the level of assurance the service requires.
