The Government has just announced that its digital identity checks for Companies House will go live on 18 November, affecting up to 7 million people over the next year. But while the aim is to improve transparency and tackle fraud, the system behind it is raising security concerns.
The rollout depends on ‘GOV.UK One Login’, a system that one commentator argues is still not fully compliant with the government’s own cyber security standards. It has yet to implement Secure by Design principles, and recent assessments revealed risks including overseas admin access, insecure logins to live environments, and over half a million unresolved vulnerabilities.
Sensitive identity data will soon be flowing through a system that lacks rigorous security measures, according to Michael Perez, Director at Ekco, who said: “Mandatory identity verification aims to address important challenges, reducing fraud, strengthening trust, and managing digital complexity. However, the current implementation raises valid concerns. One Login, the central system in this rollout, has yet to fully meet the government’s own cybersecurity standards.
“Requesting millions of individuals to submit sensitive identity documents via a platform that hasn’t fully adopted Secure by Design principles introduces significant risk. It concentrates vulnerability and could expose users to breaches at a time when public confidence in digital systems is already under pressure.
“While the ambition behind One Login is commendable, robust protections must underpin any system handling identity data. At present, the platform is asking individuals and businesses to share critical information without the necessary safeguards in place, setting a concerning precedent.
“What’s needed now is greater assurance. The public deserves systems that are thoroughly tested and secure by design. Without that, expanding One Login’s use risks eroding trust not only in this platform, but in the broader vision for digital government.”