Understand the different levels of assurance

GOV.UK Verify is designed to protect services and users from online identity fraud. It provides 2 different levels of assurance (LOAs) - LOA1 and LOA2. The higher the LOA, the more confident you can be that your users are who they say they are.

When you understand the different LOAs, you should do a risk assessment and discuss the results with the GOV.UK Verify team - they will help you choose the right LOA for your service

LOA1 is the lowest level of assurance offered by GOV.UK Verify. It is usually appropriate if you assess that your service’s risk of identity fraud is low.

If your assessment indicates your service faces a high risk of identity fraud (for instance, because it offers something of high value such as money or a licence), you might want to use LOA2.

If you think your users face a high risk of harm if your service is affected by online identity fraud, email idasupport@digital.cabinet-office.gov.uk to discuss:

  • LOA3 – appropriate when a user could face serious consequences from someone else using their identity, such as physical harm or financial ruin
  • LOA4 – appropriate when a user’s life could be threatened by someone else using their identity

LOA1

LOA1 checks the user’s identity against one or more pieces of identity evidence. This often includes asking questions that only the person the user is claiming to be would know the answer to.

LOA1 is suitable for most services that:

  • do not give users money or benefits
  • do not provide access to sensitive information, such as a user’s criminal records

Example

The Driver and Vehicle Licensing Agency (DVLA) uses LOA1 in their view driving licence information service. This is because the service lets users see information that is not sensitive, and faces a low risk of identity fraud.

If a user impersonated someone else to use this service, it is unlikely they would be able to use this information to do any harm to that person.

LOA1 and your users

If your service uses LOA1, it will take users:

  • about 5 minutes to create an account with an identity provider (also called a ‘certified company’) – they only need to do this once
  • less than a minute to sign in to your service after they’ve created an account

To create an account, they might be asked:

  • a series of questions that only they know the answer to, like how much their monthly mortgage payments are or when they last took out a mobile phone contract
  • to sign in to their online bank account
  • to take a photo of themselves and an identity document, such as a driving licence

LOA2

LOA2 offers a higher level of confidence about your users’ identities. It uses multiple pieces of identity evidence, as well as the user’s financial or other history, to check their identity.

LOA2 might be suitable for your service if it:

  • gives users money or benefits
  • lets users update information about themselves or access sensitive information, such as criminal records

Example

The Department for Business, Energy and Industrial Strategy (BEIS) uses LOA2 in their claim for redundancy and monies owed service. This is because it could face a high risk of identity fraud.

If a user impersonated someone else to use this service, they could get money they’re not entitled to. This could also stop the real user from being paid money they’re owed.

LOA2 and your users

If your service uses LOA2, it will take users:

  • about 10 to 15 minutes to create an account with an identity provider – they only need to do this once
  • less than a minute to sign in to your service after they’ve created an account

They’ll usually need at least 2 pieces of identity evidence to create an account. These might include:

  • one or more identity documents such as a passport, birth certificate or driving licence
  • one or more accounts in their name, such as a bank account, mobile phone contract or mortgage contract

Email idasupport@digital.cabinet-office.gov.uk if you need help choosing the right level of assurance for your service.

Return to overview