Choose the level of authentication for your service
You’ll need to choose the level of authentication your service will require your users to have. You can find help on selecting an appropriate level of protection in the guidance on using authenticators to protect an online service, also known as ‘GPG 44’.
GOV.UK One Login uses ‘Vectors of Trust’. Your service can use these Vectors of Trust to request the right level of authentication for your users to gain access to your service. You’ll include your vector in the query string as part of the request you make when you integrate with Authorization Code Flow.
GOV.UK One Login currently supports the following authentication levels, also known as ‘levels of protection’ in GPG 44.
Levels of protection | Vector value | Description of the levels of protection |
---|---|---|
Low level of protection | Cl (credential low) | This vector requires your users to have a username and password combination. You should only use this option if your service does not hold personal information about your users, for example if your service is about booking in an MOT. All services use Cl.Cm as the authentication level by default, unless you change your authentication level to Cl. If you request Cl, you will not be able to request identity attributes. |
Medium level of protection | Cl.Cm (credential medium) | This vector requires your users to have a username and password combination, as well as using two-factor authentication (2FA). GOV.UK One Login currently supports 2FA either through a one-time password sent through SMS, or an authenticator app. All services use Cl.Cm as the authentication level by default, unless you change your authentication level to Cl. If you need to request identity attributes, you must request Cl.Cm. |
You’ll include your level of authentication in your request to the /authorize endpoint.
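The sketch below is an added example, not GOV.UK One Login's own code. It builds the query string for the /authorize request and enforces the rules from the table before anything is sent. It assumes the vector travels in a `vtr` parameter as a JSON array; the endpoint host, `client_id` and `redirect_uri` values are placeholders, and `wants_identity_attributes` is a hypothetical flag for this example.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Authentication vectors listed in the table above.
SUPPORTED_VECTORS = {"Cl", "Cl.Cm"}
DEFAULT_VECTOR = "Cl.Cm"  # the default for all services unless changed to Cl

# Placeholder host (assumption): use the endpoint for your environment.
AUTHORIZE_ENDPOINT = "https://oidc.example.invalid/authorize"


def build_authorize_url(client_id, redirect_uri, vector=DEFAULT_VECTOR,
                        wants_identity_attributes=False):
    """Return (url, state, nonce) for an Authorization Code Flow request."""
    if vector not in SUPPORTED_VECTORS:
        raise ValueError(f"unsupported authentication vector: {vector!r}")
    # Per the table: Cl cannot request identity attributes, Cl.Cm is required.
    if wants_identity_attributes and vector != "Cl.Cm":
        raise ValueError("identity attributes require the Cl.Cm vector")

    # Fresh, unguessable values: store both server-side against the session
    # and compare them when the user returns to the redirect URI.
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        # Assumed encoding: JSON array of vectors, percent-encoded by urlencode.
        "vtr": json.dumps([vector]),
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def vector_in_url(url):
    """Decode the vtr parameter from a built URL, for tests or audit logging."""
    return json.loads(parse_qs(urlsplit(url).query)["vtr"][0])
```

Rejecting an unsupported or inconsistent vector before redirecting keeps a configuration mistake from silently lowering the protection your service asks for.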
Once you have chosen your level of authentication, you’ll need to choose the level of identity confidence if your service needs identity proving.
If your service does not need identity proving, you can move on to generate a key pair.