Choose the level of authentication for your service
You’ll need to choose the level of authentication your service will require your users to have. You can find help on selecting an appropriate level of protection in the guidance on using authenticators to protect an online service, also known as ‘GPG 44’.
GOV.UK One Login uses ‘Vectors of Trust’. Your service can use these Vectors of Trust to request the right level of authentication for your users to gain access to your service. You’ll include your vector in the query string as part of the authorisation request you make when you integrate with Authorization Code Flow.
GOV.UK One Login currently supports the following authentication levels, also known as ‘levels of protection’ in GPG 44.
|Levels of protection||Vector value||Description of the levels of protection|
|Low level of protection||
||This vector requires your users to have a username and password combination.
You should only use this option if your service does not hold personal information about your users, for example if your service is about booking in an MOT.
All services use
If you request
|Medium level of protection||
||This vector requires your users to have a username and password combination, as well as using two-factor authentication (2FA). GOV.UK One Login currently supports 2FA either through a one-time password sent through SMS, or an authenticator app.
All services use
If you need to request identity attributes, you must request
You’ll include your level of authentication in your authorisation request.
Once you have chosen your level of authentication, you’ll need to choose the level of identity confidence if your service needs identity assurance.
If your service does not need identity assurance, you can move on to generate a key pair.