Skip to main content

Choose the level of authentication for your service

You’ll need to choose the level of authentication your service will require your users to have. You can find help on selecting an appropriate level of protection in the guidance on using authenticators to protect an online service, also known as ‘GPG 44’.

GOV.UK Sign In uses ‘Vectors of Trust’. Your service can use these Vectors of Trust to request the right level of authentication for your users to gain access to your service. You’ll include your vector in the query string as part of the authorisation request you make when you integrate with Authorization Code Flow.

GOV.UK Sign In currently supports the following authentication levels, also known as ‘levels of protection’ in GPG 44.

Levels of protection Vector value Description of the levels of protection
Low level of protection Cl (credential low) This vector requires your users to have a username and password combination.
You should only use this option if your service does not hold personal information about your users, for example if your service is about booking in an MOT.
All services use Cm as the authentication level by default, unless you change your authentication level to Cl.
Medium level of protection Cm (credential medium) This vector requires your users to have a username and password combination, as well as using 2FA (this will be a one-time password sent through SMS). Additional 2FA methods will be available in the future.
All services use Cm as the authentication level by default, unless you change your authentication level to Cl.

Once you have chosen your level of authentication, you’ll need to choose the level of identity confidence if your service needs identity assurance.

If your service does not need identity assurance, you can move on to generate a key pair.

This page was last reviewed on 13 June 2022.