    Security tests reveal serious vulnerability in government’s One Login digital ID system


    A ‘red teaming’ exercise to simulate cyber attacks on the government’s flagship digital identity system has found that One Login can be compromised without detection

    By Bryan Glick, Editor in chief

    Published: 16 May 2025 12:37

    External security tests on the government’s flagship digital identity system, Gov.uk One Login, have found serious vulnerabilities in the live service, Computer Weekly has learned.

    A “red teaming” exercise conducted in March by IT security consultancy Cyberis discovered that privileged access to One Login can be compromised without detection by security monitoring tools.

    According to Cyberis, red teaming tests the resilience of systems by simulating the tactics, techniques and procedures of cyber attackers to show how well an organisation can detect and respond to an incident.

    Computer Weekly has been asked by the Department for Science, Innovation and Technology (DSIT) not to reveal further details of the vulnerability while the Government Digital Service (GDS) seeks to fix the problem.

    Compromising the highest levels of access to a system risks exposing personal data and software code to any cyber attackers able to exploit the vulnerability.

    A government spokesperson said: “Delivering best practice, we routinely conduct red teaming exercises to test security infrastructure. Where issues are found, we work urgently to resolve them.”

    The existence of a serious current vulnerability will raise further concerns over the security of One Login, which is intended to be the way that citizens prove their identity and log in to most online government services.

    There are already six million users of the system, and it is used to access more than 50 online services.

    Last month, Computer Weekly revealed that GDS was warned by the Cabinet Office in November 2022 and the National Cyber Security Centre (NCSC) in September 2023 that One Login had “serious data protection failings” and “significant shortcomings” in information security that could increase the risk of data breaches and identity theft.

    GDS said the concerns were “outdated” and arose “when the technology was in its infancy in 2023”, despite One Login being used at that time to support live services. “We have worked to address all these concerns as evidenced by multiple external independent assessments. Any suggestion otherwise is unfounded,” said a spokesperson at the time.

    A whistleblower first raised security concerns about One Login within GDS as long ago as July 2022. The issues identified included system administration being performed through non-compliant devices with a risk of transmitting security vulnerabilities, such as malware or phishing attacks, that could compromise the live system.

    The NCSC recommends that system administration for key government services should be conducted from a dedicated device used only for that purpose, known as a privileged access workstation (PAW), or alternatively to use only “browse down” devices, where the security level of the device is always the same or greater than the system being managed. The whistleblower warned that a lack of PAWs and use of browse-up administration were significant risks.

    Computer Weekly subsequently revealed that the One Login team has yet to fully meet NCSC guidelines – the system only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully followed a year ago.

    The One Login development team is also yet to fully implement the government’s Secure by Design practices, although GDS said the system “meets these principles”.

    Earlier this week, we further revealed that One Login had lost its certification against the government’s own trust framework for digital identity systems, after a key technology supplier allowed its certification to lapse and, as a result, One Login was removed from the official accreditation scheme.

    In a meeting with private sector digital identity providers this week (Wednesday 14 May), DSIT secretary of state Peter Kyle explained how One Login will underpin the forthcoming Gov.uk Wallet, which will be used to deliver digital versions of key government documents, such as driving licences.

    Kyle talked about the “rapid journey” he hopes the government will take in delivering digital identity services for citizens and stressed the importance that such systems are “delivered safely [and] securely”.

    The government spokesperson added: “Gov.uk One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident response. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.”

    Questions are also being asked in Parliament about the security of One Login. In recent weeks, Liberal Democrat peer and digital spokesman Tim Clement-Jones and Conservative peer Simone Finn have separately submitted Parliamentary questions to DSIT asking for reassurances about the system.

    Finn asked whether the government has “quantified the likelihood and potential impact of insider threats, unauthorised privileged access, and production environment compromise within One Login”.

    In response, DSIT minister for the future digital economy and online safety, peer Maggie Jones, said: “The Gov.uk One Login team collaborates closely with the NCSC to assess and mitigate risks associated with insider threats, unauthorised privileged access, and production environment compromise, aligning with the Cyber Assessment Framework outlined in the Government Cyber Security Strategy 2022-2030.

    “While assessments of insider threats have been made, copies of these assessments will not be placed in the Library of the House, as they are part of ongoing security measures and internal governance processes.”

    Clement-Jones asked: “What steps [the government is] taking to address security issues in the One Login digital identification system?”

    Jones replied: “One Login follows the highest security standards for government and private sector services. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.

    “Security best practice is followed with a number of layered security controls which include: Security clearances for staff with ‘Security Check’ clearance required for all developers with production access; identity and access management controls that block staff from viewing or altering personal information; a secure by design and compartmentalised system architecture; technical controls around building and deployments; logging and monitoring to alert on access to environments that contain personally identifiable information; and robust procedures for addressing any unauthorised or unaccounted for access.”

    Speaking to Computer Weekly about the security concerns, Clement-Jones said: “How is the government’s flagship digital identity system failing to meet standards so badly, given that it is expected to shortly form an essential part of our immigration controls? We need answers and quickly.” 
