Under plans confirmed by Prime Minister Sir Keir Starmer, the digital ID will be available to all UK citizens and legal residents, but will only be mandatory for employment.
The scheme will be built around two core systems – Gov.uk One Login and Gov.uk Wallet – designed to give users a single sign-in for public services and, eventually, a digital identity stored on their smartphones.
Sir Keir said the system “will have security at its core”, but full details have yet to be announced.
One Login already has more than 12 million registered users and is expected to reach 20 million by next year, when new rules will require anyone registering as a company director to verify their identity through the platform.
The Gov.uk Wallet has not yet launched, but will hold verified personal details including name, nationality, residence status and a photograph.
The government insists data accessed through One Login will remain within individual departments rather than a centralised database, to reduce the risk of breaches.
However, Conservative MP David Davis has warned that flaws in the system’s design could make it vulnerable to cyberattacks.
Speaking in a Westminster Hall debate, he said: “What will happen when this system comes into effect is that the entire population’s entire data will be open to malevolent actors – foreign nations, ransomware criminals, malevolent hackers and even their own personal or political enemies. As a result, this will be worse than the Horizon (Post Office) scandal.”
David has written to the National Audit Office calling for an “urgent” investigation into the cost of One Login, which he says will exceed the £305 million already allocated.
In his letter, he cited a 2022 incident where contractors in Romania working on One Login were found to be using unsecured workstations without the required security clearance.
Separately, Liberal Democrat technology spokesman Lord Clement-Jones has questioned whether One Login meets National Cyber Security Centre standards.
He told the BBC he had spoken to a whistleblower who claimed the government had missed its 2025 target for hardening critical systems against cyberattacks, and that One Login would not pass the required security tests until March 2026.
The whistleblower also alleged a “red team” test in March this year successfully gained privileged access to One Login systems.
The Department for Science, Innovation and Technology denied this, saying: “Claims that its systems were penetrated without detection are false.”
It added only a “handful of people” in Romania were involved, none of whom had access to production systems, and that “all code was checked.”
DSIT said all staff working on the project use “corporately managed” devices monitored by security teams, and that One Login undergoes regular independent reviews.
A department spokesperson said: “Gov.uk One Login continues to deliver for citizens across the UK. One Login follows the highest security standards used across government and the private sector and is fully compliant with UK data protection and privacy laws.”
Sir Keir has transferred overall control of the digital ID programme to the Cabinet Office, while the Government Digital Service will retain design responsibilities.
