Authentication and Credentials for use with HMG Online Services (Good Practice Guide No. 44) (Issue 2)

Status: Retired
Published: 01/01/2014
Security level: Official
Amended / Internally developed: No
Target Audience: Technical / General
Authoring body: CESG National Technical Authority for Information Assurance
Grading: no grading applied
Guidance
Abstract

This document was retired in July 2021.

This document is good practice guidance for Her Majesty’s Government (HMG) public service providers, describing how types of credentials support user authentication to HMG online services.

HMG online public services can be a major target for many threat sources and as such may carry a significant level of risk. As a result, public service providers must be aware of the credential choices for the authentication levels that relate to HMG online services. There are three high-level authentication levels:

  1. Authentication demonstrates that the authentication requestor possesses the credential for a legitimate account.

  2. Authentication provides confidence that the credential is being used by, or with the explicit consent of, a legitimate account holder and might support civil proceedings.

  3. Authentication provides confidence that the credential is being used by, or with the explicit consent of, a legitimate account holder and might support criminal proceedings.

The level of assurance assigned to an authentication credential incorporates many factors and is considered against the threat levels associated with the Government service provider.

Some of the factors considered are the type of credential required, the ongoing management of the credential by the Identity Provider (IDP), the quality and extent of monitoring and reactions by the IDP, the Information Assurance (IA) maturity of the authentication provider and much more.

The CESG Information Assurance Standards and Guidance welcomes feedback. To leave feedback or a review, please email enquiries@cesg.gsi.gov.uk

 

Category: Security