AffixIO for UK government and regulated public servicesAll departments
UK digital ID rollout

How does UK digital ID work after GOV.UK One Login?

Live programme context for GOV.UK One Login, eVisa, and the UK digital verification services trust framework. Where authentication ends, AffixIO delivers eligibility verification without storing citizen data.

Short answer: One Login and certified identity handle authentication; programmes still need eligibility answers (benefits, work, rent, tax). AffixIO delivers signed yes/no outcomes without AffixIO holding a standing citizen database.

Contact the teamEligibility API

Stateless verification · No standing PII store · ML-DSA ready

UK digital ID

UK digital identity rollout: authentication is live, eligibility is the bottleneck

Search interest in GOV.UK One Login, eVisa, right to work checks, and the UK digital identity and attributes trust framework reflects a national push toward reusable digital identity. Citizens get a smoother sign-in. Programme teams still stall on the next question: is this person allowed to do this specific thing right now? That is where eligibility verification and stateless infrastructure matter, and where AffixIO is built to help.

StatelessNo PII vault
Yes / NoBinary API
ML-DSAPQ-ready proofs
OfflineField + employer

This page covers live programme facts, keywords your architects search for (DVS, KBV, UKVI, Government Gateway migration), and how AffixIO completes the stack after identity proofing without another central citizen database.

GOV.UK One LoginUK digital identitydigital identity verificationeVisaright to workright to renteligibility verification APIdigital verification servicesstateless verificationverifiable credentials

Programme snapshot

What is live in the UK digital identity programme

The UK is in active rollout, not planning mode. GOV.UK One Login, eVisa, and the statutory trust framework are moving together. The numbers below are drawn from public government announcements and reporting; always confirm against current GDS and departmental pages before procurement decisions.

16.6m+One Login users reported early 2026
122+Services on One Login (Jan 2026)
220+Services accessible via the programme
Feb 2026HMRC new customers on One Login

GOV.UK One Login

  • Rapid service adoption: from a handful of services in early 2024 to 122 government services reported by January 2026
  • HMRC began registering new customers through One Login from 9 February 2026; existing Government Gateway users migrate on a later timetable
  • GDS and DWP expanded online identity proofing with knowledge based verification (KBV) from mid-February 2026, using DWP-held facts where photo ID routes fail
  • Passkeys and step-up authentication reduce friction for returning users

GOV.UK One LoginGovernment Gateway migrationidentity proofingknowledge based verification

eVisa and digital status

  • Biometric residence permits (BRPs) and many physical documents are being replaced by eVisa records linked to a UKVI account
  • From 15 July 2025, many work and study route applicants receive eVisa only (no visa vignette)
  • From 25 February 2026, most successful visit and other visa grants move to eVisa-only
  • Employer right to work guidance was updated 26 June 2025; expired BRPs are not acceptable proof
  • Citizens share status with employers and landlords via UKVI share codes and digital checks

eVisaright to work checkright to rentUKVI share codedigital verification services

Trust framework and regulation

  • UK digital identity and attributes trust framework (gamma, version 0.4) is the statutory framework under the Data (Use and Access) Act 2025
  • Certification for digital verification services could begin from 1 July 2025 under published framework timelines
  • UK digital verification services trust framework version 1.0 entered pre-release in March 2026, aligning naming with legislation
  • The Office for Digital Identities and Attributes (OfDIA) oversees certification and the digital verification services register

DIATFdigital verification servicesOfDIAconformity assessment

Why eligibility still breaks without a new layer

  • One Login answers who signed in and how identity was proofed
  • Services still ask: entitled to benefit, allowed to work, licensed to drive, in tax bracket, clinically covered?
  • Each question hits a different registry with different legal basis
  • Copying registry answers into app databases creates the next national-scale data risk

eligibility verificationstateless verificationbinary yes no API

Sources include GOV.UK One Login service list, GDS blog posts on HMRC and DWP identity proofing, Home Office eVisa policy updates, and trust framework publications on GOV.UK.

The gap

Problems rolling out digital ID today (and how AffixIO helps)

Programme teams report the same blockers once One Login or eVisa goes live: authentication succeeds, then the service still fails on entitlement logic, data sharing, or audit. AffixIO targets that gap specifically.

  • Post-login entitlement cliff

    User passes identity proofing but the service cannot decide benefit, tax, or immigration permission in real time. AffixIO returns a single yes or no with proof against authorised registries.

  • Registry sprawl after sign-in

    Each team wires DWP, HMRC, Home Office, or internal SQL separately. AffixIO offers one eligibility verification API contract and consistent audit metadata.

  • Over-sharing attributes

    Digital verification services and legacy integrations pass more personal data than the transaction needs. AffixIO minimises disclosure: decision plus proof, not registry exports.

  • Right to work and rent at scale

    Employers and lettings platforms need fast answers as eVisa replaces BRPs. AffixIO supports binary outcomes suitable for HR and compliance logs, including offline validation at site.

  • HMRC and DWP migration risk

    As Government Gateway and legacy logins retire, downstream rules must still run on day one. AffixIO decouples eligibility from which sign-in method was used.

  • KBV and document-light cohorts

    Knowledge based verification improves sign-in success, but does not replace benefit or entitlement rules. AffixIO handles the next question after KBV or document proofing.

  • DVS and wallet fragmentation

    Certified digital verification services and future wallets multiply formats. AffixIO normalises to one service-specific decision so relying parties avoid N separate attribute parsers.

  • Audit and fraud under pressure

    Inspectors want proof a decision was correct at the time, not a copy of the citizen record. AffixIO provides signed, pseudonymised decision artefacts (ML-DSA ready) without retaining request payloads.

Landscape

What digital identity rollout changes (and what it leaves open)

For citizens

  • One account for many government services instead of dozens of logins
  • Digital immigration status (eVisa) instead of carrying expired biometric cards
  • Share codes for employers and landlords to verify permission online
  • Alternative identity proofing (including KBV) when photo ID routes fail

For programme and delivery teams

  • Less bespoke login engineering; more focus on rules and registry integration
  • Pressure to meet Service Standard, DPIA, and trust framework certification timelines
  • Demand for digital verification services that minimise attribute sharing
  • Need for audit-grade proof when disputes and fraud investigations arrive

AffixIO position: We do not compete with One Login or certified identity providers. We provide post-authentication eligibility verification: registry-backed yes or no decisions with cryptographic proof, zero standing PII at the verifier, and an eligibility verification API your teams can ship behind benefits, tax, immigration, and licensing journeys.

GOV.UK One Login

GOV.UK One Login and Government Gateway migration

GOV.UK One Login is the cross-government digital identity sign-in programme led by Government Digital Service. It provides identity proofing appropriate to service risk, session management, and growing support for passkeys. HMRC's 2026 onboarding of new customers is a visible milestone; DWP collaboration on knowledge based verification shows how departments feed facts into proofing without replacing entitlement engines.

What One Login delivers

  • Authenticated subject reference for your application
  • Evidence that identity proofing met your declared level
  • Fraud and session telemetry for security operations
  • A path off legacy Government Gateway credentials over time

What services still need after One Login

  • Universal Credit and benefits eligibility (DWP rules, not login status)
  • Tax agent authority and bracket checks (HMRC systems)
  • Right to work and right to rent (Home Office immigration permission)
  • NHS treatment and exemption entitlement
  • DVLA licence and vehicle validity for enforcement and hire

AffixIO is the thin layer that answers those questions in milliseconds to low hundreds of milliseconds, with proofs your auditors can use.

Trust framework

UK digital identity and attributes trust framework (DIATF) and digital verification services

The UK digital identity and attributes trust framework sets privacy, transparency, inclusivity, interoperability, and proportionality expectations for participants. Statutory gamma (0.4) and the emerging UK digital verification services trust framework 1.0 define how organisations become certified digital verification services on the OfDIA register.

Certified identity services prove who someone is. AffixIO proves whether a defined action is allowed under departmental policy, using authoritative data you already trust. Together they support lawful, minimal disclosure: identity attributes where needed, eligibility decisions everywhere else.

Architecture

Digital identity verification vs eligibility verification

Confusing digital identity verification with eligibility verification is the most expensive mistake in current rollout programmes. Identity establishes presence and proofing level. Eligibility establishes permission.

Identity (One Login, DVS, eVisa share)Who is this? How was identity established? What immigration status is displayed?
AffixIO eligibility layerGiven subject + policy: allowed yes or no, signed proof, no PII retention at verifier.
Your serviceCase management, payment, hire, or clinical workflow proceeds on decision + audit log.
Your service AffixIO verify YES / NO + proof
Request in, signed eligibility outcome out. No standing copy of personal data at the verifier.
Citizen journey

End-to-end: sign-in, eligibility, outcome

  1. Citizen reaches your service from GOV.UK or a partner link.
  2. They sign in with GOV.UK One Login (or legacy login during migration).
  3. Your backend calls AffixIO with subject reference, policy ID, and action context.
  4. AffixIO queries DWP, HMRC, Home Office, DVLA, or your registers as authorised.
  5. UI shows allow or deny; audit stores AffixIO proof metadata only.
Relying parties

Who needs eligibility after digital ID

  • Central government

    Benefits, tax, immigration, motoring: One Login gets you in; AffixIO decides the transaction.

  • HMRC migration programmes

    New One Login users still need tax and agent rules on day one.

  • Employers and HR tech

    Right to work after eVisa: binary permitted to work, audit-friendly logs.

  • Letting agents and landlords

    Right to rent without immigration case files in property software.

  • Banks and age-restricted platforms

    Age assurance and fraud signals with minimal attributes.

  • Local authorities

    Housing and council tax support tied to DWP and registry signals.

  • Digital verification services

    Certified identity plus downstream eligibility on one integration plan.

eVisa

eVisa, UKVI share codes, and right to work

The Home Office has moved millions of holders from biometric residence permits to eVisa records. Employers must adapt right to work checks to digital methods. Landlords perform analogous right to rent checks. Share codes prove status once; hiring and letting workflows still benefit from a fast allow or deny at the moment of contract.

AffixIO helps HR and compliance platforms integrate without becoming immigration data warehouses. Offline verification supports sites with poor connectivity.

Further detail: Home Office verification page.

Wallets and VC

Verifiable credentials and the wallet roadmap

UK programmes are exploring mobile wallets and verifiable credentials for age and status. Without a normalising eligibility layer, every wallet format becomes a new integration. AffixIO returns the same yes or no contract regardless of how identity was presented.

How it works

From request to verified outcome

The same three-step model used across AffixIO applies here: describe the decision, evaluate against sources you control, return yes or no with proof.

Step 1

Define the decision

Your service sends who is asking, what they need, which policy version applies, and channel context. The format is the same for live API calls and offline packets.

Step 2

Evaluate against authority

Checks run against registries and rules you authorise. Sensitive fields stay in systems you already operate wherever the design allows.

Step 3

Return yes or no with proof

The response is explicit, signed where required, and suitable for audit or partner handoff. AffixIO does not retain the request after the decision.

Architecture

Where AffixIO sits in your stack

A thin stateless layer between citizen channels and core departmental systems. It answers eligibility questions; it does not replace case management, payments, or identity providers.

Your channelsGOV.UK services, contact centres, field applications, partner APIs, and automated agents.
AffixIOStateless verification via API and SDK. Binary outcomes with cryptographic proof.
Your core systemsDepartmental registries, identity, payments, HR, and case tools you already accredit.

Further reading: technical architecture, what AffixIO is, government data integration.

AffixIO

What AffixIO provides for UK digital ID programmes

Eligibility verification API

One contract for benefit, tax, work, rent, and licence decisions.

Stateless architecture

No central citizen database at the verifier.

Right to work and rent

Binary outcomes for eVisa-era employer and landlord flows.

HMRC and DWP ready

Decoupled from Government Gateway vs One Login.

DVS and wallet agnostic

Same decision semantics after any identity presentation.

ML-DSA proofs

Long-lived audit artefacts for post-quantum planning.

Example response (illustrative)
{
  "eligible": true,
  "proof": "<signed verification artefact>",
  "decision_id": "dec_…",
  "evaluated_at": "2026-05-15T12:00:00Z"
}

OpenAPI documentation: api.affix-io.com. Integrate via REST, webhooks, or SDKs.

Assurance

Security, OFFICIAL, and long-lived proofs

Rollout programmes operate at OFFICIAL for most citizen services. AffixIO supports self-hosted deployment inside your boundary, pseudonymised logging, and HSM-backed signing where required.

Delivery

How programmes land digital ID with eligibility built in

Phase 1

Map sign-in vs decision

Document which facts One Login, eVisa, or DVS already prove versus which need live registry checks (benefits, tax, work permission, clinical entitlement).

Phase 2

Pilot one high-risk journey

Example: right to work after eVisa, or benefit gateway after KBV rollout. Integrate AffixIO behind a single policy and measure latency, contact centre deflection, and DPIA outcomes.

Phase 3

Scale across channels

Reuse the same eligibility contract for web, contact centre tools, and batch jobs. Add offline proofs for field and employer site checks.

Phase 4

Harden for decades

Plan ML-DSA signing, HSM ceremonies, and trust framework 1.0 uplift without rewriting business rules.

Across government

Where digital ID meets departmental services

One Login and digital status reduce duplicate sign-ins, but each department still owns entitlement rules. AffixIO connects rollout programmes to operational systems without merging registries.

DWP

Benefits, Universal Credit, KBV identity data.

DWP page

HMRC

One Login migration, agents, tax status.

HMRC page

Home Office

eVisa, right to work, right to rent.

Home Office page

NHS

Treatment entitlement and workforce checks.

NHS page

DVLA

Licence validity in digital journeys.

DVLA page

Local government

Council services and concessions.

Local government page
Deployment

How teams deploy

Managed API

Connect through your API gateway with TLS, mutual authentication where required, and departmental logging.

Self-hosted

Run inside your accredited boundary when policy requires on-premise or private cloud.

Offline and edge

Validate signed proofs locally where connectivity is limited. See offline verification.

Agentic channels

Machine clients receive the same binary signals as citizen channels. See M2M verification.

Teams migrating to GOV.UK One Login in 2026 typically pilot AffixIO on one eligibility-heavy journey (right to work, benefit gateway, or agent authority) before standardising the pattern programme-wide.

Security

Cryptography and data handling

Built for long-lived programmes that must plan beyond legacy signatures and minimise data held at the verification boundary.

Stateless by design

No long-term store of who asked or the attributes inside a request. Supports proportionate DPIA narratives.

ML-DSA ready

Artefacts can use Module-Lattice-Based Digital Signature Algorithm (ML-DSA), aligned with NIST post-quantum direction, with optional HSM-backed key ceremonies.

Zero-knowledge outcomes

Where policy allows, demonstrate that a rule evaluated to yes without exporting underlying registry content.

Patent pending: AffixIO verification pipeline protected under GB2510622.0 (pending).

Compliance

UK regulatory alignment

  • UK GDPR and Data Protection Act 2018
  • Government Security Classifications (OFFICIAL patterns; higher via your deployment model)
  • NCSC cloud security principles
  • Service Standard compatible citizen journeys
  • Pseudonymised audit metadata for review

See GDPR compliance and privacy policy.

Privacy

DPIA, data minimisation, and trust framework alignment

Digital ID DPIAs must cover identity proofing and downstream decisions. AffixIO supports minimisation narratives: purpose-limited calls, no standing PII vault, signed proofs for accountability. Align with UK GDPR, Data Protection Act 2018, and trust framework proportionality principles.

FAQ

Common questions

How many services use GOV.UK One Login now?
Public reporting in early 2026 referenced on the order of 16.6 million users and more than 122 government services adopting One Login, with over 200 services accessible through the wider programme. Check the GOV.UK services list and GDS updates for the latest count.
What changed for HMRC in February 2026?
HMRC began registering new customers via GOV.UK One Login from 9 February 2026. Existing Government Gateway credentials continue for current users until a later migration phase. Services still need real-time tax and entitlement logic after sign-in.
What is knowledge based verification (KBV) with DWP?
From mid-February 2026, GDS and DWP expanded routes where citizens answer security questions drawn from DWP-held information if they cannot complete photo ID verification. KBV improves identity proofing success; it does not replace benefit entitlement checks.
What is the UK digital identity and attributes trust framework?
It is the UK's ruleset for digital identity and attribute services, now on a statutory footing (gamma 0.4). It defines how certified digital verification services join the ecosystem. Version 1.0 of the UK digital verification services trust framework was in pre-release in March 2026.
How do eVisas affect right to work checks?
Employers must use digital routes: UKVI share codes, approved digital verification services, or other Home Office listed methods. Expired biometric residence permits are not valid proof. AffixIO can return a binary work-permitted outcome without storing immigration case files in HR systems.
Where does AffixIO fit after GOV.UK One Login?
After authentication, your service requests an eligibility decision. AffixIO evaluates your policy against sources you authorise and returns yes or no with proof. No standing citizen database is held at AffixIO.
Can AffixIO work with digital verification services (DVS)?
Yes. Whether the citizen presents a One Login session, a DVS-certified attribute, or a wallet credential, AffixIO can still produce a service-specific eligibility outcome on one API surface.
Does this help Government Gateway migration?
Eligibility logic should not be tied to a login mechanism. AffixIO lets you migrate sign-in to One Login while keeping one stable verification contract for benefit, tax, and permission rules.
Is AffixIO a certified digital verification service?
AffixIO is independent eligibility verification infrastructure. It complements identity proofing and DVS; it does not replace OfDIA-certified identity services. Your architects place it after identity, before business action.
Why mention ML-DSA for government programmes?
Decisions and proofs may be relied on for years in appeals and audits. ML-DSA (Module-Lattice-Based Digital Signature Algorithm) supports post-quantum planning for long-lived government artefacts.
Can employers and landlords integrate without holding immigration data?
Programmes can receive allow or deny with audit metadata, rather than copying full status records into property or HR platforms, when integrated with appropriate lawful basis and Home Office authorised data flows.

Speak with our team

Share your channel mix, assurance constraints, and first use case. We will respond with a practical integration outline.

hello@affix-io.comTechnical architecture

AffixIO is an independent technology provider. References to UK departments and agencies describe integration patterns for eligible programmes; they do not imply endorsement. Operational deployment is subject to your organisation's assurance, procurement, and data-sharing agreements.