Reply to: GOV UK One Login

I agree. The level of fraud committed on Covid loans was unreal. I never got one myself (for my company, I mean), but I don't know why I didn't I think the money was even interest free ? But the fruadulent loans add up in the billions that will never be recovered and is a real liability on the tax payer.

But FFS, with a system like this, do it properly, and pay a good team of British engineers to do a high quality job and put the thing through extensive QA before unleashing it. We can't have digitial ID as critical national infrastructure AND do it on the cheap.

And why re-invent the wheel, we already have PKI used in things like Law society cards. With a system like that, the card holder holds the private keys, not some central database. They way this is done, is just stupid, and its going to blow up horribly, I guarantee it.

I'm glad you got it sorted. I think this could also be an issue for anyone who changes their name after registering the company (e.g. if they get married).

I posted somewhere up there ^^ about problems getting my code, it's sorted now and so this is a belated follow-up.

TLDR: it was my error (probably), jump to Tips below.

In brief:

3 trips to 2 different post offices, with 2 types of ID.

After the PO visit you get a confirmation email but THIS MEANS NOTHING.

Neither OneLogin nor CH will notify of failed checks, LET ALONE WHY. <- THIS IS THE MOST INFURIATING PART.

Emails to CH either unanswered, or failed to answer the actual query.

Phone call to OneLogin support - friendly, empathetic, and quite literally said "You're wasting your time".

CH threatening "enforcement action".

The app works only with the latest tech and with the planets aligned.

ACSP accountant unable to help.

My error:

It finally dawned on me that my details at CH lack my middle names (which I never use) and while that may have been a conscious decision when registering the company all those years ago, the fact is long since forgotten. My passport and DL however do have my full name.

I can't say for sure this was the reason, BECAUSE THEY REFUSE TO SAY!, but it seems likely.

So I updated my details at CH. Created a new OneLogin account, also a new CH account, made a 3rd visit to a (different) post office. Got the same confirmation email. Logged in and hallelujah the code is there.

Observations:

OneLogin may work well for some situations, but it's a misfit for CH's use-case.

My new CH account wasn't yet linked to my company when it succeeded, so I suppose it must search against _all_ directors of _all_ companies.

Seems that if there's no match to a known individual at CH, despite the ID check itself matching a real individual, THE RESULT DISAPPEARS INTO A VIRTUAL VOID.

The inability of the system to report a failed ID check appears to be baked into its design.

Two failed checks with the app and it bans you.

Well, it doesn't actually say "banned", just all further attempts fail without reason.

That's not just the App, you can't even then go the Post Office route.

Fortunately, it's possible to delete your OneLogin account and start again, or create multiple "OneLogin" accounts!!

Even if you're lucky enough to be verified by the system using data it holds already, it still requires that you copy and paste the magic personal code from one page to another.

Your personal code is supposed to be secret but if your company has multiple directors, only one person can do the submission and so will need the codes of the others.

There's no obvious way to revoke a compromised code.

The "App":

What almost 'worked' for me was starting on desk PC browser and transitioning to the mobile app when directed, but only after several attempts and re-installing the app, clearing cache, etc. But it was still to no avail.

The app also has a section for uploading ID documents that is a complete red-herring.

With the app it's trivial to fake the photo ID requirement. Useful if your device camera isn't quite the best.

Passport ID requires the mobile device (and passport) to support NFC.

ACSPs:

There's an official list. Not everyone wants to join, but it seems eventually all accountants will have to as it becomes a requirement for other types of filing.

In-person checks by an ACSP are in theory possible. The procedures allow the human in the loop some leeway to make pragmatic decisions, but - it seems that no accountant will ever offer in-person checks as it stands due to the liability and HO compliance requirements.

This means a new industry selling 'solutions' much like the parasites industry we have around IR35.

I contacted a handful of accountants on the ACSP list, about half replied, and only one offered to help, albeit for a very reasonable fee.

But... their 3rd-party service was a total fail on every device that I tried, either crashing, landing on a blank page, or stuck in endless loop. Well, it did at least allow to upload ID directly from a PC browser, something not possible with OneLogin.

The service involved two entities other than the accountant, BrightChecks and Credas, and I never worked out who was reselling who.

Tips:

Don't leave it until the CS is due. Do it now. You can apparently submit early without paying the fee.

Check carefully that your selected ID details match PRECISELY the details that CH have for you as director.

For the Post Office route: don't rely on the confirmation email. I did the check well ahead of time (months) and thought all was good then hit a brick wall when the time came to submit CS.

For the app: preferably use a high end device with decent camera (capable of close-ups of photo ID) and NFC reader. It may work better on iPhone - I didn't try. The Play Store reviews have tips to make it work on Android (something to do with Chrome). You'll also need appropriate lighting and background for the photo. And remember, two failed attempts and you're locked out.

For the ACSP route: try to reach agreement that fees only due on successful verification. If you're wondering who on the list might be nearest, I managed to do that by spreadsheet- about the only thing useful to come out of this - happy to share.

Special mentions:

CH are ***ing useless.

Seriously, these checks are well overdue imho. But CH have thrown this together with no regard.

When asking for help they just forward it to OneLogin, promise a response in 5 days and then fail to keep to this. On chasing, same again forward to OneLogin and promise 5 days.

The belated response from OneLogin is Computer Says No. CH kindly forward this back, adding (paraphrased): oh, and it's your legal responsibility to meet our new requirement and we'll take action if you fail to comply. <- afaiac *that* is harassment.

Computer Weekly had several articles on OneLogin security (or lack of), also picked up by other sources - linked to in an earlier post though I can't find it now.

Looking forward to the next hike in CH fees to cover this their mess.

And they put the confirmation statement filing cost up to £50 from £34, presumably to pay for this crap system.

Did it all through the app with my passport.

Part of the reason this was more hassle than IDing throught the post office is that I don't keep my passport in my office and my office is right next to post office. So getting the PDF letter and taking that to the post office involved about 20 less screens than the app route took. Oh well.

Done it now, confirmation statement completed in the nick of time.

You can't trust them, but you also can't fight them. As others noted, if you want to run a UK company, expect to deal with useless gov't admin and associated risks.

My main aversion to these things is that they are generally a hassle, lots of steps and pictures and to and fro from websites. Maybe this one is not so bad.

But my other objection is the way we getting ID cards through the backdoor with this - its the same system, but being forced on us, without the political debate. Because the last time there was NO2ID and that did not go well for the last Labour government.

My view is that if they can't even make a half decent website, how the hell can we trust them to run a secure digital ID over the entire population, and not screw up with some massive identity theft catastrophe.

If it worked, you would've found it in your CH account (now GOV.UK One login) under Manage Account > Identify Verification.

You only need that code for specific activities, notably to file your annual confirmation statement (which connects you as a director) and, separately, to verify you as a PSC of your company.

As with all gov't services, I will say that their front end is utterly hopeless, a quagmire of inconsistency and confusion, designed by absolute no-hopers, but I did personally manage to complete the above activities without issues. But then I don't have a particular aversion to using apps or phones or the interweb or the internal combustion engine.

Hmm. Well I think basically my ID verification at the Post Office must have not worked, they just failed to make that clear.

Stupid app and passport must be the only way to do it.

I do seem to be Ided in the sense that I can get to my Companies House account through the One Login, just no 11 digit code ?? I really do not understand.

Does anyone know how to get some actual help with this ? You know from a human being. Maybe even an AIchatbot might know !

What can we do... write to our MPs ? I think mine only cares about gender identity issues.

Oh... 500 Internal Server Error

I verified my ID through the post office with my driving licence. I honestly don't know if it worked or not, the response email and link it took me to initially said some kind of error, that later cleared up, but really left me none the wiser.

Could my 11 digit code be missing becauase I am not actually IDed yet, even though I do have the Gov One Login bollocks actually logging in ?

You’ll need to enter the Companies House personal code and confirm the identity verification statement for each director.

Where to find the Companies House personal code▼

This is an 11 character code that is given to a person once they have verified their identity.

They can find their code in the ‘Manage account’ section of their Companies House account (opens in a new tab). They’ll need to sign in using the same email address they used when they verified their identity.


Ok, so...

Opens Companies House acccount, go to Manage account section, and the 11 character code is where exactly ???

This just makes me want to cry.

Old Gov Gateway was a doddle compared to this. I don't remember it being hard at all, applied for an ID, letter came in the post, set up account and password and 2FA. Been using it for over a decade, no particular issues.

I think this new system was farmed out to some offshore developers on the cheap. Its so bad. All this ping ponging around between companies house, gov uk one login system, it sort of makes my head spin. Then the companies house one has a box, search for company: , enter company number hit return - You Are Now Logged Out.

Steaming pile of crap. We used to do good quality work in this country.