On 3 March 2026, the UK government published a new standard on “vouching” as evidence of someone’s identity.
It’s a small piece of guidance, but it signals the direction of travel: digital identity is moving towards controlled evidence and controlled reuse, not a single compulsory credential.
Vouching is a familiar idea in everyday life. Someone reputable says, “yes, I know this person”, and you trust them.
The government is trying to make vouching legible and auditable: who can vouch, who can’t, what must be recorded, where it fits in an identity check, and how long the outcome stays valid.
I think it’s a useful moment to step back and look at where the UK is going with digital ID more broadly, and what that direction means for organisations trying to balance risk, inclusion, privacy, and customer experience.
It’s also a good way to explain where our AssureScore indicator fits, because it was built for the same underlying problem: how to apply stronger checks only when they are justified, and keep journeys moving with less friction and less handling of personal data.
What the Vouching Standard Actually Does
It Applies Standards to “Trust Me”
Vouching guidance defines a vouch as a formal declaration from a third party (the voucher) that they know the person (the vouchee) and can confirm they are the claimed identity.
It also draws boundaries that matter in regulated identity work: a vouch is not a character reference, and it’s not a statement about someone’s financial position. It is specifically about identity.
It Applies Guardrails to Vouching
The guidance introduces guardrails that make vouching usable in interactions between organisations and consumers:
The voucher must already know the claimed identity.
The voucher must be in a recognised position of authority and must have proved their own identity to at least a medium level of confidence.
You must not accept a vouch from anyone who is related to the claimed identity, is in a relationship with them, or lives at the same address.
It also makes clear that vouching is not a substitute for every part of an identity check. For example, a vouch cannot be used for certain identity fraud checks.
It Sets a Standard for Outcome Sharing
The guidance also deals with what happens when a vouch outcome moves between organisations.
If you plan to share a vouch outcome, you must secure it so recipients can confirm whether it is genuine or valid, for example using cryptographic security.
It also sets a clear shelf life: a vouch outcome can only be accepted for a maximum of 6 months after it has been created, and the guidance suggests you can set an expiry date on the outcome you share.
That combination - constraints, records, and a time limit - turns “trust” into something you can reuse without turning it into a blank cheque.
What It Signals About UK Digital ID
This Is About Legitimacy as Much as Technology
If you zoom out, the wider UK digital ID debate has been moving in the same direction as vouching. Less focus on one route, more focus on what counts as evidence, and how reuse is controlled.
People do want simpler, safer digital journeys.
But they also react strongly when identity feels like infrastructure that could expand beyond its original purpose.
When boundaries aren’t understood, trust in the programme becomes the limiting factor, regardless of how good the underlying technology is.
The “Mandatory Credential” Backtrack
Nowhere has the importance of public trust been more apparent than in the government’s backtracking around the digital ID scheme.
On 26 September 2025, the government announced a national digital ID scheme and said it would be mandatory for Right to Work checks by the end of this Parliament.
A petition opposing digital ID later closed with 2,984,193 signatures and was debated in Westminster Hall on 8 December 2025.
On 16 January 2026, the mandatory element had been dropped following political and public backlash, while digital Right to Work checks remained the direction of travel, with alternatives such as e-passports also accepted.
This is not a loss for digital identity - it’s a shift in line with the same pattern the vouching standard is pushing towards: more routes, clearer boundaries, and outcomes you can audit and evidence.
Standards and Reuse Are the Centre of Gravity
You can see the underlying design logic here.
Not “one identity to rule them all”, but a system that defines what evidence looks like, what can be reused, for how long, and under what controls.
That’s exactly what we’ve been building in AssureScore® - a trust indicator designed to help organisations make proportionate decisions about identity and step-up checks, based on the same underlying principles of inherited trust.
It’s not a digital ID card and it’s not meant to replace statutory routes.
It’s meant to answer a question that most journeys still struggle with: is this interaction routine enough to keep moving, or risky enough to justify stronger evidence right now?
Vouching is one form of structured evidence. AssureScore is the decision layer that helps you choose when to reach for structured evidence at all, built on the same question - “who else trusts this person?” - but in a privacy-preserving way, at scale.
This decision-layer approach is underpinned by our European patent (EP 3 482 546 B1), covering the use of trust metrics to determine proportionate security levels.
The Design Lesson for Organisations
Start With What You’re Protecting
Once you accept that identity is heading towards controlled evidence rather than a single credential, the design question changes.
It becomes less about “what’s the strongest check we can run?” and more about “what’s proportionate in this moment?”
Many identity journeys still start with the same unspoken assumption: collect everything, just in case.
That’s the easiest thing to defend internally, until you see what it does to cost, friction, inclusion, and data exposure at scale.
A better starting point is purpose. What’s the consequence of being wrong here, and what’s the lightest proof that can still do the job?
The ICO’s data minimisation principle is a practical anchor: collect what is adequate, relevant, and limited to what is necessary.
Make Step-Up Normal and Blanket Checks Rare
Stronger evidence has a place, but it should be a response to risk, not the default starting point.
If your journey can only be “high assurance” or “no access”, you end up building processes for edge cases and forcing everyone through them.
Over time, that becomes an operational tax and a customer tax.
Most importantly, it creates a quiet bias towards the “perfect user” who has the right documents, the right device, and the confidence to complete the process without help.
A step-up model accepts something more realistic: start light, then ask for more only when the downside is significant.
Make Your Boundaries Visible and Defensible
Users should be able to see what you asked for, why you asked, and what would trigger a step-up check.
In too many journeys, users are told “you failed verification”, but not told why, or what would resolve it.
Your teams should be able to point to the same logic when something is challenged or investigated.
"Vouching is interesting because it treats trust as something you can structure and reuse, not something you simply declare.
That’s the direction identity needs to take if it’s going to scale without turning every journey into a document upload."
Paul Holland, Founder, Beyond Encryption
What This Looks Like in Real Journeys
Keep Routine Journeys Moving for Known Relationships
Most digital interactions are ordinary: viewing documents, receiving updates, confirming details, asking a simple question.
If a relationship is stable, repeatedly forcing high-friction identity steps tends to punish the safe majority.
Step Up at the Moments Fraud Clusters Around
Impersonation and account takeover tend to show up in the same places: payment detail changes, account recovery, address changes, high-value amendments, and requests to redirect sensitive information.
Those are the moments where step-up checks make sense, because the downside of being wrong is real.
And where someone does not have documents, a controlled vouching-style route can be a practical inclusion bridge, as long as it’s recorded properly and limited to what it is meant to prove.
Make Step-Up Decisions Easier to Explain Later
The point of more dynamic approach to identity checks is not to avoid verification. It’s to make it more targeted.
If you can’t explain why you stepped up, you probably shouldn’t be collecting extra data.
If you can explain it, you can record the reason, defend the choice, and show the user the boundary.
FAQs
Is the UK Digital ID Programme Still Happening?
Yes. The government’s direction of travel remains digital identity and digital Right to Work checks.
The key change reported in the House of Commons Library briefing is stepping back from making one government-issued digital ID the mandatory route for Right to Work checks.
What Does “Vouching” Mean in the New Guidance?
It is a formal declaration from a third party that they know someone as the claimed identity and are willing to confirm that identity.
The guidance sets guardrails on who can vouch and what must be recorded, and it limits reuse to a defined period.
Is AssureScore a Digital ID Card?
No. AssureScore is an identity-confidence indicator designed to support step-up decisions in customer journeys.
It is not a universal credential, and it is not designed to act as a gatekeeper for statutory rights or government services.
Paul, CEO and Founder of Beyond Encryption, is an expert in digital identity, fintech, cybersecurity, and business. He developed Webline, a leading UK comparison engine, and now drives Mailock, Nigel, and AssureScore to help regulated businesses secure customer data.
Paul Holland
.svg)
Previous post