Date: 2023-08-09
Accepted
Following ADR015: Use an Identity Provider for authentication and implement authorisation, we looked into alternatives to GOV.UK Signon.
NCSC guidance on Enterprise authentication policy states:
Where possible, reduce reliance on passwords and implement passwordless authentication
and there is separate NCSC guidance on one-time passwords.
UK Government Security Single Sign-On was considered, but is still in an "Alpha" phase.
Auth0 offers Passwordless Authentication Methods, so it was also considered, and a DPIA (Data Protection Impact Assessment) was carried out.
User research on authentication showed that participants were comfortable using a passwordless process and preferred the Auth0 journey.
We will use Auth0 passwordless authentication with email to authenticate users who access GOV.UK Forms.
(Note that this is only for users creating and managing forms. Users who fill in forms are currently unauthenticated.)
We make use of the Auth0 OmniAuth Strategy gem (omniauth-auth0).
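To make the decision above concrete, here is an added example (not code from GOV.UK Forms or from the omniauth-auth0 gem) of the checks an Auth0 ID token has to pass once a user has completed the passwordless email step and been sent back to the application. omniauth-auth0 performs the signature and standard claim validation for the application; spelling the checks out shows what the application is actually trusting, and which condition (a verified email address) it can still reasonably insist on itself. The tenant domain, client id, user and nonce values are assumed placeholders, and the token is minted locally with a freshly generated RSA key so that the example runs offline.

```ruby
require 'openssl'
require 'json'

# Added example, not code from GOV.UK Forms or the omniauth-auth0 gem: the
# checks an Auth0 ID token must pass after a passwordless email login. The
# strategy gem does these for the app; they are spelled out here to show what
# is being trusted. Tenant domain and client id are assumed placeholders.
AUTH0_DOMAIN    = 'example-tenant.uk.auth0.com'  # assumption
AUTH0_CLIENT_ID = 'forms-admin-client-id'         # assumption
ISSUER          = "https://#{AUTH0_DOMAIN}/"      # Auth0 issuers end with a slash

class IdTokenError < StandardError; end

# JWT uses unpadded base64url; pack/unpack give standard base64, so translate.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Mint an RS256 ID token the way the tenant would. Only here so the example is
# self-contained; in the real flow Auth0 signs and the application only verifies.
def mint_id_token(private_key, claims)
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Verify signature and claims. `expected_nonce` is the value the app stored in
# the session when it started this login attempt, which ties the token to it.
def verify_id_token(token, public_key:, expected_nonce:, now: Time.now.to_i)
  parts = token.split('.', -1)
  raise IdTokenError, 'malformed token' unless parts.length == 3

  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm rather than trusting whatever the header says.
  raise IdTokenError, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'RS256'

  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = b64url_decode(parts[2])
  unless public_key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
    raise IdTokenError, 'signature does not verify'
  end

  claims = JSON.parse(b64url_decode(parts[1]))
  raise IdTokenError, 'wrong issuer'   unless claims['iss'] == ISSUER
  raise IdTokenError, 'wrong audience' unless Array(claims['aud']).include?(AUTH0_CLIENT_ID)
  raise IdTokenError, 'token expired'  unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise IdTokenError, 'nonce mismatch' unless claims['nonce'] == expected_nonce
  # The passwordless email flow proves control of the mailbox; a token without
  # a verified email address should never create a session.
  unless claims['email_verified'] == true && claims['email'].is_a?(String)
    raise IdTokenError, 'email not verified'
  end

  claims
end

# Boolean form of the same check, for call sites that only need accept/reject.
def id_token_valid?(token, **opts)
  verify_id_token(token, **opts)
  true
rescue IdTokenError
  false
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048)
  now = Time.now.to_i
  token = mint_id_token(key, { iss: ISSUER, sub: 'email|0123', aud: AUTH0_CLIENT_ID,
                               iat: now, exp: now + 600, nonce: 'n-1',
                               email: 'form.builder@example.gov.uk', email_verified: true })
  puts verify_id_token(token, public_key: key.public_key, expected_nonce: 'n-1')['email']
end
```

In the real flow the public key is fetched from the tenant's JWKS endpoint (https://AUTH0_DOMAIN/.well-known/jwks.json) and selected by the token's `kid`, and the nonce is generated per login attempt and kept in the session; the strategy handles both, and the OAuth `state` parameter separately protects the callback against CSRF. What the example makes visible is that the token's own `alg` header is never used to pick the verification method, that audience and issuer are compared against fixed values for this application, and that a token without `email_verified` is rejected even though its signature is good.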
Auth0 offers limited customisation of the login pages, which may restrict use of the GOV.UK Design System.
We need to configure Auth0 to use Amazon SES as an external SMTP email provider (we decided to use SES as part of ADR019: Use Amazon SES).
The Auth0 DPIA needs to be reviewed and updated when GOV.UK Forms moves into Public Beta phase and beyond.
An Enterprise Subscription may be required in the future, e.g. for SLA and support, or to use advanced features.
We can decide to use a different OIDC-compatible identity provider in the future, e.g. to align with other government systems.