FIDO2 provides NHSmail users with an additional option for multi-factor authentication (MFA). FIDO2 authentication enables password-only logins to be replaced with secure and fast login experiences, leveraging common devices, to authenticate across websites and applications in both mobile and desktop environments.
What is FIDO2?
The Fast Identity Online (FIDO) Alliance was launched in 2013 with a mission to define ‘authentication standards to help reduce the world’s over-reliance on passwords’ and to develop technology-agnostic security specifications for strong authentication. FIDO2 is their newest set of specifications and uses public-key cryptography to provide secure and convenient authentication technology.
Figure 1: Overview of FIDO2 specifications (FIDO Alliance)
What is a FIDO2 security key?
A FIDO2 security key or token is a secure, hardware-based authentication method that can be used to login to systems and applications. NHSmail users can choose to use security keys as an option for MFA.
FIDO2-certified authenticators can take the form of anything from mobile devices to wearables and hardware tokens. One of the most common FIDO2 tokens is a security key that supports USB and Near Field Communication (NFC).
Figure 2: Example of different types of FIDO2 security keys
Before first use, users must register their security key via the NHSmail Portal. When users then authenticate, their identity is verified with a simple action such as scanning a fingerprint or touching the security key. The NHSmail platform and the user’s authenticator carry out a challenge-response exchange to verify that the user possesses the correct private key. Each registration uses a unique key pair, and the private key never leaves the user’s security key.
Significant benefits for NHS organisations and staff
Replace password-only logins with strong multi-factor authentication using a hardware authenticator to protect against phishing, password theft and replay attacks.
Staff do not need to remember yet another password to securely log in to common systems and applications.
Staff can choose to authenticate with FIDO2 as another option for MFA, in addition to other methods such as the Microsoft Authenticator App.
Staff can register FIDO2 security tokens and make changes using self-service via the NHSmail Portal.
Support for open authentication standards provides flexibility and more choice to NHS organisations and their users.
How to get started
For more information on how to get started with FIDO2, contact a Local Administrator at your organisation, who should be able to explain the process for obtaining a security token. Before you can begin using FIDO2 for MFA, you will need to register your security token via the NHSmail Portal.
Please note that as of November 2021, FIDO2 is a new capability and some organisations may not yet have a plan in place to roll this out to their users.