FIDO2 Frequently Asked Questions (FAQs)

This article contains frequently asked questions about FIDO2, including guidance around getting started and using FIDO2 for authentication to access NHSmail systems and applications.

Getting Started with FIDO2

I want to start using FIDO2. How can I get a security token?

If you want to start using FIDO2, please contact your Local Administrator who should be able to advise you on the process for getting a security token at your organisation.

Once you have a FIDO2 security token, check out the FIDO2 User Guide for helpful tips on getting started. 

I want to register my FIDO2 security token. How do I register my FIDO2 security token?

Follow this step-by-step guidance to register your FIDO2 security token in a few easy steps. There is also a ‘How-To-Video’ you can watch and a ‘Getting Started with FIDO2’ infographic available to help you register your FIDO2 security token.

A Local Administrator can also register a FIDO2 security token on your behalf. There is step-by-step guidance and a ‘How-To-Video’ available to Local Administrators to help with registration.

I want to use a FIDO2 security token to login to systems and applications. How do I use my FIDO2 security token?

FIDO2 is a technology-agnostic security specification. This means that a range of authenticators can be used to login to systems and applications which may vary in terms of process steps and user experience.

Most common security tokens require you to either enter a PIN and touch/tap a physical token or use biometrics (e.g. fingerprint scan) during the login process to authenticate your identity.

Prior to being able to use a FIDO2-enabled security key, you must register your key with the NHSmail platform. This can also be done by a Local Administrator on your behalf.

To support logins to desktop applications using your FIDO2 key, ensure you are using Windows 10 version 2004 or above. Please refer to the FIDO2 Admin Guide for additional guidance on the compatibility of FIDO2 tokens with different device types and versions.

Can I use my FIDO2 security token on a shared device?

It is possible to use a FIDO2 security token on a shared device. For more information, read this article on using NHSmail on shared computers.

What is the PIN used for?

The PIN is a shared secret between the user and the authenticator. It is stored securely on the authenticator and never sent across the network.

Biometrics (e.g. fingerprint) can also be used as an alternative to using a PIN. However, this is subject to the make and model of your authenticator. If you’re using biometrics, you will only be prompted to provide a PIN if biometric verification is not available or if biometric verification fails. 

I am creating a PIN for my FIDO2 security token. What is the minimum PIN length?

The minimum PIN length is 4 characters.

How do I know if my application does not support FIDO2?

Important Note

You will not see any specific error messages if your application does not support FIDO2. When you try to use your FIDO2 key, you will not be able to insert your PIN.

Below is an example of a user trying to log into an application using an unsupported version of Windows.

1. User enters their username and password during a login attempt.

2. User selects Sign in using a FIDO2 security key.

3. User is presented with all their registered tokens.

4. When the user selects the token they want to use, they are not asked to enter their PIN and verify their presence. Instead, they are presented with this screen.

If the user has registered for another MFA option, they can click Sign in with other options and use Azure MFA instead.

Can I use FIDO2 with my Windows Virtual Desktop environment?

Using a FIDO2 token inside a Windows Virtual Desktop environment is currently not supported.

Managing and Using Tokens

I want to change my token nickname. How do I edit a FIDO2 security token nickname?

If you want to change your security token nickname, you need to login to the NHSmail portal and navigate to your token management page.

  1. Sign into the NHSmail portal and navigate to your Profile page
  2. On your Profile page, select the Self-Service tab
  3. On the Self-Service page, select Manage FIDO2 Tokens. This will take you to your FIDO2 token management page, where you should be able to see a list of all your registered FIDO2 security tokens.
  4. Click Edit next to the specific security token you want to change.
  5. Enter a new nickname for the security token in the pop-up box and click Save Changes.

It is important that you give the FIDO2 security token an appropriate and recognisable nickname since this will be used to identify the correct security token to use during the login process.

There is step-by-step guidance available and a ‘How-To-Video’ you can watch to help you change your FIDO2 security token nickname in a few easy steps.

I want to change my security key PIN. How do I change my FIDO2 security token PIN?

If you want to change your security key PIN from an old PIN to a new PIN, you can do this on a Windows 10 device in a few simple steps:

  1. Click on Start, go to your device Settings and select Accounts.
  2. On the Accounts page, select Sign-in options.
  3. Navigate to Security Key and select Manage.
  4. Insert the security key and touch to confirm presence when prompted.
  5. Navigate to Security Key PIN and select Change.
  6. Change your security key PIN and confirm by clicking “OK”. Once the PIN has been changed, continue to use the security key with the new PIN during future authentication attempts.

There is step-by-step guidance available to help you change your FIDO2 security token PIN.

Please note that these steps might be different on other platforms or operating systems (OS). For example, Windows supports inbuilt PIN change from Windows 10 19H1 and above.

If you are using MacOS or Linux, the latest Chrome browser also supports FIDO2 PIN reset. This can be done by going to Chrome Settings -> Privacy and security -> Security -> Manage security keys.

For other methods, please refer to the specific supplier website relating to your security key.

I have forgotten my FIDO2 security token PIN. How can I reset my PIN?

If you have forgotten your FIDO2 security token PIN, there are two options available to reset your PIN on Windows 10:

1. Self-Service PIN Reset. If you have an alternative option for MFA set up on your account (e.g. Microsoft Authenticator App or second FIDO2 security token), you can reset your PIN using the following steps:

    1. Reset your security key to factory default settings on a Windows 10 device
    2. Remove your security token from your list of registered tokens in the NHSmail portal
    3. Re-register your security token with a new PIN in the NHSmail portal

2. Local Administrator Resets PIN on behalf of user. If you do not have an alternative option for MFA set up on your account, and therefore cannot login to the NHSmail portal by any other means, please contact a Local Administrator who should be able to reset your security key PIN.

    1. Local Admin resets security token back to factory settings on a Windows 10 device
    2. Local Admin removes security token from user account on the NHS Portal
    3. Local Admin/User re-registers security token with new PIN on the NHS Portal

IMPORTANT NOTE

Option 2 requires that the Local Administrator has access to the physical security token.

Please note that self-service PIN reset might not be available on other platforms or operating systems (OS). For example, Windows supports inbuilt PIN reset from Windows 10 19H1 and above.

If you are using MacOS or Linux, the latest Chrome browser also supports FIDO2 PIN reset. This can be done by going to Chrome Settings -> Privacy and security -> Security -> Manage security keys.

For other methods, please refer to the specific supplier website relating to your security key. 

I have registered a security token on behalf of a user. How can I securely share the security token PIN with a user?

It is recommended that Local Administrators use existing processes and best practice at your organisation to securely share PINs with users. There are several methods that could be used to securely share PINs, including:

  1. SMS to registered phone number of the user
  2. In person
  3. Via post
  4. Via encrypted email message using Egress

It is also recommended that you instruct users to change the PIN once they receive their security token and before they begin using this to login to services.

My FIDO2 token has been lost/stolen. What should I do?

If your security token has been lost or stolen, make sure to remove this token via the NHSmail portal so that it is no longer registered to your NHSmail account. This is only possible if you have a backup alternative for MFA set up on your account (e.g. Microsoft Authenticator App / secondary FIDO2 token). If you do not have a backup alternative for MFA or have any queries, contact a Local Administrator at your organisation.

IMPORTANT NOTE

It is recommended that all users have a backup alternative for MFA set up to avoid losing access to systems and applications if a FIDO2 token is misplaced or stolen. You should enable MFA using mobile app, text message or phone call in addition to using a FIDO2 token for security purposes.  

If you need to request a new FIDO2 security token, please contact Local Administrators at your organisation to arrange this.

I am moving/leaving my current organisation. What should I do with my security token?

If you are moving or leaving your current organisation, please follow your local organisation’s leaver process and return your security token(s) as instructed. Please contact a Local Administrator at your organisation if you have any queries.

I no longer want to use a security key. How do I remove a FIDO2 security token from my account?

Before removing a token from your account, please speak to your Local Administrator for guidance on your organisation’s removal policy.

If appropriate, follow these simple steps to remove a FIDO2 security token from your account:

  1. Sign into the NHSmail portal and navigate to your Profile page
  2. On your Profile page, select the Self-Service tab
  3. On the Self-Service page, select Manage FIDO2 Tokens. This will take you to your FIDO2 token management page, where you should be able to see a list of all your registered FIDO2 security tokens.
  4. Click Remove next to the specific security token you want to remove.
  5. Select Remove in the confirmation prompt to delete the registered token.

The security token will no longer appear in the list of registered security tokens on your FIDO2 token management page. You may need to refresh the page once for this change to be reflected.

Speak to your Local Administrator for guidance on how to dispose of or re-use the security token removed from your account.

There is step-by-step guidance available and a ‘How-To-Video’ you can watch to help you remove a FIDO2 security token associated with your NHSmail account. 

How many times can I enter a PIN incorrectly before I get locked out?

There is a maximum of eight incorrect attempts before the authenticator is blocked. If the authenticator is blocked, you will need to follow steps to reset the security key to factory settings, remove the security token from relevant user account(s) and re-register the security token with a new PIN. 

Issues and Troubleshooting

Why does my FIDO2 security token not work on Internet Explorer?

FIDO2 browser support is growing, but it does not currently work on Internet Explorer. Other modern browsers, including Edge, Safari, Chrome and Firefox all support FIDO2 security tokens. For more information, see this guidance from the FIDO Alliance.

Figure 3: FIDO2 Platform/Browser Support (Source: FIDO Alliance June 2020)

I’m able to register one FIDO2 security token multiple times to the same user. Why is this happening?

It is currently possible to register one token multiple times to the same user. The token can be registered under different nicknames but can only have one PIN stored at any time.

I’m not able to use my FIDO2 security token to login. Why is my security token not working?

If your FIDO2 security token is not working, please try the following:

  1. Check if you have internet connectivity
  2. Check if you can use FIDO2 when signing in from a different browser
  3. If you have a backup MFA option set up on your account, please login to the NHSmail Portal and follow the steps to remove and re-register the FIDO2 security token.

If none of the above resolves the issue, there may be a problem with the hardware. Please contact a Local Administrator who should be able to help investigate further. 

I’m trying to register the FIDO2 security token. Why is the registration page in the NHSmail Portal not available?

If you’re having problems viewing the registration page in the NHSmail portal, this may be because you have lost internet connectivity. Please try the following:

  1. Try refreshing the page
  2. Check network connectivity to see if you can connect to any other website
  3. Try using another browser to register the token

If none of the above resolves the issue, please contact a Local Administrator for additional support.

I’m trying to authenticate with my FIDO2 security token. Why is the ADFS page not available?

If you’re having problems authenticating with your FIDO2 security token, this might be because you have lost internet connectivity. Please try the following:

  1. Try refreshing the page
  2. Check network connectivity
  3. Try using another browser

If none of the above resolves the issue, please contact a Local Administrator for additional support.

FIDO2 Authentication

What is FIDO2?

The Fast Identity Online (FIDO) Alliance was launched in 2013 with a mission to define ‘authentication standards to help reduce the world’s over-reliance on passwords’ and to develop technology-agnostic security specifications for strong authentication. FIDO2 is the newest set of specifications developed in collaboration with the World Wide Web Consortium (W3C).

FIDO2 uses public-key cryptography to provide secure and convenient authentication technology. For every account that uses a FIDO2 security key, there is a public and private key that enables services to validate the identity of users and their security key.

FIDO2 authentication enables password-only logins to be replaced with secure and fast login experiences, leveraging common devices, to authenticate across websites and applications in both mobile and desktop environments.

Figure 1: FIDO2 Overview (Source: FIDO Alliance July 2020)

What is a FIDO2 security token?

A FIDO2 security token is a secure, hardware-based authentication method. FIDO2 certified authenticators can take the form of anything from mobile devices to wearables and hardware tokens. One of the most common FIDO2 tokens is a security key that supports USB and Near Field Communication (NFC).

Figure 2: Different types of FIDO2 security keys

How can I use a FIDO2 security token to login to systems and applications?

FIDO2 is available as an option for multi-factor authentication (MFA) to NHSmail users in addition to the Microsoft Authenticator app, text, or phone call. This provides you with a secure way of logging in to systems and applications.

The NHSmail platform and your authenticator conduct a challenge-response to verify that you are in possession of the correct private key. Each registration uses a unique key pair, and the private key never leaves your security token. When you authenticate with FIDO2 your identity is verified with a simple action, such as scanning a fingerprint, using a PIN and/or touching the security key.

Prior to being able to use a FIDO2-enabled security key, you must register your key with the NHSmail platform. This can also be done by a Local Administrator on your behalf. 

Which applications can be accessed using a FIDO2 security token?

You will be able to access all applications and systems integrated with the Azure Active Directory underpinning the NHSmail service. This includes common applications used daily, such as Microsoft Teams and Exchange Online. A FIDO2 security token can also be used for all other applications that are part of the NHSmail service, such as Pulse and Windows 10 Virtual Desktop.


FIDO2 tokens are currently not considered to be a “core” MFA option. They can be used as a workaround to bypass MFA prompts once a core MFA method has been set up on a user account.

The future roadmap includes making FIDO2 tokens a core option, but there are currently no dates for this.

Other

Where can I submit feedback on my experience using FIDO2 for authentication?

If you want to share feedback on your experience using FIDO2 please contact feedback@nhs.net or submit an idea to the Your Voice forum. 

Help & Support

For any issues or queries, please contact a Local Administrator at your organisation in the first instance. If the problem persists and/or issue remains unsolved, please contact the NHSmail Helpdesk via helpdesk@nhs.net or 0333 200 1133.

Last Reviewed Date 19/04/2024