FIDO2 Frequently Asked Questions (FAQs)

This article contains frequently asked questions about FIDO2, including guidance around getting started and using FIDO2 for authentication to access NHSmail systems and applications.

Getting Started with FIDO2

I want to start using FIDO2. How can I get a security token?

If you want to start using FIDO2, please contact your Local Administrator who should be able to advise you on the process for getting a security token at your organisation. Please note that as of November 2021, FIDO2 is a new capability and some organisations may not yet have a defined plan for rolling this out to users.

Once you have a FIDO2 security token, check out the FIDO2 User Guide for helpful tips on getting started. 

I want to register my FIDO2 security token. How do I register my FIDO2 security token?

Follow this step-by-step guidance to register your FIDO2 security token in a few easy steps. There is also a How-To-Video you can watch and a ‘Getting Started with FIDO2 infographic available to help you register your FIDO2 security token.

A Local Administrator can also register a FIDO2 security token on your behalf. There is step-by-step guidance and a ‘How-To-Video’ available to Local Administrators to help with registration.

I want to use a FIDO2 security token to login to systems and applications. How do I use my FIDO2 security token?

FIDO2 is a technology-agnostic security specification. This means that a range of authenticators can be used to login to systems and applications which may vary in terms of process steps and user experience.

Most common security tokens require you to either enter a PIN and touch/tap a physical token or use biometrics (e.g. fingerprint scan) during the login process to authenticate your identity.

Prior to being able to use a FIDO2-enabled security key, you must register your key with the NHSmail platform. This can also be done by a Local Administrator on your behalf.

To support logins to desktop applications using your FIDO2 key, ensure you are using windows 10 version 2004 or above.

Can I use my FIDO2 security token on a shared device?

It is possible to use a FIDO2 security token on a shared device. For more information, read this article on using NHSmail on shared computers

What is the PIN used for?

The PIN is a shared secret between the user and the authenticator. It is stored securely on the authenticator and never sent across the network.

Biometrics (e.g. fingerprint) can also be used as an alternative to using a PIN. However, this is subject to the make and model of your authenticator. If you’re using biometrics, you will only be prompted to provide a PIN if biometric verification is not available or if biometric verification fails. 

I am creating a PIN for my FIDO2 security token. What is the minimum PIN length?

The minimum PIN length is 4 characters.

How do I know if my application does not support FIDO2?

Important Note

You will not see any specific error messages if your application does not support FIDO2. When you try to use your FIDO2 key, you will not be able to insert your PIN.

Below is an example of a user trying to log into an application using an unsupported version of windows

1. User enters their username and password during a login attempt

 

 

 

2. User selects Sign in using a FIDO2 security key

 

 

 

3. User is presented with all their registered tokens

 

 

 

4. When the user selects the token they want to use, they are not asked to enter their PIN and verify their presence. Instead, they are presented with this screen.

If the user has registered for another MFA option, they can click Sign in with other options and use Azure MFA instead.

Can I use FIDO2 with my Windows Virtual Desktop environment?

Using a FIDO2 token inside a Windows Desktop environment is currently unsupported.

Managing and Using Tokens

I want to change my token nickname. How do I edit a FIDO2 security token nickname?

If you want to change your security token nickname, you need to login to the NHSmail portal and navigate to your token management page.

  1. Sign into the NHSmail portal and navigate to your Profile page
  2. On your Profile page, select the Self-Service tab
  3. On the Self-Service page, select the Manage FIDO2 Tokens This will take you to your FIDO2 token management page, where you should be able to see a list of all your registered FIDO2 security tokens.
  4. Click Edit next to the specific security token you want to change.
  5. Enter a new nickname for the security token in the pop-up box and click Save Changes

It is important that you give the FIDO2 security token an appropriate and recognisable nickname since this will be used to identify the correct security token to use during the login process.

There is step-by-step guidance available and a ‘How-To-Video’ you can watch to help you change your FIDO2 security token nickname in a few easy steps.

I want to change my security key PIN. How do I change my FIDO2 security token PIN?

If you want to change your security key PIN from an old PIN to a new PIN, you can do this on a Windows 10 device in a few simple steps:

  1. Click on Start, go to your device Settings and select Accounts.
  2. On the Accounts page, select Sign-in options.
  3. Navigate to Security Key and select Manage.
  4. Insert the security key and touch to confirm presence when prompted.
  5. Navigate to Security Key PIN and select Change.
  6. Change your security key PIN and confirm by clicking “OK”. Once the PIN has been changed, continue to use the security key with the new PIN during future authentication attempts

There is step-by-step guidance available to help you change your FIDO2 security token PIN.

Please note that these steps might be different on other platforms or operating systems (OS). For example, Windows supports inbuilt PIN change from Windows 10 19H1 and above.

If you are using MacOS or Linux, the latest Chrome browser also supports FIDO2 PIN reset. This can be done by going to Chrome Setting -> Privacy and security -> Security -> Manage security keys.

For other methods, please refer to the specific supplier website relating to your security key.

I have forgotten my FIDO2 security token PIN. How can I reset my PIN?

If you have forgotten your FIDO2 security token PIN, there are two options available to reset your PIN on Windows 10:

1. Self-Service PIN Reset. If you have an alternative option for MFA set up on your account (e.g. Microsoft Authenticator App or second FIDO2 security token), you can reset your PIN using the following steps:

    1. Reset your security key to factory default settings on a Windows 10 device
    2. Remove your security token from your list of registered tokens in the NHSmail portal
    3. Re-register your security token with a new PIN in the NHSmail portal

2. Local Administrator Resets PIN on behalf of user. If you do not have an alternative option for MFA set up on your account, and therefore cannot login to the NHSmail portal by any other means, please contact a Local Administrator who should be able to reset your security key PIN.

    1. Local Admin resets security token back to factory settings on a Windows 10 device
    2. Local Admin removes security token from user account on the NHS Portal
    3. Local Admin/User re-registers security token with new PIN on the NHS Portal

IMPORTANT NOTE

Option 2 requires Local Administrators having access to the physical security token.

Please note that self-service PIN reset might not be available on other platforms or operating systems (OS). For example, Windows supports inbuilt PIN reset from Windows 10 19H1 and above.

If you are using MacOS or Linux, the latest Chrome browser also supports FIDO2 PIN reset. This can be done by going to Chrome Settings -> Privacy and security -> Security -> Manage security keys.

For other methods, please refer to the specific supplier website relating to your security key. 

I have registered a security token on behalf of a user. How can I securely share the security token PIN with a user?

It is recommended that Local Administrators use existing processes and best practice at your organisation to securely share PINs with users. There are several methods that could be used to securely share PINs, including:

  1. SMS to registered phone number of the user
  2. In person
  3. Via post
  4. Via encrypted email message using Egress

It is also recommended that you instruct users to change the PIN once they receive their security token and before they begin using this to login to services.

My FIDO2 token has been lost/stolen. What should I do?

If your security token has been lost or stolen, make sure to remove this token via the NHSmail portal so that it is no longer registered to your NHSmail account. This is only possible if you have a backup alternative for MFA set up on your account (e.g. Microsoft Authenticator App / secondary FIDO2 token). If you do not have a backup alternative for MFA or have any queries, contact a Local Administrator at your organisation.

IMPORTANT NOTE

It is recommended that all users have a backup alternative for MFA set up to avoid losing access to systems and applications if a FIDO2 token is misplaced or stolen.

If you need to request a new FIDO2 security token, please contact Local Administrators at your organisation to arrange this.

I am moving/leaving my current organisation. What should I do with my security token?

If you are moving or leaving your current organisation, please follow your local organisation’s leaver process and return you security token(s) as instructed. Please contact a Local Administrator at your organisation if you have any queries. 

I no longer want to use a security key. How do I remove a FIDO2 security token from my account?

Before removing a token from your account, please speak to your Local Administrator for guidance on your organisation’s removal policy.

If appropriate, follow these simple steps to remove a FIDO2 security token from your account:

  1. Sign into the NHSmail portal and navigate to your Profile page
  2. On your Profile page, select the Self-Service tab
  3. On the Self-Service page, select Manage FIDO2 Tokens. This will take you to your FIDO2 token management page, where you should be able to see a list of all your registered FIDO2 security tokens.
  4. Click Remove next to the specific security token you want to change.
  5. Select Remove in the confirmation prompt to delete the registered token.

The security token will no longer appear in the list of registered security tokens on your FIDO2 token management page. You may need to refresh the page once for this change to be reflected.

Speak to your Local Administrator for guidance on how to dispose of or re-use the security token removed from your account.

There is step-by-step guidance available and a ‘How-To-Video’ you can watch to help you remove a FIDO2 security token associated with your NHSmail account. 

How many times can I enter a PIN incorrectly before I get locked out?

There is a maximum of eight incorrect attempts before the authenticator is blocked. If the authenticator is blocked, you will need to follow steps to reset the security key to factory settings, remove the security token from relevant user account(s) and re-register the security token with a new PIN. 

Issues and Troubleshooting

Why does my FIDO2 security token not work on Internet Explorer?

FIDO2 browser support is growing, but it does not currently work on Internet Explorer. Other modern browsers, including Edge, Safari, Chrome and Firefox all support FIDO2 security tokens. For more information, see this guidance from the FIDO Alliance.

Figure 3: FIDO2 Platform/Browser Support (Source: FIDO Alliance June 2020)

How do I know if my application does not support FIDO2?

Important Note

You will not see any specific error messages if your application does not support FIDO2. When you try to use your FIDO2 key, you will not be able to insert your PIN.

Below is an example of a user trying to log into an application using an unsupported version of windows

1. User enters their username and password during a login attempt

 

 

 

2. User selects Sign in using a FIDO2 security key

 

 

 

3. User is presented with all their registered tokens

 

 

 

4. When the user selects the token they want to use, they are not asked to enter their PIN and verify their presence. Instead, they are presented with this screen.

If the user has registered for another MFA option, they can click Sign in with other options and use Azure MFA instead.

Can I use FIDO2 with my Windows Virtual Desktop environment?

Using a FIDO2 token inside a Windows Virtual Desktop environment is currently not supported.

I’m able to register one FIDO2 security token multiple times to the same user. Why is this happening?

It is currently possible to register one token multiple times to the same user. The token can be registered under different nicknames but can only have one PIN stored at any time.

I’m not able to use my FIDO2 security token to login. Why is my security token not working?

If your FIDO2 security token is not working, please try the following:

  1. Check if you have internet connectivity
  2. Check if you can use FIDO2 when signing in from a different browser
  3. If you have a backup MFA option set up on your account, please login to the NHSmail Portal and follow the steps to remove and re-register the FIDO2 security token.

If none of the above resolves the issue, there may be a problem with the hardware. Please contact a Local Administrator who should be able to help investigate further. 

I’m trying to register the FIDO2 security token. Why is the registration page in the NHSmail Portal is not available?

If you’re having problems viewing the registration page in the NHSmail portal, this may be because you have lost internet connectivity. Please try the following:

  1. Try refreshing the page
  2. Check network connectivity to see if you can connect to any other website
  3. Try using another browser to register the token

If none of the above resolves the issue, please contact a Local Administrator for additional support

I’m trying to authenticate with my FIDO2 security token. Why is the ADFS page not available?

If you’re having problems authenticating with your FIDO2 security token, this might be because you have lost internet connectivity. Please try the following:

  1. Try refreshing the page
  2. Check network connectivity
  3. Try using another browser

If none of the above resolves the issue, please contact a Local Administrator for additional support.

FIDO2 Authentication

What is FIDO2?

The Fast Identity Online (FIDO) Alliance was launched in 2013 with a mission to define ‘authentication standards to help reduce the world’s over-reliance on passwords’ and to develop technology-agnostic security specifications for strong authentication. FIDO2 is the newest set of specifications developed in collaboration with the World Wide Web Consortium (W3C).

FIDO2 uses public-key cryptography to provide secure and convenient authentication technology. For every account that uses a FIDO2 security key, there is a public and private key that enables services to validate the identity of users and their security key.

FIDO2 authentication enables password-only logins to be replaced with secure and fast login experiences, leveraging common devices, to authenticate across websites and applications in both mobile and desktop environments.

Figure 1: FIDO2 Overview (Source: FIDO Alliance July 2020)

What is a FIDO2 security token?

A FIDO2 security token is a secure, hardware-based authentication method. FIDO2 certified authenticators can take the form of anything from mobile devices to wearables and hardware tokens. One of the most common FIDO2 tokens is a security key that supports USB and Near Field Communication (NFC).

Figure 2: Different types of FIDO2 security keys

How can I use a FIDO2 security token to login to systems and applications?

FIDO2 is available as an option for multi-factor authentication (MFA) to NHSmail users. This provides you with a secure way of logging in to systems and applications.

The NHSmail platform and your authenticator conduct a challenge-response to verify that you are in possession of the correct private key. Each registration uses a unique key pair, and the private key never leaves your security token. When you authenticate with FIDO2 your identity is verified with a simple action, such as scanning a fingerprint, using a PIN and/or touching the security key.

Prior to being able to use a FIDO2-enabled security key, you must register your key with the NHSmail platform. This can also be done by a Local Administrator on your behalf. 

Which applications can be accessed using a FIDO2 security token?

You will be able to access all applications and systems integrated with the Azure Active Directory underpinning the NHSmail service. This includes common applications used daily, such as Microsoft Teams and Exchange Online. It can also be used for all other applications that are part of the NHSmail service such as Pulse and Windows 10 Virtual Desktop. 

Can I use a FIDO2 key as another option for MFA?

Yes, a FIDO2 key can be used as an option for MFA.

It is recommended that you register a backup option for MFA in the event of a security token being misplaced or stolen to avoid losing access to systems and applications. A second FIDO2 security token or Microsoft Authenticator App can be setup as a possible backup option for MFA.

Other

Where can I submit feedback on my experience using FIDO2 for authentication?

If you want to share feedback on your experience using FIDO2 please contact feedback@nhs.net or submit an idea to the Your Voice forum. 

Help & Support

For any issues or queries, please contact a Local Administrator at your organisation in the first instance. If the problem persists and/or issue remains unsolved, please contact the NHSmail Helpdesk via helpdesk@nhs.net or 0333 200 1133.

Useful links

 

Updated on 27/10/2021

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top