FIDO2 is available as an option for multi-factor authentication (MFA) to NHSmail users. This gives users a secure way for logging in to systems and applications.
This article provides all the information users need for getting started with FIDO2 security tokens, including:
- Registering your FIDO2 security token
- Editing a security token nickname
- Removing a security token
- Changing a security token PIN
There is also some useful guidance around Frequently Asked Questions and Help & Support Channels available below.
If you want to get a FIDO2 security token, please contact a Local Administrator for more information about how to obtain a security token at your organisation. Before you can begin using FIDO2 to login with MFA, you will need to register your security token via the NHSmail portal.
Registering your FIDO2 security token
This section includes step-by-step guidance for registering your FIDO2 security token. There is also a ‘How-To-Video’ available to watch.
1. When you have a security token that you want to register, please navigate to the NHSmail portal and select Login in the top right of the page.
2. Login to the NHSmail portal using your NHSmail username and password (example@nhs.net).
3. Navigate to your Profile
4. On your Profile page select the Self-Service tab.
5. On the Self-Service page select the Manage FIDO2 Tokens This will take you to the FIDO2 security token registration and management page.
6. Select Register New Token and follow the instructions on your screen.
7. A window will appear asking you to confirm you want to set up your security key. Click OK.
8. Insert your security key into the USB port when prompted.
9. Enter a new security key PIN for this token and click OK to confirm. Please note the minimum length is 4 characters. This PIN will be required to unlock and use the security key during future authentication attempts.
If the FIDO2 security key has already been set up with a PIN, you will need to enter the existing PIN to be able to register the security key. It is possible to change your security key PIN from an old PIN to a new PIN and it is recommended that you do this when logging in for the first
10. Touch the security token to confirm your presence.
Please ensure you do not click on any other page or open other applications until you have touched your security token to confirm your presence. Doing so would require you to restart the token registration process.
11. Enter a nickname for the security token and click Submit to confirm your choice.
This nickname will be used to identify the correct security key to use during the login process, so it is important that you give the security key an appropriate and recognisable nickname.
12. A green “success” message in the top right of the page will indicate a successful registration of the security token. The registered security token will also appear in your list of registered tokens once the page has been refreshed.
13. Upon successful registration, you will be able to start using your FIDO2 security token as an option for MFA to securely access systems and applications.
During the registration process, it is recommended that you set up a backup alternative for MFA to avoid losing access to systems and applications in the event of your FIDO2 security token getting misplaced or stolen. For example, you may already have signed up to use the Microsoft Authenticator App or you may need to register a second security token. It is advised to contact your organisation’s Local Administrator team if you have any queries.
For any issues when getting started please contact a Local Administrator at your organisation in the first instance, or check out Frequently Asked Questions for more helpful tips.
Managing your FIDO2 security token
This section includes guidance on how to:
- Edit a security token nickname
- Remove a security token that is registered to you
- Change the PIN on your FIDO2 security token
Editing a security token nickname
1. Login to the NHSmail portal and navigate to your Profile
2. On your Profile page select the Self-Service tab.
3. On the Self-Service page select Manage FIDO2 Tokens. This will take you to the FIDO2 security token management page, where you should be able to see all your registered FIDO2 security tokens.
4. Click Edit next to the specific security token you want to change.
5. Enter a new nickname for the security token in the pop-up box and click Save Changes.
This nickname will be used to identify the correct security key to use during the login process, so it is important to give the security key an appropriate and recognisable nickname.
6. A green “success” message is shown in the top right corner to confirm that the nickname has been updated. You may need to refresh the page to see the changes.
Removing a security token
1. Login to the NHSmail portal and navigate to your Profile page.
2. On your Profile page select the Self-Service tab.
3. On the Self-Service page select Manage FIDO2 Tokens. This will take you to the FIDO2 security token management page, where you should be able to see all your registered FIDO2 security tokens.
4. Click Remove next to the specific security token you want to delete.
5. Select Remove in the confirmation prompt to delete the registered token.
6. The token will no longer appear in the list of registered security tokens your FIDO2 token management page. You may need to refresh the page once for this change to be reflected.
Changing a security token PIN
Changing a FIDO2 security token PIN is not done through the NHSmail portal.
If you do not have access to a Windows 10 device, please refer to Frequently Asked Questions for additional guidance.
You can take the following steps on a Windows 10 device to change your security token PIN from an old PIN to a new PIN.
1. Click on Start, go to Windows Settings and select Accounts.
2. When on the Accounts page, select Sign-in options.
3. Navigate to Security Key and select Manage.
4. Insert your security key and touch to confirm your presence when prompted.
5. Navigate to Security Key PIN and select Change.
Do not select Reset Security Key. This will reset your security key back to factory settings and if you do not have an alternative option for MFA set up, this will prevent you from being able to log back into the NHSmail portal to re-register the security key.
If you need to reset your PIN and do not have an alternative option for MFA set up (or if you are unsure), please contact a Local Administrator at your organisation who should be able to help you reset the PIN and re-register your security token.
If you do have an alternative option for MFA set up, you can do this yourself by selecting Reset Security Key and then logging in to the NHS Portal to remove your token before re-registering with a new PIN.
6. Change your security key PIN by entering the old PIN once and new PIN twice. The minimum length is 4 characters. Confirm by clicking OK. Once the PIN has been changed, continue to use the security key with the new PIN during future authentication attempts.
Help & Support
For any issues or queries, please visit our Frequently Asked Questions for some helpful tips or contact a Local Administrator at your organisation for additional support.
Useful links
- For more information check out this easy to read FIDO2 User Guide
- For more information about registering and managing tokens check out this ‘how-to-video’
- For more information about Multi-Factor Authentication (MFA)
- For more information about FIDO2 at the NHS and recent updates please see here
- For more information about how to find your Local Administrator
| Last Reviewed Date | 27/09/2022 |
