Getting Started with MFA

 

What is Multi-Factor Authentication (MFA)?

Normally you use your email address and password to log into your NHSmail account. Multi-factor authentication (MFA) is an additional way of checking that it is really you when you log in to your account.

In addition to your email address and password, you will need to set up a second form of authentication, such as an authentication app on your mobile phone, text message, phone call or FIDO2 token. This second layer of security is designed to prevent anyone but you from accessing your account, even if they know your password.

Why is MFA important to the NHS?

Cyberattacks on electronic health records and other systems pose a risk to patient privacy because hackers could access sensitive information, potentially causing harm to patient safety and care delivery. Hackers can use ransomware viruses to hold medical records or devices hostage, risking your access to vital tools and information.

 

  • Up to 80% of data breaches can be prevented by simple actions like enabling MFA – Source: DBIR, 2020
  • Over 93% of healthcare organisations experienced a data breach from 2017 to 2020 – Source: Herjavec Group, 2020
  • More than 99.9% of accounts compromised by cyber attacks can be blocked by using MFA – Source: Microsoft, 2022

What are the benefits of MFA?

  • Keeps any patient data in a more protected environment
  • Helps you gain access to your account should you forget your password
  • Helps protect NHS reputation
  • Provides increased protection against cyber attacks
  • Checks if an attempt is made to access your account from an unusual location or device

What are my authentication options for MFA?

There are four options available that you can choose from to authenticate your account: mobile app, text message, phone call or FIDO2 token. Microsoft recommends the mobile app because it is the more secure option: if your mobile phone is lost or stolen, it would be harder to access the app and generate the approval.

  • Authentication App: Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
  • Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
  • Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.
  • FIDO2: Use FIDO2 for MFA to sign in with a choice of security keys available and supported.

You should enable MFA using mobile app, text message, phone call or FIDO2 token in addition to using an NHS Smartcard for security purposes. If using an NHS Smartcard in addition to another MFA option, you won’t be challenged for MFA.

How do I set up MFA?

To set up MFA you can start by self-enrolling (see 1.1 Self-Enrol) or by being prompted on the NHS Portal login page.

After this, you will need to select your authentication method and follow the steps below and / or watch the videos to learn how to enrol for MFA.

Note: Remember to always register an alternative method of multi-factor authentication (MFA) for emergencies, such as an alternative mobile phone number or the Microsoft Authenticator app set up on another mobile device.

If you are using a mobile browser to enrol in MFA, the steps are the same as for a desktop browser for all methods except the Microsoft Authenticator App.

1.1 Self-Enrol

Download the full Step by Step Guidance for Self Enrol

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/
  • Step 2: Click ‘Profile’ in the navigation bar at the top of the screen and select ‘My Profile’ from the drop-down menu
  • Step 3: From the ‘My profile’ page, click on ‘Self-Service’
  • Step 4: Select ‘Self-enrol’ for MFA
  • Step 5: Click ‘Confirm’ to enable the MFA
  • Step 6: The following success message will be displayed: ‘success: MFA enabled successfully for nhsmailaccount@nhs.net’.

Note: Now that MFA is enabled on the account, the authentication method (mobile app, call, text message or FIDO2 token) needs to be set up. Please select the method and follow the steps.

1.2 Microsoft Authenticator App

To register for MFA with the Microsoft Authenticator App, watch the video above or follow the steps below

Download the full Step by Step Guidance for Microsoft Authenticator App

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/
  • Step 2: Select ‘Click me to enrol for Multi-Factor Authentication’ to proceed
  • Step 3: Once redirected to this page, select ‘Next’ to start the MFA set up process
  • Step 4: Click ‘Download Now’ to open a new window with the QR code to download the Microsoft Authenticator App
  • Step 5: Scan the QR code that is displayed with the camera on your mobile phone, pointing your mobile phone at the QR code (for Android use the QR code displayed on the left side and for iPhone scan the code on the right side). Then tap on the pop-up banner or QR code icon that appears on your mobile phone screen to be directed to download the Microsoft Authenticator App on your mobile phone
  • Step 6: Click ‘Get’ or ‘Install’ to download the Microsoft Authenticator app on your mobile phone and then click ‘Open’
  • Step 7: Click ‘Open’ to launch the Microsoft Authenticator app on your mobile phone
  • Step 8: After downloading the Microsoft Authenticator App on your mobile phone click ‘Next’
  • Step 9: Open the Microsoft Authenticator App on your mobile phone to set up and then click ‘Next’
  • Step 10: On this screen, open your Microsoft Authenticator App on your mobile device and follow the next steps
  • Step 11: Tap the ‘+’ or ‘+ Add account’ icon to add an account and continue the enrolment process
  • Step 12: On your mobile device select ‘Work or school account’
  • Step 13: A pop-up box will appear on your Microsoft Authenticator App screen, click ‘Scan QR code’
  • Step 14: On the Microsoft Authenticator App screen a QR code reader will appear. Point the mobile device to the screen and scan the QR code
  • Step 15: Click ‘Next’ to be directed to the next step and continue the enrolment process
  • Step 16: Following the approval on the Microsoft Authenticator App this screen will appear – no action is needed at this time
  • Step 17: A pop-up box will appear on your Microsoft Authenticator App screen, select ‘Approve’
  • Step 18: After approving the notification in your mobile phone app you will receive the following message ‘Notification approved’, click ‘Next’
  • Step 19: Insert a password name of at least 8 characters and then click ‘Next’. Note: The App password is required for legacy applications that are not supported by MFA.
  • Step 20: After creating a password name you will be provided with a key password – store this password in a safe place and click ‘Done’
  • Step 21: This message will confirm that you have finished your Microsoft Authenticator App set up. Click ‘Done’ and you will be taken to the application initially selected. Congratulations, you have successfully set up MFA!

1.2.1 NHSmail number matching for users of the Microsoft Authenticator app

NHSmail is enabling number matching for all users of the Microsoft Authenticator app on the evening of 25 January 2023.

Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator.

Follow the steps below to enrol in MFA:

  • Step 1: When logging in to portal.nhs.net, you will be presented with a two-digit number
  • Step 2: The Microsoft Authenticator app on your mobile device will prompt you to authenticate the log in
  • Step 3: Type the two-digit number into the app to complete the approval
  • Step 4: The NHSmail portal will then open

Please note: You won’t be able to install or use Microsoft Authenticator on Apple Watch. Microsoft recommend that you delete Microsoft Authenticator from your Apple Watch, and sign in with Microsoft Authenticator on another device.

1.3 Text Message

To register for MFA with text message, watch the video above or follow the steps below

Download the full Step by Step Guidance for text message

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/. Select ‘I want to set up a different method’ at the bottom of the box to add another option to authenticate your account
  • Step 2: A box with a drop-down list of the different options to register for MFA will appear on the screen
  • Step 3: This page allows you to choose an alternative option to authenticate your NHSmail account. Select ‘Phone’ Option. Note: The use of the office phone option is not supported by NHSmail. This option is available to users as Multi-factor Authentication is an off-the-shelf feature that cannot be customised.
  • Step 4: Click ‘Confirm’ to continue the registration process. Note: This phone number is your preferred contact method, and is not linked to the number listed in your NHSmail Portal profile
  • Step 5: Select your country code from the country options and enter the mobile phone number you would like to use, select ‘Text me a code’ as your authentication method and click ‘Next’. Note: Mobile numbers used to register for an NHSmail account must be UK based.
  • Step 6: Microsoft will send an authentication text code; please check your mobile phone for the six-digit text code (SMS). Note: It is not expected that you will be charged to use this service as no messages will be sent during 2-step verification. However, SMS charges may apply if you try to access your account from outside the UK (incurring roaming charges).
  • Step 7: Enter the six-digit text code received by mobile phone into the text box provided and click ‘Next’ to proceed
  • Step 8: When the code is validated this message will appear on the screen. Click ‘Next’ to be taken to the next page.
  • Step 9: Insert a password name of at least 8 characters and then click ‘Next’. Note: The App password is required for legacy applications that MFA does not support.
  • Step 10: After creating a password name you will be provided with a key password – store this password in a safe place and click ‘Done’
  • Step 11: A message will confirm that you have finished your Microsoft Authenticator App set up. Click ‘Done’ and you will be taken to the application initially selected. Congratulations, you have successfully set up MFA!

1.4 Call

To register for MFA with calls, watch the video above or follow the steps below

Download the full Step by Step Guidance for phone call

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/. Select ‘I want to set up a different method’ at the bottom of the box to add another option to authenticate your account.
  • Step 2: A box with a drop-down list of the different options to register for MFA will appear on the screen.
  • Step 3: This page allows you to choose an alternative option to authenticate your NHSmail account. Select ‘Phone’ Option. Note: The use of the office phone option is not supported by NHSmail. This option is available to users as Multi-factor Authentication is an off-the-shelf feature that cannot be customised.
  • Step 4: Click ‘Confirm’ to continue the registration process. Note: This phone number is your preferred contact method, and is not linked to the number listed in your NHSmail Portal profile.
  • Step 5: Select your country code from the country options and enter the mobile phone number you would like to use, select ‘Call me’ option and click ‘Next’. Note: Mobile numbers used to register for an NHSmail account must be UK based.
  • Step 6: You will get a call to the registered mobile number. Note: It is not expected that you will be charged to use this service as no outgoing calls are made during 2-step verification. However, standard call charges may apply if you try to access your account from outside the UK (incurring roaming charges).
  • Step 7: Answer the call and press the # key on the device to verify your identity. Note: the automated message may ask you to press the “pound” key or the “hash” key, but you should always press the # symbol on your telephone keypad.
  • Step 8: Click ‘Next’ to continue the registration process.
  • Step 9: Insert a password name of at least 8 characters and then click ‘Next’. Note: The App password is required for legacy applications that MFA does not support.
  • Step 10: After creating a password name you will be provided with a key password – store this password in a safe place and click ‘Done’.
  • Step 11: A message will confirm that you have finished your Microsoft Authenticator App set up. Click ‘Done’ and you will be taken to the application initially selected. Congratulations, you have successfully set up MFA!

1.5 Alternative Phone

Download the full Step by Step Guidance for Alternative Phone

Follow the steps below to enrol in MFA:

  • Step 1: Open a browser window, go to https://aka.ms/mysecurityinfo and enter your NHSmail email address and password
  • Step 2: Authenticate your account using the selected method
  • Step 3: Select ‘+Add a sign-in method’ to include other alternative options to authenticate your NHSmail account
  • Step 4: Select ‘Alternative phone’ to include a secondary mobile phone number to authenticate MFA. Note: The use of the office phone option is not supported by NHSmail and should not be selected. This shows as an available option to users as it is an off-the-shelf feature that cannot be customised.
  • Step 5: Enter your secondary mobile phone number as an alternative option to authenticate your NHSmail account. Note: Mobile numbers used to register for an NHSmail account must be UK based.
  • Step 6: A call will be made to the registered mobile phone number
  • Step 7: Answer the call and press the # key on the device to verify your identity. Note: the automated message may ask you to press the “pound” key or the “hash” key, but you should always press the # symbol on your telephone keypad
  • Step 8: Click ‘Done’ to finalize the process to register an alternative method for MFA.
  • Step 9: You will be directed to this page where you can check the MFA methods you have registered.

1.6 Change your preferred method of authentication for MFA

Download the full Step by Step Guidance for Changing your preferred method of authentication

Follow the steps below to enrol in MFA:

  • Step 1: Open a browser window, go to https://aka.ms/mysecurityinfo and enter your NHSmail email address and password
  • Step 2: Select ‘Change’ where you have the default sign-in method.
  • Step 3: Select the new preferred method to authenticate MFA.
  • Step 4: After selecting the new preferred method for MFA, click ‘Confirm’.

Congratulations, you have changed your preferred method for MFA successfully!

Last Reviewed Date 17/03/2023
Updated on 19/03/2023
