Here are some answers to questions you may have about Multi-Factor Authentication (MFA).
Overview
Normally you use your username and password to log in to your NHSmail account. Multi-factor authentication (MFA) is an additional check that it is really you when you log in to your account. In addition to your username and password, you will need to set up a second form of authentication, such as an authentication app on your smartphone or tablet. This second layer of security is designed to prevent anyone but you from accessing your account, even if they know your password.
Consider the information that you send and receive via email every day: what would happen if someone else gained access to it? Cyberattacks pose a risk to patient privacy because attackers access sensitive information, potentially causing harm to patient safety and care delivery. Attackers can use ransomware to hold medical records or devices hostage, risking your access to vital tools and information.
- 80% of data breaches can be prevented by simple actions like enabling multi-factor authentication (MFA) – Source: DBIR, 2020
- 90% of healthcare organizations experienced a data breach from 2017 to 2020 – Source: Herjavec Group, 2020
- 99% of accounts compromised by cyber-attacks can be blocked by using MFA – Source: Microsoft, 2022
With the recent increase in security breaches and attacks on accounts, it is important to step up security to protect the NHS and our patients from cyber attacks. According to the 2022 World Economic Forum Report, “cyber security failure” ranked among the top-10 risks that have worsened since the start of the COVID-19 crisis – in 2020, ransomware attacks increased by 435%.
Implementing multi-factor authentication (MFA) is one of the easiest, most effective actions you can take to improve the security of your data. It’s no longer a ‘nice to have’ but a necessity.
Registering more than one authentication method (for example, both the Microsoft Authenticator app and text message) gives you a back-up option in an emergency, so you do not lose access to your account if something happens to your device.
- Authentication App: Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
- Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
- Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.
- FIDO2: Sign in with a supported FIDO2 hardware security key instead of a mobile device.
You should still register an MFA method (the Authenticator app, text message, phone call or a FIDO2 token) even if you use an NHS smartcard. If you sign in with an NHS smartcard and also have another MFA method registered, you will not be challenged for MFA.
Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.
If you are not trying to sign in but receive a request to approve a sign-in or to provide an authentication code, this is a sign that a malicious actor is trying to access and compromise your account. Such a prompt is only sent after the correct password has been entered, so it also means that your password is known to someone else.
Only approve authentication requests when you know it is you. If you receive authentication requests that you did not initiate, do not approve them. Alert your local admin / CSOC or call the Help Desk (0333 200 1133) to let them know that your account may be under attack, and then reset or change your password.
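The pattern described above, repeated push prompts that the user did not ask for, is what a CSOC would look for in the sign-in logs. The following is an added example, not NHSmail's or Microsoft's own code: it runs a simple sliding-window detection over a constructed list of MFA push events (the field names `user`, `time` and `result` are assumed for the example and are not the real log schema) and raises an alert when a user receives several unanswered pushes in a short window, escalating it if an approval follows the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real NHSmail or Microsoft sign-in logs:
# one record per MFA push notification sent, with how the user responded.
SAMPLE_EVENTS = [
    # alice: a single push that she approved while signing in herself
    {"user": "alice", "time": "2023-06-21T08:00:05", "result": "approved"},
    # bob: a burst of prompts he did not ask for, ignored or denied, then approved
    {"user": "bob", "time": "2023-06-21T22:14:01", "result": "denied"},
    {"user": "bob", "time": "2023-06-21T22:14:40", "result": "timeout"},
    {"user": "bob", "time": "2023-06-21T22:15:12", "result": "denied"},
    {"user": "bob", "time": "2023-06-21T22:16:03", "result": "timeout"},
    {"user": "bob", "time": "2023-06-21T22:17:30", "result": "approved"},
    # carol: two stray timeouts more than an hour apart, not a burst
    {"user": "carol", "time": "2023-06-21T09:10:00", "result": "timeout"},
    {"user": "carol", "time": "2023-06-21T10:20:00", "result": "timeout"},
]

UNANSWERED = {"denied", "timeout"}


def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user who received at least `threshold` unanswered
    pushes inside any `window`. An approval arriving while such a burst is
    still inside the window is flagged as high severity, because that is the
    moment the attacker gets in and the account should be treated as compromised."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["result"]))

    alerts = {}
    for user, rows in sorted(by_user.items()):
        rows.sort()
        recent = []  # timestamps of unanswered pushes still inside the window
        for ts, result in rows:
            recent = [t for t in recent if ts - t <= window]
            if result in UNANSWERED:
                recent.append(ts)
            if len(recent) < threshold:
                continue
            alert = alerts.setdefault(user, {
                "user": user, "unanswered": 0, "first": recent[0].isoformat(),
                "last": None, "approved_after_burst": False,
            })
            alert["unanswered"] = max(alert["unanswered"], len(recent))
            alert["last"] = ts.isoformat()
            if result == "approved":
                alert["approved_after_burst"] = True

    for alert in alerts.values():
        alert["severity"] = "high" if alert["approved_after_burst"] else "medium"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only bob is reported: four unanswered prompts in under four minutes, followed by an approval, which is exactly the case where the password should be reset and the session revoked rather than just monitored. The threshold and window are deliberately parameters, since the right values depend on how noisy legitimate re-authentication is in a given organisation.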
As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) is enforced on all NHSmail accounts that are identified as compromised. Once MFA has been enforced on your account in this way, you will not be able to disable it. If you are having issues accessing your account, contact your local admin or call the Help Desk (0333 200 1133).
Mobile Phone Numbers and Devices
If you get a new mobile phone number, then you will need to update your MFA details here. On the ‘Security info’ page, click on change and edit it with your new phone number. This number is independent of the mobile number listed in your NHSmail Portal profile. Please note the number you enter must be a UK-based phone number.
Only a UK-based phone number can be used for MFA on your NHSmail account; mobile numbers registered outside the UK are not permitted. Check the number associated with your MFA details here. If it is a non-UK number, delete it and replace it with a UK-based phone number.
If you have kept the same mobile number and have selected call or text message as your method of authentication, you do not have to do anything. If you have selected the Authenticator app as your preferred authentication option, you need to download the app on your new mobile device and restore the details from a backup of your old device. To set up Microsoft Authenticator on a new phone, follow these steps:
- Step 1: Open the Microsoft Authenticator app on old mobile
- Step 2: Tap on the three-dotted icon and go to Settings
- Step 3: Toggle Cloud backup or iCloud backup option
- Step 4: Add a recovery account
- Step 5: Open the Microsoft Authenticator app on the new mobile
- Step 6: Tap on the begin recovery button
- Step 7: Enter the credentials of the recovery account
- Step 8: Re-verify your accounts to start using them.
A backup can only be restored on the same platform (Android to Android, or iOS to iOS). If you no longer have the old phone, you cannot restore from it: sign in with your alternative method (text message or call) and re-register the app, or contact your local admin. Find out more about setting up the Microsoft Authenticator app here.
Always inform your local admin if you have lost your mobile phone, and always register an alternative method of multi-factor authentication (MFA) for emergencies, such as an alternative mobile phone number or the Microsoft Authenticator app on another mobile device. Find out more about setting up alternative authentication options here.
If you have alternate authentication methods configured in your Additional Security Verification page, then please select “Sign in another way” at the MFA prompt screen. For further information, click here.
If you did not register an alternative method of authentication, please contact your local admin or call the Help Desk (0333 200 1133).
If you do not have a corporate device, we recommend that you use your personal device, as your device is unique to you. This helps ensure your account can only be accessed by the person in possession of your phone. Even if someone has your login details and password, they will not be able to log in to the NHSmail Portal or access your Microsoft Office 365 account without your personal device. If mobile devices are not allowed in the workplace, contact your local admin to discuss alternatives, such as FIDO2 security tokens. Using multi-factor authentication (MFA) on your personal device will ensure your account remains protected and will not result in the collection, storage or tracking of any personally identifiable data.
The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping your NHSmail account secure protects the organisation, your own personal data and patient data. Your personal mobile phone details are not used for any purpose other than protecting your account. Adding the Microsoft Authenticator app to your personal mobile phone simply provides a way to confirm who you are.
Whether your mobile device needs to be connected to the internet for MFA depends on the type of authentication method you’re using.
- Microsoft Authenticator app: the push notification you receive on your phone to approve a sign-in requires an internet connection. The one-time password code shown in the app does not: it is computed from a secret stored on the phone and the current time, so it works offline as long as the phone's clock is roughly accurate.
- Text message: If you’re using text messages as your authentication option, an internet connection is not required.
- Call: If you’re using calls as your authentication option, an internet connection is not required.
If you are using a FIDO2 security key instead of a mobile device, the computer or device you are signing in from needs an internet connection; the key itself does not connect to anything.
The Microsoft Authenticator app is the preferred method and will give you the best experience. The app is available for Android and iOS. If your phone is unable to run the app, you can select an alternative authentication method such as the 'Call me' or text message option, or contact your local admin to discuss alternatives, such as FIDO2 security tokens.
Make sure you have an alternative method to authenticate, such as the call or text message option, before removing or changing your existing authentication method. You will need it to log in to NHSmail services. Find out more about setting up alternative authentication options here.
Set Up & Use
Find out more about how easy it is to get started with MFA by clicking here.
You will need to re-authenticate on each device and each browser you log into. For desktop and mobile apps, you will be prompted to authenticate once, and then you will only be prompted again once a key account detail has changed, e.g. you have reset your password.
The above pattern will only change in certain cases where a specific MFA licence has been assigned to you by your organisation.
Guest users can still register for MFA. This helps keep NHSmail services and data secure and protected. For more information on how to register, click here.
For more information about FIDO2, please visit this page. You can also contact your local admin or call the Help Desk (0333 200 1133).
Please visit the NHS Care Identity Sign in Support site for more information or contact your local admin.
Additional Information
Call us on 0333 200 1133 or open a ticket by emailing helpdesk@nhs.net
For feedback, please contact us via Your Voice or feedback@nhs.net
Last reviewed: 21/06/2023