MFA User Frequently Asked Questions (FAQs)

Normally you use your username and password to log into your NHSmail account. Multi-factor authentication (MFA) is an additional way of checking that it is really you when you log in into your account. In addition to your username and password, you will need to set up a second form of authentication, such as an authentication app on your smartphone or tablet. This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password.

Consider the information that you send and receive via email everyday – what would happen if this was accessed? Cyberattacks pose a risk to patient privacy because hackers access sensitive information potentially causing harm to patient safety and care delivery. Hackers can use ransomware viruses to hold medical records or devices hostage, risking your access to vital tools and information.

• 80% of data breaches can be prevented by simple actions like enabling multi-factor authentication (MFA) – Source: DBIR, 2020
• 90% of healthcare organizations experienced a data breach from 2017 to 2020 – Source: Hervajec Group, 2020
• 99% of accounts compromised by cyber-attacks can be blocked by using MFA – Source: Microsoft, 2022

• Keeps any patient data in a more protected environment
• Helps you gain access to your account should you forget your password
• Helps protect NHS reputation
• Provides increased protection against cyber attacks
• Checks if an attempt is made to access your account from an unusual location or device

With the recent increase in security breaches and attacks on accounts, it is important to step up security to protect the NHS and our patients from cyber attacks. According to the 2022 World Economic Forum Report, “cyber security failure” ranked among the top-10 risks that have worsened since the start of the COVID-19 crisis – in 2020, ransomware attacks increased by 435%.

Implementing multi-factor authentication (MFA) is one of the easiest, most effective actions you can take to improve the security of your data. It’s no longer a ‘nice to have’ but a necessity. 

There are three core methods for MFA currently available:

• • • • • • • Authentication App (recommended option): Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
            • Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
            • Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.

Registering with more than one authentication method (e.g. both Microsoft Authenticator app and text message) ensures you have a back-up option in case of emergencies which means you will never lose access to your account if something happens to your device.

You should enable MFA using mobile app, text message or phone call in addition to using a FIDO2 token or NHS smartcard for security purposes. If using a FIDO2 token or NHS Smartcard in addition to another MFA option, you won’t be challenged for MFA.

Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.

If you aren’t trying to sign in but are requests to approve a sign in or provide an authentication code, this is a sign that a malicious actor is trying to access and compromise your account.

Only approve authentication requests when you know it’s you. If you receive authentication requests that you have not instigated, do not click approve. Alert your local admin / CSOC or call the Help Desk (0333 200 1133) to let them know that your account may be being attack. Please then reset or change your password.

As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) is enforced on all NHSmail accounts that are identified as compromised. Once your account has been compromised, you will not be able to disable MFA on your account. If you’re having issues accessing your account, you can contact your local admin or call the Help Desk (0333 200 1133).

FIDO2 tokens are currently not considered to be “core” MFA options. They can be used as a workaround to by-pass MFA prompts once a core MFA method has been set up on their account.

It is on our future roadmap that FIDO2 tokens will become a core option, but there are currently no dates around this.

NHS smartcards are not considered to be a core MFA option as they can only be used for web access and not with desktop applications. This means that in addition to using an NHS Smartcard, MFA should also be enabled using mobile app, text or phone call.

This is dependent on how MFA is applied, there is currently no grace period for Standard CA MFA. Named Location CA has a grace period of 14 days, during which you can skip the registration process. After the 14-day grace period has passed, you will not be able to login to your account until you have completed the registration.

If you get a new mobile phone number, then you will need to update your MFA details here. On the ‘Security info’ page, click on change and edit it with your new phone number. This number is independent of the mobile number listed in your NHSmail Portal profile. Please note the number you enter must be a UK-based phone number.

For more information, please visit MFA Re-Enrolment.

For more queries please visit Mobile phone numbers and devices.

No, you can only use a UK-based phone number for MFA on your NHSmail account. The use of mobile phone numbers registered outside of the UK is not permissible. Please check the number associated with your MFA details here. If this number is a non-UK based phone number, please delete it and update the field with a UK-based phone number.

For more queries please visit Mobile phone numbers and devices.

If you have kept the same mobile number and have selected call or text message as method of authentication you do not have to do anything. If you have selected Authenticator app as your preferred authentication option, you just need to download the app on your new mobile device and backup the details from your old mobile device to your new one. To set up Microsoft Authenticator on a new phone, follow these steps:

• Step 1: Open the Microsoft Authenticator app on old mobile
• Step 2: Tap on the three-dotted icon and go to Settings
• Step 3: Toggle Cloud backup or iCloud backup option
• Step 4: Add a recovery account
• Step 5: Open the Microsoft Authenticator app on the new mobile
• Step 6: Tap on the begin recovery button
• Step 7: Enter the credentials of the recovery account
• Step 8: Reverify accounts to start using them.

Find out more about setting up the Microsoft Authenticator app here.

Always inform your local admin when you have misplaced your mobile and remember to always register an alternative method of multi-factor authentication (MFA) for emergencies, such as an alternative mobile phone number or set up the Microsoft Authenticator app on another mobile device. Find out more about setting up alternative authentication options here.

If you have alternate authentication methods configured in your Additional Security Verification page, then please select “Sign in another way” at the MFA prompt screen. For further information, click here.

If you did not register an alternative method of authentication, please contact your local admin or call the Help Desk (0333 200 1133).

If you don’t have a corporate device, we recommend that you use your personal device as your device is unique to you. This helps ensure your account can only be accessed by the person in possession of your phone. Even if someone has your log in details and password, they won’t be able to log into the NHSmail Portal or access your Microsoft Office 365 account without your personal device. If mobile devices are not allowed in the workplace, please contact your local admin to discuss alternatives, such as FIDO2 security tokens. Using multi-factor authentication (MFA) on your personal device will ensure your account remains protected and will not result in the collection, storage or tracking of any personally identifiable data.

The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping your NHSmail account secure will protect the organisation, your own personal data and patient data. Your personal mobile phone details are not used for any other purpose than protecting your account. By adding the Microsoft Authenticator app to your personal mobile phone this is just providing a method to confirm who you are.

Whether your mobile device needs to be connected to the internet for MFA depends on the type of authentication method you’re using.

• Microsoft Authenticator app: If you’re using the Microsoft Authenticator app as your authentication option, the push notification you receive on your phone to approve a sign in requires an internet connection. However, if you are using the app to access a one-time password code, an internet connection is not required.
• Text message: If you’re using text messages as your authentication option, an internet connection is not required.
• Call: If you’re using calls as your authentication option, an internet connection is not required.

Please note that if you’re not using your mobile device and are using a FIDO2 token as your authentication option instead after having enabled one of the core options above, an internet connection is required.

The Microsoft Authenticator app is the preferred method and will give you the best experience. The app is available for Android and iOS. If your phone is unable to run the app or you do not have a smartphone, you can select an alternative authentication method such as the ‘Call me’ or text message option. Alternatively, please contact your Local Administrator to discuss alternatives, such as FIDO2 security tokens which can be used as a workaround to bypass MFA once a core option has been enabled on your account.

Make sure you have an alternative method to authenticate before doing so, such as the call or text message option. You will need this to log in to NHSmail services. Find out more about setting up alternative authentication options here.

Please refer to guidance here on the steps for all authentication methods to enable MFA for yourself. If you need additional guidance, please contact your Local Administrator.

Please follow the guidance on How to Install Authenticator app and further guidance on steps for How to set up MFA on the Authenticator app.

If your Microsoft Authenticator app is not responding or you are not receiving a code, please ensure that your app is up to date and your device is connected to the internet and has a stable network connection. Your device would further need the permissions to send notifications to be turned on in your device settings.

If the issue persists, please try an alternative verification method such as a text message or phone call.

Find out more about how easy it is to get started with MFA by clicking here.

Important Note: From 5 October 2023 newly created user accounts will have MFA enabled by default. Therefore, the Self-Enrol Steps only apply to accounts created prior to this date.

You will need to re-authenticate on each device and each browser you log into. For desktop and mobile apps, you will be prompted to authenticate once, and then you will only be prompted again once a key account detail has changed, e.g. you have reset your password.

The above pattern will only change in certain cases where a specific MFA licence has been assigned to you by your organisation.

Yes, as a guest user you can still register for MFA. This helps keeps NHSmail services and data secure and protected. For more information on how to register click here.

For more information about FIDO2, please visit this page. You can also contact your local admin or call the Help Desk (0333 200 1133).

Please visit the NHS Care Identity Sign in Support site for more information or contact your local admin.

Users will not be able to self-disable MFA, please contact your Local Administrator for any assistance with MFA.

You can change the authentication method following the steps below

Step 1: Open a window browser and type the link https://aka.ms/mysecurityinfo and enter your NHSmail email address and password

Step 2: Select ‘Change’ where you have the default sign-in method.

Step 3: Select the new preferred method to authenticate MFA.

Step 4: After selecting the new preferred method for MFA, click ‘Confirm’

For more details please visit Change your preferred method of authentication for MFA.

Call us on 0333 200 1133 Or open a ticket helpdesk@nhs.net

For feedback, please contact us via Your Voice or feedback@nhs.net 

Shared mailboxes, (i.e., when users access the shared mailbox from within their own mailbox without the need to enter a separate password) do not need MFA as they do not have passwords. Please see further guidance on shared mailboxes here.

If you require an exception for MFA, please speak to your Local Administrator for guidance.