
MFA Frequently Asked Questions (FAQs)

Here are some answers to questions you may have about Multi-Factor Authentication (MFA).

Overview

What is Multi-factor Authentication (MFA)?

Normally you use your username and password to log into your NHSmail account. Multi-factor authentication (MFA) is an additional way of checking that it is really you when you log in into your account. In addition to your username and password, you will need to set up a second form of authentication, such as an authentication app on your smartphone or tablet. This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password.

Why is MFA important to the NHS?

Consider the information that you send and receive via email every day – what would happen if this was accessed? Cyberattacks pose a risk to patient privacy because attackers can access sensitive information, potentially causing harm to patient safety and care delivery. Attackers can also use ransomware to hold medical records or devices hostage, risking your access to vital tools and information.

  • 80% of data breaches can be prevented by simple actions like enabling multi-factor authentication (MFA) – Source: DBIR, 2020
  • 90% of healthcare organizations experienced a data breach from 2017 to 2020 – Source: Herjavec Group, 2020
  • 99% of accounts compromised by cyber-attacks can be blocked by using MFA – Source: Microsoft, 2022

What are the benefits of MFA?

  • Keeps any patient data in a more protected environment
  • Helps you gain access to your account should you forget your password
  • Helps protect NHS reputation
  • Provides increased protection against cyber attacks
  • Checks if an attempt is made to access your account from an unusual location or device

Why is MFA being enforced?

With the recent increase in security breaches and attacks on accounts, it is important to step up security to protect the NHS and our patients from cyber attacks. According to the 2022 World Economic Forum Report, “cyber security failure” ranked among the top-10 risks that have worsened since the start of the COVID-19 crisis – in 2020, ransomware attacks increased by 435%.

Implementing multi-factor authentication (MFA) is one of the easiest, most effective actions you can take to improve the security of your data. It’s no longer a ‘nice to have’ but a necessity. 

What are my options for MFA?

Registering more than one authentication method (e.g. both the Microsoft Authenticator app and text message) gives you a back-up option for emergencies, so you will not lose access to your account if something happens to your device.

  • Authentication App: Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
  • Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
  • Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.
  • FIDO2: Sign in with any of the supported FIDO2 security keys.
  • NHS smartcard: If you have an NHS Care Identity Smartcard, register it with NHSmail and use it as an alternative to sign into NHSmail Portal and Office 365 web-based applications.

You should enable MFA using the mobile app, text message, phone call or a FIDO2 token in addition to your NHS smartcard. If you sign in with an NHS Smartcard, you will not be challenged for MFA, but you should still register another MFA option as a back-up.

What applications / systems does MFA protect?

Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.

I am getting authentication requests, but I am not trying to sign in. What should I do?

If you aren’t trying to sign in but are receiving requests to approve a sign in or provide an authentication code, this is a sign that a malicious actor has your password and is trying to access and compromise your account.

Only approve authentication requests when you know it’s you. If you receive authentication requests that you have not instigated, do not click approve. Alert your local admin / CSOC or call the Help Desk (0333 200 1133) to let them know that your account may be under attack. Then reset or change your password.

What happens if my account has been compromised?

As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) is enforced on all NHSmail accounts that are identified as compromised. Once your account has been identified as compromised, you will not be able to disable MFA on your account. If you’re having issues accessing your account, you can contact your local admin or call the Help Desk (0333 200 1133).

Mobile Phone Numbers and Devices

I changed my mobile phone number, what should I do?

If you get a new mobile phone number, then you will need to update your MFA details here. On the ‘Security info’ page, click on change and edit it with your new phone number. This number is independent of the mobile number listed in your NHSmail Portal profile. Please note the number you enter must be a UK-based phone number.

Can I use a non-UK phone number as an authentication option?

No, you can only use a UK-based phone number for MFA on your NHSmail account. The use of mobile phone numbers registered outside of the UK is not permissible. Please check the number associated with your MFA details here. If this number is a non-UK based phone number, please delete it and update the field with a UK-based phone number.

I have a new mobile phone, but kept the same number, do I need to do anything?

If you have kept the same mobile number and have selected call or text message as your method of authentication, you do not have to do anything. If you have selected the Authenticator app as your preferred authentication option, you just need to download the app on your new mobile device and restore the details backed up from your old mobile device. To set up Microsoft Authenticator on a new phone, follow these steps:

  • Step 1: Open the Microsoft Authenticator app on old mobile
  • Step 2: Tap on the three-dotted icon and go to Settings
  • Step 3: Toggle Cloud backup or iCloud backup option
  • Step 4: Add a recovery account
  • Step 5: Open the Microsoft Authenticator app on the new mobile
  • Step 6: Tap on the begin recovery button
  • Step 7: Enter the credentials of the recovery account
  • Step 8: Reverify accounts to start using them.

Find out more about setting up the Microsoft Authenticator app here.

What should I do if my phone is lost or stolen, and I need to log into my account?

Always inform your local admin when you have misplaced your mobile and remember to always register an alternative method of multi-factor authentication (MFA) for emergencies, such as an alternative mobile phone number or set up the Microsoft Authenticator app on another mobile device. Find out more about setting up alternative authentication options here.

If you have alternate authentication methods configured in your Additional Security Verification page, then please select “Sign in another way” at the MFA prompt screen. For further information, click here.

If you did not register an alternative method of authentication, please contact your local admin or call the Help Desk (0333 200 1133).

What if I don't want to use my personal mobile phone for MFA?

If you don’t have a corporate device, we recommend that you use your personal device, as your device is unique to you. This helps ensure your account can only be accessed by the person in possession of your phone. Even if someone has your login details and password, they won’t be able to log into the NHSmail Portal or access your Microsoft Office 365 account without your personal device. If mobile devices are not allowed in the workplace, please contact your local admin to discuss alternatives, such as FIDO2 security tokens. Using multi-factor authentication (MFA) on your personal device will ensure your account remains protected and will not result in the collection, storage or tracking of any personally identifiable data.

Can MFA allow data access to my personal phone?

The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping your NHSmail account secure will protect the organisation, your own personal data and patient data. Your personal mobile phone details are not used for any purpose other than protecting your account. Adding the Microsoft Authenticator app to your personal mobile phone simply provides a method to confirm who you are. Further information can be found here.

Does my mobile device need to be connected to the internet for MFA?

Whether your mobile device needs to be connected to the internet for MFA depends on the type of authentication method you’re using.

  • Microsoft Authenticator app: If you’re using the Microsoft Authenticator app as your authentication option, the push notification you receive on your phone to approve a sign in requires an internet connection. However, if you are using the app to read a one-time password code, an internet connection is not required, because the code is calculated on the phone itself.
  • Text message: If you’re using text messages as your authentication option, an internet connection is not required.
  • Call: If you’re using calls as your authentication option, an internet connection is not required.

Please note that if you’re not using your mobile device and you are using a FIDO2 token or NHS Smartcard as your authentication option instead, an internet connection is required.

If I don't have a smartphone or enough space to download the Microsoft Authenticator app, can I still register for MFA?

The Microsoft Authenticator app is the preferred method and will give you the best experience. The app is available for Android and iOS. If your phone is unable to run the app, you can select an alternative authentication method such as the ‘Call me’ or text message option. Alternatively, please contact your local admin to discuss alternatives, such as FIDO2 security tokens or NHS Smartcards.

Can I delete the Microsoft Authenticator app from my mobile device?

Make sure you have an alternative method to authenticate before doing so, such as the call or text message option. You will need this to log in to NHSmail services. Find out more about setting up alternative authentication options here.

Set Up & Use

What are the steps to set up MFA?

Find out more about how easy it is to get started with MFA by clicking here.

Do I have to authenticate each time I log in to NHSmail?

You will need to re-authenticate on each device and each browser you log into. For desktop and mobile apps, you will be prompted to authenticate once, and then you will only be prompted again once a key account detail has changed, e.g. you have reset your password.

The above pattern will only change in certain cases where a specific MFA licence has been assigned to you by your organisation.

I am a guest user, does MFA still apply to me?

Yes, as a guest user you can still register for MFA. This helps keep NHSmail services and data secure and protected. For more information on how to register click here.

What if I have problems with my FIDO2 token?

For more information about FIDO2, please visit this page. You can also contact your local admin or call the Help Desk (0333 200 1133).

What if I have problems with my NHS Smartcard?

Please visit the NHS Care Identity Sign in Support site for more information or contact your local admin.

Additional Information

How can I contact the Help Desk for support?

Call us on 0333 200 1133 or open a ticket by emailing helpdesk@nhs.net

For feedback, please contact us via Your Voice or feedback@nhs.net

Last Reviewed Date 28/11/2022
Updated on 28/11/2022
