MFA User Frequently Asked Questions (FAQs)

Here are some answers to questions you may have about Multi-Factor Authentication (MFA).


What is Multi-factor Authentication (MFA)?

Normally you use your username and password to log into your NHSmail account. Multi-factor authentication (MFA) is an additional way of checking that it is really you when you log in into your account. In addition to your username and password, you will need to set up a second form of authentication, such as an authentication app on your smartphone or tablet. This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password.

Why is MFA important to the NHS?

Consider the information that you send and receive via email everyday – what would happen if this was accessed? Cyberattacks pose a risk to patient privacy because hackers access sensitive information potentially causing harm to patient safety and care delivery. Hackers can use ransomware viruses to hold medical records or devices hostage, risking your access to vital tools and information.

  • 80% of data breaches can be prevented by simple actions like enabling multi-factor authentication (MFA) – Source: DBIR, 2020
  • 90% of healthcare organizations experienced a data breach from 2017 to 2020 – Source: Hervajec Group, 2020
  • 99% of accounts compromised by cyber-attacks can be blocked by using MFA – Source: Microsoft, 2022

What are the benefits of MFA?

  • Keeps any patient data in a more protected environment
  • Helps you gain access to your account should you forget your password
  • Helps protect NHS reputation
  • Provides increased protection against cyber attacks
  • Checks if an attempt is made to access your account from an unusual location or device

Why is MFA being enforced?

With the recent increase in security breaches and attacks on accounts, it is important to step up security to protect the NHS and our patients from cyber attacks. According to the 2022 World Economic Forum Report, “cyber security failure” ranked among the top-10 risks that have worsened since the start of the COVID-19 crisis – in 2020, ransomware attacks increased by 435%.

Implementing multi-factor authentication (MFA) is one of the easiest, most effective actions you can take to improve the security of your data. It’s no longer a ‘nice to have’ but a necessity. 

What are my options for MFA?

There are three core methods for MFA currently available:

              • Authentication App (recommended option): Download the Microsoft Authenticator app to your smartphone to verify your sign in or to get a verification code.
              • Text message: A text message (SMS) is sent to the mobile phone number registered containing a verification code.
              • Call: An automated voice call is made to the mobile phone number registered prompting the user to press # on their keypad.

Registering with more than one authentication method (e.g. both Microsoft Authenticator app and text message) ensures you have a back-up option in case of emergencies which means you will never lose access to your account if something happens to your device.

You should enable MFA using mobile app, text message or phone call in addition to using a FIDO2 token or NHS smartcard for security purposes. If using a FIDO2 token or NHS Smartcard in addition to another MFA option, you won’t be challenged for MFA.

What applications / systems does MFA protect?

Multi-factor authentication (MFA) is currently being used to protect the NHSmail Portal and all Microsoft Office 365 (O365) applications including Outlook, Teams, OneNote, OneDrive and SharePoint.

I am getting authentication requests, but I am not trying to sign in. What should I do?

If you aren’t trying to sign in but are requests to approve a sign in or provide an authentication code, this is a sign that a malicious actor is trying to access and compromise your account.

Only approve authentication requests when you know it’s you. If you receive authentication requests that you have not instigated, do not click approve. Alert your local admin / CSOC or call the Help Desk (0333 200 1133) to let them know that your account may be being attack. Please then reset or change your password.

What happens if my account has been compromised?

As part of the ongoing efforts to protect the NHSmail platform, multi-factor authentication (MFA) is enforced on all NHSmail accounts that are identified as compromised. Once your account has been compromised, you will not be able to disable MFA on your account. If you’re having issues accessing your account, you can contact your local admin or call the Help Desk (0333 200 1133).

Can NHS smartcards be used as a core MFA method?

NHS smartcards are not considered to be a core MFA option as they can only be used for web access and not with desktop applications. This means that in addition to using an NHS Smartcard, MFA should also be enabled using mobile app, text or phone call.

Is there a grace period when MFA is applied before it is enforced?

This is dependent on how MFA is applied, there is currently no grace period for Standard CA MFA. Named Location CA has a grace period of 14 days, during which you can skip the registration process. After the 14-day grace period has passed, you will not be able to login to your account until you have completed the registration.

Mobile Phone Numbers and Devices

I changed my mobile phone number, what should I do?

If you get a new mobile phone number, then you will need to update your MFA details here. On the ‘Security info’ page, click on change and edit it with your new phone number. This number is independent of the mobile number listed in your NHSmail Portal profile. Please note the number you enter must be a UK-based phone number.

For more information, please visit MFA Re-Enrolment.

For more queries please visit Mobile phone numbers and devices.

Can I use a non-UK phone number as an authentication option?

No, you can only use a UK-based phone number for MFA on your NHSmail account. The use of mobile phone numbers registered outside of the UK is not permissible. Please check the number associated with your MFA details here. If this number is a non-UK based phone number, please delete it and update the field with a UK-based phone number.

For more queries please visit Mobile phone numbers and devices.

I have a new mobile phone, but kept the same number, do I need to do anything?

If you have kept the same mobile number and have selected call or text message as method of authentication you do not have to do anything. If you have selected Authenticator app as your preferred authentication option, you just need to download the app on your new mobile device and backup the details from your old mobile device to your new one. To set up Microsoft Authenticator on a new phone, follow these steps:

  • Step 1: Open the Microsoft Authenticator app on old mobile
  • Step 2: Tap on the three-dotted icon and go to Settings
  • Step 3: Toggle Cloud backup or iCloud backup option
  • Step 4: Add a recovery account
  • Step 5: Open the Microsoft Authenticator app on the new mobile
  • Step 6: Tap on the begin recovery button
  • Step 7: Enter the credentials of the recovery account
  • Step 8: Reverify accounts to start using them.

Find out more about setting up the Microsoft Authenticator app here.

What should I do if my phone is lost or stolen, and I need to log into my account?

Always inform your local admin when you have misplaced your mobile and remember to always register an alternative method of multi-factor authentication (MFA) for emergencies, such as an alternative mobile phone number or set up the Microsoft Authenticator app on another mobile device. Find out more about setting up alternative authentication options here.

If you have alternate authentication methods configured in your Additional Security Verification page, then please select “Sign in another way” at the MFA prompt screen. For further information, click here.

If you did not register an alternative method of authentication, please contact your local admin or call the Help Desk (0333 200 1133).

What if I don't want to use my personal mobile phone for MFA?

If you don’t have a corporate device, we recommend that you use your personal device as your device is unique to you. This helps ensure your account can only be accessed by the person in possession of your phone. Even if someone has your log in details and password, they won’t be able to log into the NHSmail Portal or access your Microsoft Office 365 account without your personal device. If mobile devices are not allowed in the workplace, please contact your local admin to discuss alternatives, such as FIDO2 security tokens. Using multi-factor authentication (MFA) on your personal device will ensure your account remains protected and will not result in the collection, storage or tracking of any personally identifiable data.

Can MFA allow data access to my personal phone?

The Microsoft Authenticator app does not collect or store any personally identifiable data. Keeping your NHSmail account secure will protect the organisation, your own personal data and patient data. Your personal mobile phone details are not used for any other purpose than protecting your account. By adding the Microsoft Authenticator app to your personal mobile phone this is just providing a method to confirm who you are.

Does my mobile device need to be connected to the internet for MFA?

Whether your mobile device needs to be connected to the internet for MFA depends on the type of authentication method you’re using.

  • Microsoft Authenticator app: If you’re using the Microsoft Authenticator app as your authentication option, the push notification you receive on your phone to approve a sign in requires an internet connection. However, if you are using the app to access a one-time password code, an internet connection is not required.
  • Text message: If you’re using text messages as your authentication option, an internet connection is not required.
  • Call: If you’re using calls as your authentication option, an internet connection is not required.

Please note that if you’re not using your mobile device and are using a FIDO2 token as your authentication option instead after having enabled one of the core options above, an internet connection is required.

If I don't have a smartphone or enough space to download the Microsoft Authenticator app, can I still register for MFA?

The Microsoft Authenticator app is the preferred method and will give you the best experience. The app is available for Android and iOS. If your phone is unable to run the app or you do not have a smartphone, you can select an alternative authentication method such as the ‘Call me’ or text message option. Alternatively, please contact your Local Administrator to discuss alternatives, such as FIDO2 security tokens which can be used as a workaround to bypass MFA once a core option has been enabled on your account.

Can I delete the Microsoft Authenticator app from my mobile device?

Make sure you have an alternative method to authenticate before doing so, such as the call or text message option. You will need this to log in to NHSmail services. Find out more about setting up alternative authentication options here.

I have a new device/ phone number, how do I re-enrol for MFA?

Please refer to guidance here on the steps for all authentication methods to enable MFA for yourself. If you need additional guidance, please contact your Local Administrator.

What if I have problems with the Microsoft Authenticator app?

Please follow the guidance on How to Install Authenticator app and further guidance on steps for How to set up MFA on the Authenticator app.

If your Microsoft Authenticator app is not responding or you are not receiving a code, please ensure that your app is up to date and your device is connected to the internet and has a stable network connection. Your device would further need the permissions to send notifications to be turned on in your device settings.

If the issue persists, please try an alternative verification method such as a text message or phone call.

Set Up & Use

What are the steps to set up MFA?

Find out more about how easy it is to get started with MFA by clicking here.

Important Note: From 5 October 2023 newly created user accounts will have MFA enabled by default. Therefore, the Self-Enrol Steps only apply to accounts created prior to this date.

Do I have to authenticate each time I log in to NHSmail?

You will need to re-authenticate on each device and each browser you log into. For desktop and mobile apps, you will be prompted to authenticate once, and then you will only be prompted again once a key account detail has changed, e.g. you have reset your password.

The above pattern will only change in certain cases where a specific MFA licence has been assigned to you by your organisation.

I am a guest user, does MFA still apply to me?

Yes, as a guest user you can still register for MFA. This helps keeps NHSmail services and data secure and protected. For more information on how to register click here.

What if I have problems with my FIDO2 token?

For more information about FIDO2, please visit this page. You can also contact your local admin or call the Help Desk (0333 200 1133).

What if I have problems with my NHS Smartcard?

Please visit the NHS Care Identity Sign in Support site for more information or contact your local admin.

Will users be able to self-disable MFA?

Users will not be able to self-disable MFA, please contact your Local Administrator for any assistance with MFA.

How can I change my authentication method for MFA?

You can change the authentication method following the steps below

Step 1: Open a window browser and type the link and enter your NHSmail email address and password

Step 2: Select ‘Change’ where you have the default sign-in method.

Step 3: Select the new preferred method to authenticate MFA.

Step 4: After selecting the new preferred method for MFA, click ‘Confirm’

For more details please visit Change your preferred method of authentication for MFA.

Additional Information

How can I contact the Help Desk for support?

Call us on 0333 200 1133 Or open a ticket

For feedback, please contact us via Your Voice or 

How does MFA work for shared mailboxes?

Shared mailboxes, (i.e., when users access the shared mailbox from within their own mailbox without the need to enter a separate password) do not need MFA as they do not have passwords. Please see further guidance on shared mailboxes here.

How can I get an exception for MFA or disable MFA?

If you require an exception for MFA, please speak to your Local Administrator for guidance.

Last Reviewed Date 04/04/2024
Updated on 04/04/2024

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top