Multi-Factor Authentication (MFA)

Overview

MFA helps protect users by making it more difficult for someone else to sign in to their NHSmail account. It uses two different forms of identity: the user’s password, and a contact method.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) provides an additional layer of security to your NHSmail account when signing in to NHSmail via a web browser. As a Local Administrator (LA) you will have MFA automatically enabled on your NHSmail account. You will continue to sign in to NHSmail with your username and password.

In addition to this, you will be required to authenticate your sign-on via a secondary method (for example, a text message code). This guide provides guidance on registering for and signing in with MFA.

Even if someone else finds the user’s password, they will be prevented from gaining access to the NHSmail account if they do not also have access to the user’s preferred contact method.

Once MFA has been enabled on your account, two-step verification will help keep your NHSmail account secure: a security code will be sent to your mobile phone or generated via the Microsoft authenticator app every time you sign in.

Use of Office Phones for Authentication

Verification of your sign-in can be completed via the Microsoft Authenticator app on your mobile device, a security code sent to your mobile device or a telephone call. The use of the office phone option is not recommended or supported by NHSmail. This option is available to users because Multi-Factor Authentication is an off-the-shelf feature that cannot be customised. The limitations observed when using this option are outlined on page 4 of this guide. The recommended option for verification is to use the Microsoft Authenticator app. Mobile phone numbers are stored for the sole purpose of supporting verification and will not be used for other purposes.

NOTE:

Mobile numbers used to register for an NHSmail account must be UK based. Any NHSmail account registered with a non-UK number will be disabled, and the user will need to contact their local organisation to apply a UK-based phone number to their NHSmail account. Please see Information – Non-UK registered Phone Numbers for more information.

How do I set up MFA?

To set up MFA you can start by self-enrolling (see 1.1 Self-Enrol) or by being prompted on the NHS Portal login page.

After this, you will need to select your authentication method and follow the steps below and / or watch the videos to learn how to enrol for MFA.

Note: Remember to always register an alternative method of multi-factor authentication (MFA) for emergencies, such as an alternative mobile phone number or the Microsoft Authenticator app set up on another mobile device.

If you are using a mobile browser to enrol in MFA, the steps should be the same as for a desktop browser for all methods except the Microsoft Authenticator App.

1.1 Self-Enrol

Download the full Step by Step Guidance for Self Enrol

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/
  • Step 2: Click ‘Profile’ in the navigation bar at the top of the screen and select ‘My Profile’ from the drop-down menu
  • Step 3: From the ‘My profile’ page, click on ‘Self-Service’
  • Step 4: Select ‘Self-enrol’ for MFA
  • Step 5: Click ‘Confirm’ to enable the MFA
  • Step 6: The following success message will be displayed: ‘success: MFA enabled successfully for nhsmailaccount@nhs.net’.

Note: Now that MFA is enabled on the account, the authentication method (mobile app, call, text message or FIDO2 token) needs to be set up. Please select the method and follow the steps.

1.2 Microsoft Authenticator App

Download the full Step by Step Guidance for Microsoft Authenticator App

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/
  • Step 2: Select ‘Click me to enrol for Multi-Factor Authentication’ to proceed
  • Step 3: Once redirected to this page, select ‘Next’ to start the MFA set up process
  • Step 4: Click ‘Download Now’ to open a new window with the QR code to download the Microsoft Authenticator App
  • Step 5: Scan the QR code that is displayed with the camera on your mobile phone, pointing your mobile phone at the QR code (for Android use the QR code displayed on the left side and for iPhone scan the code on the right side). Then tap on the pop-up banner or QR code icon that appears on your mobile phone screen to be directed to download the Microsoft Authenticator App on your mobile phone
  • Step 6: Click ‘Get’ or ‘Install’ to download the Microsoft Authenticator app on your mobile phone and then click ‘Open’
  • Step 7: Click ‘Open’ to launch the Microsoft Authenticator app on your mobile phone
  • Step 8: After downloading the Microsoft Authenticator App on your mobile phone click ‘Next’
  • Step 9: Open the Microsoft Authenticator App on your mobile phone to set up and then click ‘Next’
  • Step 10: On this screen, open your Microsoft Authenticator App on your mobile device and follow the next steps
  • Step 11: Tap the ‘+’ or ‘+ Add account’ icon to add an account and continue the enrolment process
  • Step 12: On your mobile device select ‘Work or school account’
  • Step 13: A pop-up box will appear on your Microsoft Authenticator App screen, click ‘Scan QR code’
  • Step 14: On the Microsoft Authenticator App screen a QR code reader will appear. Point the mobile device to the screen and scan the QR code
  • Step 15: Click ‘Next’ to be directed to the next step and continue the enrolment process
  • Step 16: Following the approval on the Microsoft Authenticator App this screen will appear – no action is needed at this time
  • Step 17: A pop-up box will appear on your Microsoft Authenticator App screen, select ‘Approve’
  • Step 18: After approving the notification in your mobile phone app you will receive the following message ‘Notification approved’, click ‘Next’
  • Step 19: Insert a password name of at least 8 characters and then click ‘Next’. Note: The App password is required for legacy applications that are not supported by MFA.
  • Step 20: After creating a password name you will be provided with a key password – store this password in a safe place and click ‘Done’
  • Step 21: This message will confirm that you have finished your Microsoft Authenticator App set up. Click ‘Done’ and you will be taken to the application initially selected. Congratulations, you have successfully set up MFA!

1.3 Text Message

Download the full Step by Step Guidance for text message

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/ and then select ‘I want to set up a different method’ at the bottom of the box to add another option to authenticate your account
  • Step 2: A box with a drop-down list of the different options to register for MFA will appear on the screen
  • Step 3: This page allows you to choose an alternative option to authenticate your NHSmail account. Select ‘Phone’ Option. Note: The use of the office phone option is not supported by NHSmail. This option is available to users as Multi-factor Authentication is an off-the-shelf feature that cannot be customised.
  • Step 4: Click ‘Confirm’ to continue the registration process. Note: This phone number is your preferred contact method, and is not linked to the number listed in your NHSmail Portal profile
  • Step 5: Select your country code from the country options and enter the mobile phone number you would like to use, select ‘Text me a code’ as your authentication method and click ‘Next’. Note: Mobile numbers used to register for an NHSmail account must be UK based.
  • Step 6: Microsoft will send an authentication code by text message (SMS); please check your mobile phone for the six-digit code. Note: It is not expected that you will be charged to use this service as no messages will be sent during 2-step verification. However, SMS charges may apply if you try to access your account from outside the UK (incurring roaming charges).
  • Step 7: Enter the six-digit text code received by mobile phone into the text box provided and click ‘Next’ to proceed
  • Step 8: When the code is validated this message will appear on the screen. Click ‘Next’ to be taken to the next page.
  • Step 9: Insert a password name of at least 8 characters and then click ‘Next’. Note: The App password is required for legacy applications that MFA does not support.
  • Step 10: After creating a password name you will be provided with a key password – store this password in a safe place and click ‘Done’
  • Step 11: A message will confirm that you have finished your Microsoft Authenticator App set up. Click ‘Done’ and you will be taken to the application initially selected. Congratulations, you have successfully set up MFA!

1.4 Call

Download the full Step by Step Guidance for phone call

Follow the steps below to enrol in MFA:

  • Step 1: Once Multi-Factor Authentication (MFA) is enabled on your account, sign in with your NHSmail account to begin the set up process at https://portal.nhs.net/ and then select ‘I want to set up a different method’ at the bottom of the box to add another option to authenticate your account.
  • Step 2: A box with a drop-down list of the different options to register for MFA will appear on the screen.
  • Step 3: This page allows you to choose an alternative option to authenticate your NHSmail account. Select ‘Phone’ Option. Note: The use of the office phone option is not supported by NHSmail. This option is available to users as Multi-factor Authentication is an off-the-shelf feature that cannot be customised.
  • Step 4: Click ‘Confirm’ to continue the registration process. Note: This phone number is your preferred contact method, and is not linked to the number listed in your NHSmail Portal profile.
  • Step 5: Select your country code from the country options and enter the mobile phone number you would like to use, select ‘Call me’ option and click ‘Next’. Note: Mobile numbers used to register for an NHSmail account must be UK based.
  • Step 6: You will get a call to the registered mobile number. Note: It is not expected that you will be charged to use this service as no outgoing calls are made during 2-step verification. However, standard call charges may apply if you try to access your account from outside the UK (incurring roaming charges).
  • Step 7: Answer the call and press the # key on the device to verify your identity. Note: the automated message may ask you to press the “pound” key or the “hash” key, but you should always press the # symbol on your telephone keypad.
  • Step 8: Click ‘Next’ to continue the registration process.
  • Step 9: Insert a password name of at least 8 characters and then click ‘Next’. Note: The App password is required for legacy applications that MFA does not support.
  • Step 10: After creating a password name you will be provided with a key password – store this password in a safe place and click ‘Done’.
  • Step 11: A message will confirm that you have finished your Microsoft Authenticator App set up. Click ‘Done’ and you will be taken to the application initially selected. Congratulations, you have successfully set up MFA!

1.5 Alternative Phone

Download the full Step by Step Guidance for Alternative Phone

Follow the steps below to enrol in MFA:

  • Step 1: Open a browser window, go to https://aka.ms/mysecurityinfo and enter your NHSmail email address and password
  • Step 2: Authenticate your account using the selected method
  • Step 3: Select ‘+Add a sign-in method’ to include other alternative options to authenticate your NHSmail account
  • Step 4: Select ‘Alternative phone’ to include a secondary mobile phone number to authenticate MFA. Note: The use of the office phone option is not supported by NHSmail and should not be selected. This shows as an available option to users as it is an off-the-shelf feature that cannot be customised.
  • Step 5: Enter your secondary mobile phone number as an alternative option to authenticate your NHSmail account. Note: Mobile numbers used to register for an NHSmail account must be UK based.
  • Step 6: A call will be made to the registered mobile phone number
  • Step 7: Answer the call and press the # key on the device to verify your identity. Note: the automated message may ask you to press the “pound” key or the “hash” key, but you should always press the # symbol on your telephone keypad
  • Step 8: Click ‘Done’ to finalise the process of registering an alternative method for MFA.
  • Step 9: You will be directed to this page where you can check the MFA methods you have registered.

1.6 Change your preferred method of authentication for MFA

Download the full Step by Step Guidance for Changing your preferred method of authentication

Follow the steps below to enrol in MFA:

  • Step 1: Open a browser window, go to https://aka.ms/mysecurityinfo and enter your NHSmail email address and password
  • Step 2: Select ‘Change’ where you have the default sign-in method.
  • Step 3: Select the new preferred method to authenticate MFA.
  • Step 4: After selecting the new preferred method for MFA, click ‘Confirm’. Congratulations, you have changed your preferred method for MFA successfully!
Last Reviewed Date 07/09/2022
Updated on 07/09/2022
