1. Home
  2. Guidance
  3. Compromised Accounts
  4. Remediating Compromised Accounts

Remediating Compromised Accounts

Remediating a compromised account is the reverse process, by which an account is no longer marked as compromised and reverted to its prior state.

The remediation/re-enabling of an NHSmail account that has been or believed to have been compromised should only occur on the basis the following activities have been performed:

  • At least one password reset has been performed on the account from the point the account was identified as compromised

Note: Due to a password reset taking place automatically during the mark as compromised process, this pre-requisite step should have already been completed.

  • A malware scan of the user’s desktop/laptop computer and any mobile devices used to access the NHSmail account around the point in time that the account was identified as compromised.

Once the above two actions have been completed, the remediation process for the account can proceed, allowing the user to regain access to their account.

Importance of Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) provides an additional layer of security to your NHSmail account when signing in to NHSmail via a web browser. It achieves this by requiring you to provide two different forms of identity on sign-in: your NHSmail password and a contact method.

MFA will automatically be enabled if your account is marked as compromised. For security reasons, once it has been enabled in this way, it can never be permanently disabled. This means that MFA will remain enabled on your account, regardless of whether the account is remediated or not.

Once your account has been remediated, you will regain the ability to sign in to NHSmail with your username and new password. In addition to this, you will be required to authenticate your sign-on via a secondary method (for example, a security code will be sent to your mobile phone). This two-step verification will help keep your NHSmail account secure.

Use of Office Phones for Authentication

Verification of your sign-in can be completed via the Microsoft authenticator app on your mobile device, a security code sent to your mobile device or a telephone call. The use of the office phone option is not recommended or supported by NHSmail. This option is available to users as Multi-factor Authentication is an off-the-shelf feature that cannot be customised. The limitations observed of using this option are outlined here. The recommended option for verification is to use the Microsoft authenticator app. Mobile phone numbers are stored for the sole purpose of supporting verification and will not be used for other purposes.

For further information relating to setting up MFA on your devices, please refer to: Multi-Factor Authentication (MFA) – NHSmail Support

How to Remediate a Compromised Account

1. On the ‘User Details’ page for the Compromised Account, click on the ‘Remediate Compromised Account’ button.

 

 

2. Once the dialog box has appeared, select ‘Confirm’ to proceed. If you do not wish for the account to be remediated, select ‘Cancel’. This will close the dialog box and the user account will remain compromised.

 

3. After selecting ‘Confirm’ on the dialog box, you will be directed to the ‘Reset Password’ page. On creating a new password for the user account, select ‘Update’. Please note, it will be your responsibility to share this password with the user.

 

4. After resetting the password for the account, if the remediate process has been successful, the following success notification will be displayed.

Remediated Account View

A remediated account can be identified from the following updates on the User Details page:

 

 

  • Addition of the following note within the Notes field:
    “Account had been identified as compromised but now remediated after local checks have been carried out on the DD-MM-YYYY.”
  • Presence of the “Mark as Compromised” button

Additionally, as part of the remediation process, the account will be re-enabled and reverted to its original status.

e.g. If an account had been in an ‘Active (Leaver)’ state before it was marked as compromised, following the remediation process, it will be reset to its prior status of ‘Active (Leaver)’.

Multi-Factor Authentication on a Remediated Account

For security reasons, following the remediation process, Multi-Factor Authentication will remain enabled on your account indefinitely.

Related Links:

Last Reviewed Date 12/08/2022
Updated on 12/08/2022

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top