Setting up Time-Based One-Time Password Software Tokens

Various vendors offer software solutions that allow you to configure Software Time-Based One-Time (TOTP) tokens that can be used as a second authentication factor with NHSmail. These are an alternative to other methods currently available on the platform such as the Microsoft Authenticator App.

In all cases, if issues are encountered when setting up or using TOTP solutions, please contact your specific vendor directly for support and assistance. Whilst every effort will be made to provide generic support to resolve common issues, the NHSmail Support Teams will not be able to investigate complex TOTP issues.

This page provides examples from a couple of vendors but is not an exhaustive list of available implementations of the TOTP protocol – please consult your vendor documentation for full and up to date instructions of how to configure these methods with M365/Entra ID.

Important Note:

TOTP tokens although they currently are configurable to use with NHSmail accounts we have not been able to test all implementations of these due to the number available.

Yubico Authenticator

Although Yubico provides many FIDO2 keys some of their keys also allow for the configuration of TOTP tokens through their Desktop (or Phone) Authenticator app. Check that your Yubico device supports TOTP tokens before attempting to configure Yubico Authenticator application.

1. Ensure your Yubico key is plugged in to your device and your Yubico Authenticator app is open

2. Navigate to My Sign-Ins (microsoft.com)

3. Navigate to the Security Info tab

4. Click Add-sign in method

5. Add authentication app

6. Click Add

 

7. I want to use different authenticator app

 

 

 

8. Next

 

 

 

9. Click “Can’t scan image”?

 

 

 

10. Copy the ‘Secret Key’ using the copy button

 

 

 

11. In the Yubico Authenticator App click the settings icon in the top right corner

 

 

12. Add account

 

 

 

13. Input the nhs.net email address in Account name and paste in the secret key copied earlier. Issuer allows you to give a name to the account but is optional.

14. Click save in the top right corner

15. Return to the My Sign In’s page and Click Next

16. Enter the current code from the Yubico Authenticator app to complete the process and click next

 

 

 

 

 

 

17. The newly registered Authenticator app will display in My Sign In’s as shown in the image on the left

 

 

Twilio Authy

Important Note:

Twilio Authy provide both a desktop and mobile app – Twilio will decommission the desktop application from Summer 2024.

1. Ensure the Twilo Authy app is installed on your device

2. Navigate to My Sign-Ins (microsoft.com)

3. Navigate to the Security Info tab

 

4. Click Add-sign in method

5. Add authentication app

6. Click Add

 

7. I want to use different authenticator app

 

 

 

8. Next

 

 

 

9. The image on the left will be displayed – you can scan the QR code with the Authy app

 

 

10. In the Authy app click the “Add Account” button either in the top panel or the Add Account button

 

 

11. Click the Scan QR Code button

 

 

 

12. Rename the account name if required and click Done

 

 

 

13. Return to the My Sign In’s page and Click Next

 

 

 

14. Enter the current code from the newly setup account in the Authy app to complete the process and click next

 

 

15. The newly registered Authy app will display in My Sign In’s as shown in the image

 

 

 

Google Authenticator

1. Navigate to My Sign-Ins (microsoft.com)

2. Navigate to the Security Info tab

3. Click Add-sign in method

 

4. Add authentication app

5. Click Add

 

 

6. I want to use different authenticator app

 

 

 

7. Next

 

 

 

8. The following screen will be displayed as on the left

 

 

 

9. Open the Google Authenticator App on your mobile device

 

 

 

10. Click the + in the bottom right corner of the screen

 

 

 

11. Click Scan QR Code and focus your device’s camera over the displayed QR code on screen. It will return you to the home screen of the Google Authenticator app and display the newly added account like shown in the image

 

12. Return to the mysignins page and Click Next

13. Enter the current code from the Google Authenticator app to complete the process and click next

14. The newly registered Authenticator app will display in My Sign In’s as shown in the image

When signing in you will see either of the following:

After entering your username and password you will be presented with the following screen for portal.nhs.net logins:

Simply open you Google Authenticator app and enter the code displayed and click Sign In

Logging in directly to M365 services (ie. Via portal.office.com) you will see as displayed by the image on the left when prompted for MFA

 

 

Programable Hardware Tokens

Many vendors offer programable hardware tokens that can be configured using either USB or NFC. These tokens allow for authentication without a mobile device or software program on the users device.

Due the varied nature of how these tokens are created we recommend using the vendors documentation to configure these. Below are two vendor examples:

Token2 | 2FA solutions and products | Using programmable hardware tokens with Azure AD B2C | TOKEN2 MFA Products and Services | programmable hardware token, FIDO2 key, U2F key, TOTP, 2FA solutions and products |

How to set up SafeID programmable token on an Office 365 account without privileged access – SafeID – Deepnet Security Technical Guides

We currently cannot support standard hardware tokens (those that come with a serial number or config key) due the way these need to be setup within the central tenant – this is being investigated with Microsoft to see if these can be brought into the future roadmap but unlikely to be during 2024.

Last Reviewed Date 12/02/2024
Updated on 12/02/2024

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top