NHSmail multi-factor authentication rolls out for all users

Multi-factor authentication (MFA) will soon be mandatory for all NHSmail users. The NHSmail team has announced that users will be prompted to enable MFA from mid-August, and an MFA timeline will be introduced to support the rollout.

This initiative follows earlier announcements (late 2023 onwards) about NHSmail MFA becoming mandatory.

What is MFA?

Normally, you use your email address and password to log into your NHSmail account. MFA is an additional security measure that verifies your identity when logging in, helping to prevent unauthorised access to NHSmail accounts. It will become the default method for accessing NHSmail accounts.

How do I enable MFA on my NHSmail account?

Instructions for enabling MFA can be found in this briefing and on the NHSmail support website MFA webpages.

These guidance materials explain that NHSmail users may enable MFA by:

  1. Logging in to the NHSmail portal (https://portal.nhs.net)
  2. Going to ‘Profile’, then ‘My Profile’
  3. Selecting ‘Self-Service’, then ‘Self-enroll for MFA’.
  4. Selecting how MFA notifications will be received for the NHSmail account holder:
    • a Microsoft authentication app on a personal or work device (recommended option);
    • text message;
    • phone call; or
    • a ‘FIDO2 token’ (a hardware device used for authentication).

MFA roll-out timelines

The NHSmail team has outlined the timeline for the MFA rollout. MFA will become mandatory for NHSmail users starting this Autumn. Key dates to note:

  • From August 19th, existing NHSmail users logging in will receive a notification to enable MFA. This prompt can be bypassed for 14 days.
  • Accounts without MFA by 2nd September 2024 will need to meet additional security requirements, including a longer password that must be reset every three months.
  • New users setting up personal accounts will be prompted to enable MFA during sign-up (from late July 2024).

MFA benefits

MFA has been available on the platform for some time and may already be in use for NHSmail and personal accounts, such as online banking. MFA offers several benefits:

  • More than 99.9% of accounts compromised by cyber attacks can be protected by using MFA (Source: Microsoft).
  • MFA can prevent disruption to patient care, referrals and appointments.
  • MFA helps safeguard patient data in a more secure environment.

As online working becomes more prevalent, the need to protect yourself and the data you handle is increasingly important. NHSmail is a secure communication platform, and the introduction of MFA across all user accounts aims to maintain this security. The Data Security and Protection Toolkit (DSPTK) and the Information Commissioner’s Office (ICO) have recommended that MFA is used where possible for online accounts.

FAQs

What lessons are being taken from other pharmacy MFA rollouts?

Community Pharmacy England has shared feedback with NHS England and the NHSmail team regarding the experiences of pharmacy teams during the recent MFA rollout in a clinical services IT system.

How do I enable MFA?

For detailed instructions, refer to this step-by-step guide on enabling MFA for pharmacy NHSmail.

It’s crucial for pharmacy team members using NHSmail to enable MFA as soon as possible to identify and address any early issues.

We value your feedback on your experience with MFA, including any suggestions for improving the NHSmail MFA process for pharmacy use.

Please share your feedback at cpe.org.uk/itfeedback. We will continue to collect your feedback and share it with the NHSmail team.

Will my shared mailbox require MFA protection?

Shared mailboxes are accessed by logging in through the personal NHSmail user account. The shared mailboxes do not have their own MFA protection, because this is not needed.