Reminder: Mandatory NHSmail Multi-Factor Authentication for all users
Multi-Factor Authentication (MFA) is becoming mandatory for all NHSmail users. The NHSmail team previously announced that users would be prompted to enable MFA from late 2024, and a rollout timeline was introduced to support this transition.
This initiative follows earlier announcements (from 2023 onwards) about NHSmail MFA becoming a mandatory requirement.
What is MFA?
Previously, you logged into your NHSmail account using your email address and password. MFA is an additional security measure that verifies your identity when logging in, helping to prevent unauthorised access to NHSmail accounts. It is becoming the default method for accessing NHSmail accounts and you are likely to be familiar with the approach from other IT systems you use, such as online banking and shopping websites.
How do I enable MFA on my NHSmail account?
Instructions for enabling MFA can be found in this briefing and on the NHSmail support website MFA webpages.
To enable MFA, NHSmail users should:
- Log in to the NHSmail portal (https://portal.nhs.net)
- Go to ‘Profile’, then ‘My Profile’
- Select ‘Self-Service’, then ‘Self-enroll for MFA’.
- Choose how MFA notifications will be received:
  - A Microsoft authentication app on a personal or work device (recommended option);
  - A text message;
  - A phone call; or
  - A ‘FIDO2 token’ (a hardware device used for authentication).
MFA roll-out
The NHSmail security team will notify users who have not yet enabled MFA about the upcoming impacts on their accounts if MFA is not activated, which may include access to Microsoft NHSmail 365 services being halted until MFA is applied.
The vast majority of NHSmail users have now already enabled MFA.
Users who have not enabled MFA will be prompted to enrol the next time they log in to the Portal, Outlook Web/Desktop Apps or any other 365 service.
MFA benefits
MFA has been available on the platform for some time and you may already use it within other IT systems, such as online banking. It offers several key benefits:
- Enhanced security: More than 99.9% of accounts compromised by cyber attacks can be protected by using MFA (Source: Microsoft).
- Minimised disruption: MFA can prevent disruption to patient care, referrals and appointments.
- Better data protection: MFA helps safeguard patient data by providing a more secure environment.
As online working becomes more common, protecting yourself and the data you handle is increasingly important. NHSmail is a secure communication platform and MFA aims to further strengthen security across all user accounts.
The NHS Data Security and Protection Toolkit (DSPTK) and the Information Commissioner’s Office (ICO) recommended enabling MFA for online accounts.
FAQs
What lessons are being taken from other pharmacy MFA rollouts?
Community Pharmacy England has shared feedback with NHS England and the NHSmail team on the experiences of pharmacy teams during the MFA rollout in a clinical services IT system in early 2024, to help inform the rollout of MFA within NHSmail.
How do I enable MFA?
For a step-by-step guide to enabling MFA for pharmacy NHSmail accounts, please refer to this detailed instruction guide:
Step-by-step guide on enabling MFA for pharmacy NHSmail.
It is essential that pharmacy team members enable MFA as soon as possible to identify and resolve any early issues.
We value your feedback on your experience with MFA, including any suggestions for improving the NHSmail MFA process for pharmacy use. Please share your feedback at cpe.org.uk/itfeedback. We will use your feedback in ongoing discussions with the NHSmail team.
Will my shared mailbox require MFA protection?
No. Shared mailboxes are accessed via personal NHSmail user accounts, which need to have MFA applied to them. Since users log in through their personal accounts, shared mailboxes do not need separate MFA protection.