Multi-Factor Authentication (MFA)

MFA helps protect you by making it more difficult for someone else to sign in to your NHSmail account.

This uses two different forms of identity: something you know (your password), and something you have (like a mobile device or phone number).

Thumbnail images

There are images to the left of some of the steps in this guide showing more detail. Click or tap on the image to expand it and then on close or outside the image to return to this guide.


There is important information in this guide so please don't rely on the images alone.

Setting up

Log in to the NHSmail portal using the 'Login' link

If you aren't already logged in, log in to the NHSmail portal (https://portal.nhs.net/) using the 'Login' link.

Confirm whether multi-factor authentication (MFA) is already enabled on your account

Select one of the tabs below, depending on whether you are currently able to log in without multi-factor authentication.
Select 'Profile' from the navigation bar and then 'My Profile' from the menu that appears

1. Select 'Profile' from the navigation bar and then 'My Profile' from the menu that appears.

Select the 'Self-Service' tab and then 'Self-enroll for Azure MFA'

2. Select the 'Self-Service' tab and then 'Self-enroll for Azure MFA'.

Select 'Confirm'

3. Select 'Confirm'.

You may see a success notification near the top right of the page briefly

You may see a success notification near the top right of the page briefly.

Select 'Logout'

4. Select 'Logout'.

Select 'Click Here' to go back to the portal and log in again

5. Select 'Click Here' to go back to the portal and log in again.


You will now be able to enrol a method for multi-factor authentication.

Select 'Click me to enrol Multi-Factor Authentication'

1. Select 'Click me to enrol Multi-Factor Authentication' to proceed.

Select 'Next'

2. Once redirected to this page, select 'Next' to start.

This page allows you to choose a preferred authentication method

3. This page allows you to choose a preferred authentication method.

Authentication method

There are three options that you can choose from to authenticate your account: the Microsoft Authenticator app, a different authenticator app, or a phone.


The easiest and most secure option is the Microsoft Authenticator app, if you have a phone or tablet that you can install it on. Once it is set up, you can use it to generate a verification code even when your device isn't receiving mobile network signal.

If you do not have access to a device that you can install the mobile app on, the phone option allows you to receive a text message containing a verification code to enter in to the sign-on screen or receive a phone call to verify your sign-in attempt. The time taken to receive a text message or phone call may vary based on your phone network or mobile signal.

Use of office phones for authentication is not supported by NHSmail

This is not recommended if you are able to use another method, for the following reasons:
  • You will require access to the specific office telephone number to verify your sign-in on new devices.
  • MFA does not support routing of calls via switchboards or other telephony routing services. A direct dial telephone number is required.

Select how you would like to set up multi-factor authentication

Select one of the tabs below, depending on whether you would like to use the authenticator app.

Mobile app enrolment

Microsoft Authenticator

1. On your mobile device, install and open the “Microsoft Authenticator” app.

You will find this in the App Store on Apple devices or the Play Store on Android devices.

Ensure you get the “Microsoft Authenticator” and the icon matches that shown to the left.


The app is free and it is not listed with 'In-App Purchases'.

Review and agree to the privacy statement

2. Review and agree to the privacy statement.

Select Scan a QR code

3. Select “Scan a QR code”.

Allow access to your camera

4. Allow the app to access your camera. This prompt varies depending on whether you're using an Apple or Android device.

On an Apple device, also allow the app to send you notifications when prompted.

Select 'Next'

5. Back on your computer, select 'Next'.

Select 'Next' again

6. Select 'Next' again.

Scan your QR code with the authenticator app

7. Scan your QR code with the authenticator app on your mobile device.

8. Once the app recognises the QR code, select 'Next' on your computer.

Take note of the number displayed and refer back to your mobile device

A test notification will be sent to the authenticator app on your mobile device.

Enter the number from your computer and select 'Yes'

9. Back on your mobile device, enter the number displayed from your computer and select 'Yes' to complete enrolling the authenticator app.

Select 'Next'

Back on your computer, confirmation of successful verification will be displayed.

10. Select 'Next'.

Select 'Done'

11. Select 'Done'.

Take note of the number displayed and refer back to your mobile device

A notification will be sent to the authenticator app on your mobile device.

Enter the number from your computer and select 'Yes'

12. Back on your mobile device, enter the number displayed from your computer and select 'Yes' to complete logging in.

Select 'Yes'

13. Back on your computer, select 'Yes' to reduce the number of times you are asked to sign in if you are logged in to the computer using an account that only you can access.

If you are using a publicly accessible computer or not logged in with your own account, select 'No'.

This page shows the methods set up for multi-factor authentication

This page shows the methods set up on your account for multi-factor authentication.

If you find any method listed that you don't recognise or no longer have access to, select 'Delete' to remove it or 'Change' to update it.


If you delete all methods, you will be prompted to set up multi-factor authentication again when you next log in.


Select '+ Add sign-in method'

If you have access to another device that you can install the authenticator app on, or a phone that can receive a text message or a direct phone call, we recommend adding it as a backup method.

1. Select '+ Add sign-in method'

Select 'Phone' and then 'Add'

2. To add a phone number, select 'Phone' from the drop-down list of methods and then select 'Add'.

Select 'United Kingdom', enter your phone number and then select 'Next'

3. Select 'United Kingdom (+44)' from the drop-down list of countries and enter your phone number.

You may find it more convenient to use a mobile phone number as this will allow you to receive a text message with a verification code instead of a phone call.

If you can't receive text messages on your phone, select 'Call me' instead of 'Text me a code'.

4. Select 'Next'.

We recommend using the Microsoft Authenticator app if you have a device you can use it on as it is not vulnerable to SIM swapping.


There is more information about SIM swapping here:
https://www.europol.europa.eu/cms/sites/default/files/documents/sim_swapping.pdf

This phone number is not linked to the number listed in your NHSmail Portal profile, i.e. you can use a different one if you prefer.


You can use a personal mobile phone number if you expect to have access to it when signing in to NHSmail on new devices; it is only used for account security.


It is not expected that you will be charged as no outgoing calls are made and no messages are sent from the phone during multi-factor authentication.


Standard call and SMS charges may apply if you try to access your account from outside the UK (incurring roaming charges).
These charges may also apply if your telecommunications provider has set charges for incoming calls or messages.

Enter the code you receive by text message and select 'Next'

5. Enter the 6 digit code you receive by text message and select 'Next'.

The code is valid for 3 minutes. If you do not receive the code or if it expires before you are able to enter it, check the phone number displayed is correct and select 'Resend code'.

If you selected 'Call me', answer your phone and press the hash (#) key on your phone's keypad when prompted.

Select 'Done'

6. When you receive confirmation your phone was registered successfully, select 'Done'. You can now close this window and log back in to NHSmail to access your email.

Phone enrolment

We recommend using the Microsoft Authenticator app if you have a device you can use it on as it is not vulnerable to SIM swapping.


There is more information about SIM swapping here:
https://www.europol.europa.eu/cms/sites/default/files/documents/sim_swapping.pdf

Select 'I want to set up a different method'

1. Select 'I want to set up a different method'.

Select 'Phone' and then 'Confirm'

2. Select 'Phone' from the drop-down list of methods and then select 'Confirm'.

Select 'United Kingdom', enter your phone number and then select 'Next'

3. Select 'United Kingdom (+44)' from the drop-down list of countries and enter your phone number.

You may find it more convenient to use a mobile phone number as this will allow you to receive a text message with a verification code instead of a phone call.

If you can't receive text messages on your phone, select 'Call me' instead of 'Text me a code'.

4. Select 'Next'.

This phone number is not linked to the number listed in your NHSmail Portal profile, i.e. you can use a different one if you prefer.


You can use a personal mobile phone number if you expect to have access to it when signing in to NHSmail on new devices; it is only used for account security.


It is not expected that you will be charged as no outgoing calls are made and no messages are sent from the phone during multi-factor authentication.


Standard call and SMS charges may apply if you try to access your account from outside the UK (incurring roaming charges).
These charges may also apply if your telecommunications provider has set charges for incoming calls or messages.

Enter the code you receive by text message and select 'Next'

5. Enter the 6 digit code you receive by text message and select 'Next'.

The code is valid for 3 minutes. If you do not receive the code or if it expires before you are able to enter it, check the phone number displayed is correct and select 'Resend code'.

If you selected 'Call me', answer your phone and press the hash (#) key on your phone's keypad when prompted.

Select 'Done'

6. When you receive confirmation your phone was registered successfully, select 'Next'.

If you are prompted to create an app password, name it anything between 8 and 16 characters and select 'Next'

If you are prompted to create an App password, you can name it anything between 8 and 16 characters and select 'Next'.

Select 'Done'

Select 'Done'.

You do not need to make a note of the app password if displayed as you should not need to use it for anything.

Select 'Done'

7. Select 'Done'.

Select to receive a text message or phone call

8. Select whether you would prefer to receive a text message or a phone call.

Enter the code you receive by text and select 'Verify'

9. Enter the 6 digit code you receive by text message and select 'Verify'.

If you selected 'Call me', answer your phone and press hash (#) when prompted

If you selected 'Call me', answer your phone and press the hash (#) key on your phone's keypad when prompted.

Select 'Yes'

10. Select 'Yes' to reduce the number of times you are asked to sign in, if you are logged in to the computer using an account that only you can access.

If you are using a publicly accessible computer or not logged in with your own account, select 'No'.

This page shows the methods set up for multi-factor authentication

This page shows the methods set up on your account for multi-factor authentication.

If you find any method listed that you don't recognise or no longer have access to, select 'Delete' to remove it or 'Change' to update it.


If you were prompted to create an app password before, you can delete it now.

If you delete all methods, you will be prompted to set up multi-factor authentication again when you next log in.

Logging in

When you log in to NHSmail, refer to your mobile device

Once multi-factor authentication is set up, you will be prompted to approve sign-in attempts on new devices.

Enter the number from the login page and select 'Yes'

If you set up the authenticator app as your preferred method, on your mobile device, enter the number from the login page and select 'Yes'.

If you don't use the authenticator app, answer your phone and press the hash (#) key on your phone's keypad when prompted.

If you prefer to use a verification code generated by the app or sent to your phone by text message, enter the verification code when prompted.

Verification codes can only be used once

Each app generated code is only valid for 30 seconds.


Each text message code is only valid for 3 minutes.

If you can't use your preferred method, select 'Use a different verification option'

If you don't receive the approval notification, don't have access to the mobile device your authenticator app is installed on, or aren't able to answer the phone number set as your preferred method, select “Use a different verification option” and choose another option.

If the mobile device you set up the authenticator app on doesn't have internet access, open the app and select your NHSmail account

If the mobile device you set up the authenticator app on doesn't have internet access, open the app and select your NHSmail account to display a verification code.

Your verification code will be displayed

Enter your verification code on the login page and select 'Sign in'

Enter your verification code on the login page and select 'Sign in'.

If you can't use any of the authentication methods on your account, you will need to raise a request through our IT Servicedesk to reset multi-factor authentication.

Only approve sign-in attempts that you initiate

If you receive a prompt to approve a sign-in attempt that you didn't initiate, do not approve it, and change your NHSmail password as soon as possible.

Password hygiene

A good way to create a strong and memorable password is to use three random words. Be creative and try to use words that are memorable only to you, so that people can't guess your password.


Do not use the same password on multiple systems.

If you have a number in your password, do not increment the number by 1 when you change your password.

Updating your preferences / Authentication Issues

You can manage your multi-factor authentication methods under Security info

To add methods to, or make changes to, your multi-factor authentication set-up, visit https://mysignins.microsoft.com/security-info.

If you are not already signed in to your account, the page will prompt you to log in.

If you find any method listed that you don't recognise or no longer have access to, select 'Delete' to remove it or 'Change' to update it.


If you were prompted to create an app password before, you can delete it now.

If you delete all methods, you will be prompted to set up multi-factor authentication again when you next log in.

Remember

We recommend using the Microsoft Authenticator app if you have a device you can use it on as it is not vulnerable to SIM swapping.


There is more information about SIM swapping here:
https://www.europol.europa.eu/cms/sites/default/files/documents/sim_swapping.pdf

Troubleshooting

It is not possible to disable multi-factor authentication on accounts that have previously been detected as compromised.

If you require further assistance, please raise a request through our IT Servicedesk.