Multi-Factor Authentication (MFA) on the NHSmail (NHS.net) email service
To enhance your security and to protect patient data, NHS England will activate Multi-Factor Authentication (MFA) on the NHSmail service on 30 June 2024.
In preparation, all NHS.net email users, except those working in secure care*, must set up MFA on their account before 30 June 2024.
Setting up MFA now will protect your account and will prevent any disruption to your email access as a result of you having to set up MFA at an inconvenient time.
What is MFA?
MFA protects you by asking you to prove (authenticate) who you are by providing a second form of identification (ID), in addition to your username and password.
To provide this second form of ID, it is recommended that you use the Microsoft Authenticator app on your work or personal mobile device to generate a unique code that can be used to verify your identity. This will help prevent anyone but you from accessing your NHS.net account - even if they know your password.
Using the Microsoft Authenticator app
The Microsoft Authenticator app (shown below) is one of the most popular and reliable authentication apps. You might already have it on your personal phone for online services like banking, shopping, and social media. This is the reason NHSmail is recommending the use of Microsoft Authenticator to help limit the number of apps you need to navigate as part of your daily routine.
If you don’t already have Microsoft Authenticator, you can install the app for free from the App Store or Google Play store.
The app uses only a small amount of mobile data. If your device is connected to Wi-Fi, no mobile data will be used to install and use the app. Please consider connecting to NHS Wi-Fi whilst on site.
Setting up MFA
To continue using your NHS.net email account you need to set up MFA on your NHS.net account by following our step-by-step guide. This will require access to either a work or personal mobile device.
If you don’t have access to a mobile device, please do not set up MFA. Similarly, if you access a shared mailbox, which other people also sign in to, please do not set up MFA on this account.
*Colleagues working in secure care should not set up MFA and further guidance will be circulated.
Do you still need to use NHS.net?
If you are only using the NHS.net service as a secure method of sending emails, please be aware that your organisation's email account may already be accredited to the same security standard (DCB1596) as the NHSmail (NHS.net) service.
For more information, please refer to the list of accredited organisations that are compliant with the secure email standard. If you have any queries please contact your IT Service Desk or Information Governance (IG) Team.