New timescales for enabling multi-factor authentication for NHSmail users

We are extending the timescale for implementing multi-factor authentication (MFA) for NHSmail users in response to feedback that some organisations need longer to prepare for these changes.

Instead of working toward a 30 June 2023 deadline, we will support you to make these changes as soon as possible over the next 11 months.

Multi-factor authentication is crucial to strengthening our collective cyber security, so please implement your current plans as quickly as possible. We have published an MFA Policy to outline our approach and below is an overview of this:

1. From 3 July 2023, multi-factor authentication will be enabled by default when new NHSmail user accounts are created. Local administrators will have the ability to disable this if necessary.
2. You will be able to add trusted sites to your organisation where staff will be protected by MFA but not prompted when logging in to their account from a trusted site, creating a better user experience. We will share more details when we have finalised our approach to this.
3. All accounts signing in from outside of the UK will require MFA enabling before travelling.
4. We are enhancing our reporting to give you a better view of multi-factor authentication activity in your organisation.
5. Our guidance and MFA Adoption Toolkit will help support your changeover.
6. Pharmacy, optometry, dentistry and social care (PODS) and application accounts are not in scope until later this year.

We expect most organisations to have fully implemented multi-factor authentication by end of March 2024.

If you have any questions, you can email feedback@nhs.net.