Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

NHS England: multi-factor authentication (MFA) policy

Read our multi-factor authentication (MFA) policy.

About this policy

Published as:

  • guidance on compliance with DAPB0086: Data Security and Protection Toolkit, an information standard published under s250 of the Health and Social Care Act 2012
  • guidance to operators of essential services for the health sector, published under s3(3)(b) of the Network and Information Systems Regulations 2018

Applies to:

  • NHS trusts and foundation trusts
  • integrated care boards (ICBs)
  • arm’s length bodies of the Department of Health and Social Care
  • commissioning support units (CSUs) within NHS England
  • operators of essential services for the health sector as designated under the Network and Information Systems Regulations 2018

CAF outcomes:

  • B2.a ‘Identity Verification, Authentication and Authorisation’
  • B2.c ‘Privileged User Management’


Compromising user accounts is a starting point for many cyber security attacks.  Common passwords can be breached with unsophisticated attacks, giving attackers easy access to an organisation’s systems and enabling ransomware, and many people use the same or similar passwords on multiple accounts, making a compromise both easier and more damaging.

Users authenticate to systems by presenting proof of something they know (such as a password) something they have (such as a device), or something they are (biometrics).  Multi-factor authentication (MFA) – the use of two or more of these authentication factor types – is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed.

Industry research suggests that MFA can prevent 99.9% of account compromise attacks, and MFA is widely considered by cyber security authorities globally to be one of the most important controls that any organisation can deploy.  Its use in the NHS will help protect patient data and organisations’ capability to deliver patient care.

This policy sets out requirements for the use of MFA as a cyber security control to establish a consistent minimum expectation. These policy requirements are incorporated into the Data Security and Protection Toolkit (DSPT).

The key words ‘must (not)’, ‘required’, ‘shall (not)’, ‘should (not)’, ‘(not) recommended’, ‘may’, and ‘optional’ in this document are to be interpreted as described in RFC 2119.

Policy objective

The objective of this policy is to promote and ensure widespread use of multi-factor authentication as a fundamental cyber security control, in order to manage the data security risks associated with user credential compromise.

Policy requirement


  • must enforce MFA on all remote user access to all systems; and
  • must enforce MFA on all privileged user1 access to externally-hosted systems; and
  • should enforce MFA on all privileged user access to all other systems;

except as permitted in the ‘Exceptions’ section of this policy.

‘User’ means any individual (other than a patient or person in care) or system process authorised to access an information system, and ‘user accounts’ therefore includes service accounts.

This policy requirement applies irrespective of whether Cyber Essentials Plus certification is held.

An organisation ‘X’ to which this policy applies must include all services for which it is the controlling recipient, so:

  • services provided to X by suppliers and partners under contract are in scope for X
  • services provided by X to a separate contracting authority are out of scope for X.  (The contracting authority would be responsible for compliance with this policy, if it is an organisation to which the policy applies)
  • services procured by X on behalf of other organisations are out of scope for X.  (The recipient organisations would be responsible for compliance with this policy, if they are organisations to which the policy applies)

Clarifying scenarios are given in guidance accompanying this policy.

1Privileged accounts are system administration or other accounts with security-relevant functions (NIST definition).


Permitted exceptions are as follows:

Ser Exception Remarks
General exceptions
1 Unprivileged user account access from within the organisation’s trusted corporate network MFA is required for all user access originating outside the trusted corporate network
2 Access to a system to which the same user has previously authenticated with MFA from the same device MFA enforced on first access; user may then subsequently access the same system from the same device without MFA, for an organisation-defined period of time (session management)
3 Accounts used solely by patients or people in care Not in scope of this policy. DCB3051 establishes standards for identify verification and authentication for patients and service users
Specific exceptions
4 Accounts used by staff with disabilities that make MFA unusable Consider disabilities equality as part of implementation planning and choice of factors
5 Access from specific trusted physical locations Such as access from prisons and other sites with specific restrictions and compensating controls
6 Systems that cannot support any form of MFA Federated authentication with an MFA-capable system is considered 'supporting MFA'
7 Situations in which MFA would create disproportionate clinical or operational risk or difficulty Organisations must consider alternative controls and mitigations for the security risk

Organisations relying on any specific exception (serials 4-7 above) must:

  • understand, document, risk-assess, and internally approve (at board level or as delegated) all exceptions, with annual review
  • have and actively pursue plans to minimise or eliminate completely the exceptions; and
  • retain documentary evidence for audit purposes, and provide a summary within their DSPT submission


No specific technical approaches to MFA are prescribed or prohibited, but illustrative options are listed below, given in approximate groups of weakest to strongest authentication security. This is not intended as an exhaustive list.

Organisations should use current good practice guidance, such as is published by the UK government, National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency, to inform decisions on approaches and technologies, proportionate to the nature, connectivity and risks of organisational systems.

Strength Authentication factor Remarks
‘Basic’ SMS or voice message to trusted number Should not be used unless no better alternative is available, due to susceptibility to unsophisticated attacks
'Better' Mobile push notification Number matching or equivalent two-way verification improves attack resistance
One-time password (OTP) generated by application or hardware token Time-based (TOTP) is more resistant to attack than HMAC-based (HOTP)
Trusted end user device proved by a device certificate or similar Non-exportable credentials are preferable
'Best' Public key infrastructure (PKI), such as NHS Care Identity Service smartcard Phishing-resistant
FIDO / WebAuthn or U2F

Organisations must not treat a second ‘knowledge’ requirement (such as security questions) as an additional authentication factor, except for one-time passwords or MFA recovery codes.

Organisations must consider their data protection obligations before deciding on approaches that collect or process additional personal data, such as personal contact details or biometric information.

Organisations should adopt an inclusive approach to MFA that does not expect staff to own or use a personal smartphone for work purposes, or to disclose personal contact information to their employers for MFA purposes.

Organisations may use other authentication services, such as NHS Care Identity Service 2 or NHSmail, to provide multi-factor authentication through federation.

Last edited: 23 August 2023 5:07 pm