NHS England: multi-factor authentication (MFA) policy

Read our multi-factor authentication (MFA) policy.

About this policy

Published as:

guidance on compliance with DAPB0086: Data Security and Protection Toolkit, an information standard published under s250 of the Health and Social Care Act 2012
guidance to operators of essential services for the health sector, published under s3(3)(b) of the Network and Information Systems Regulations 2018

Applies to:

NHS trusts and foundation trusts
integrated care boards (ICBs)
arm’s length bodies of the Department of Health and Social Care
commissioning support units (CSUs) within NHS England
operators of essential services for the health sector as designated under the Network and Information Systems Regulations 2018

CAF outcomes:

B2.a ‘Identity Verification, Authentication and Authorisation’
B2.c ‘Privileged User Management’

Introduction

Compromising user accounts is a starting point for many cyber security attacks. Common passwords can be breached with unsophisticated attacks, giving attackers easy access to an organisation’s systems and enabling ransomware, and many people use the same or similar passwords on multiple accounts, making a compromise both easier and more damaging.

Users authenticate to systems by presenting proof of something they know (such as a password) something they have (such as a device), or something they are (biometrics). Multi-factor authentication (MFA) – the use of two or more of these authentication factor types – is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed.

Industry research suggests that MFA can prevent 99.9% of account compromise attacks, and MFA is widely considered by cyber security authorities globally to be one of the most important controls that any organisation can deploy. Its use in the NHS will help protect patient data and organisations’ capability to deliver patient care.

This policy sets out requirements for the use of MFA as a cyber security control to establish a consistent minimum expectation. These policy requirements are incorporated into the Data Security and Protection Toolkit (DSPT).

The key words ‘must (not)’, ‘required’, ‘shall (not)’, ‘should (not)’, ‘(not) recommended’, ‘may’, and ‘optional’ in this document are to be interpreted as described in RFC 2119.

Policy objective

The objective of this policy is to promote and ensure widespread use of multi-factor authentication as a fundamental cyber security control, in order to manage the data security risks associated with user credential compromise.

Policy requirement

Organisations:

must enforce MFA on all remote user access to all systems; and
must enforce MFA on all privileged user¹ access to externally-hosted systems; and
should enforce MFA on all privileged user access to all other systems;

except as permitted in the ‘Exceptions’ section of this policy.

‘User’ means any individual (other than a patient or person in care) or system process authorised to access an information system, and ‘user accounts’ therefore includes service accounts.

This policy requirement applies irrespective of whether Cyber Essentials Plus certification is held.

An organisation ‘X’ to which this policy applies must include all services for which it is the controlling recipient, so:

services provided to X by suppliers and partners under contract are in scope for X
services provided by X to a separate contracting authority are out of scope for X. (The contracting authority would be responsible for compliance with this policy, if it is an organisation to which the policy applies)
services procured by X on behalf of other organisations are out of scope for X. (The recipient organisations would be responsible for compliance with this policy, if they are organisations to which the policy applies)

Clarifying scenarios are given in guidance accompanying this policy.

¹Privileged accounts are system administration or other accounts with security-relevant functions (NIST definition).

Exceptions

Permitted exceptions are as follows:

Ser	Exception	Remarks
General exceptions
1	Unprivileged user account access from within the organisation’s trusted corporate network	MFA is required for all user access originating outside the trusted corporate network
2	Access to a system to which the same user has previously authenticated with MFA from the same device	MFA enforced on first access; user may then subsequently access the same system from the same device without MFA, for an organisation-defined period of time (session management)
3	Accounts used solely by patients or people in care	Not in scope of this policy. DCB3051 establishes standards for identify verification and authentication for patients and service users
Specific exceptions
4	Accounts used by staff with disabilities that make MFA unusable	Consider disabilities equality as part of implementation planning and choice of factors
5	Access from specific trusted physical locations	Such as access from prisons and other sites with specific restrictions and compensating controls
6	Systems that cannot support any form of MFA	Federated authentication with an MFA-capable system is considered 'supporting MFA'
7	Situations in which MFA would create disproportionate clinical or operational risk or difficulty	Organisations must consider alternative controls and mitigations for the security risk

Organisations relying on any specific exception (serials 4-7 above) must:

understand, document, risk-assess, and internally approve (at board level or as delegated) all exceptions, with annual review
have and actively pursue plans to minimise or eliminate completely the exceptions; and
retain documentary evidence for audit purposes, and provide a summary within their DSPT submission

Implementation

No specific technical approaches to MFA are prescribed or prohibited, but illustrative options are listed below, given in approximate groups of weakest to strongest authentication security. This is not intended as an exhaustive list.

Organisations should use current good practice guidance, such as is published by the UK government, National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency, to inform decisions on approaches and technologies, proportionate to the nature, connectivity and risks of organisational systems.

Strength	Authentication factor	Remarks
‘Basic’	SMS or voice message to trusted number	Should not be used unless no better alternative is available, due to susceptibility to unsophisticated attacks
'Better'	Mobile push notification	Number matching or equivalent two-way verification improves attack resistance
	One-time password (OTP) generated by application or hardware token	Time-based (TOTP) is more resistant to attack than HMAC-based (HOTP)
	Trusted end user device proved by a device certificate or similar	Non-exportable credentials are preferable
'Best'	Public key infrastructure (PKI), such as NHS Care Identity Service smartcard	Phishing-resistant
'Best'	FIDO / WebAuthn or U2F	Phishing-resistant

Organisations must not treat a second ‘knowledge’ requirement (such as security questions) as an additional authentication factor, except for one-time passwords or MFA recovery codes.

Organisations must consider their data protection obligations before deciding on approaches that collect or process additional personal data, such as personal contact details or biometric information.

Organisations should adopt an inclusive approach to MFA that does not expect staff to own or use a personal smartphone for work purposes, or to disclose personal contact information to their employers for MFA purposes.

Organisations may use other authentication services, such as NHS Care Identity Service 2 or NHSmail, to provide multi-factor authentication through federation.

Last edited: 23 August 2023 5:07 pm