No specific technical approaches to MFA are prescribed or prohibited, but illustrative options are listed below, given in approximate groups of weakest to strongest authentication security. This is not intended as an exhaustive list.
Organisations should use current good practice guidance, such as that published by the UK government, the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), to inform decisions on approaches and technologies, proportionate to the nature, connectivity and risks of organisational systems.
| Approach (approximately weakest to strongest) | Notes |
| --- | --- |
| SMS or voice message to trusted number | Should not be used unless no better alternative is available, due to susceptibility to unsophisticated attacks |
| Mobile push notification | Number matching or equivalent two-way verification improves attack resistance |
| One-time password (OTP) generated by application or hardware token | Time-based (TOTP) is more resistant to attack than HMAC-based (HOTP) |
| Trusted end user device proved by a device certificate or similar | Non-exportable credentials are preferable |
| Public key infrastructure (PKI), such as NHS Care Identity Service smartcard | |
| FIDO / WebAuthn or U2F | |
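The OTP row above notes that time-based (TOTP) codes are more resistant to attack than HMAC-based (HOTP) codes. The following added example (written for this page; it is not code from the NHS England policy or from any named product) illustrates the mechanics behind that note. It generates both code types using the ASCII test secret published in RFC 4226 and RFC 6238, so the results can be checked against the RFC test vectors, and then shows the verifier side: a TOTP code is bound to a 30-second step and is accepted only within a small clock-drift window, whereas an HOTP code never expires on its own, so the verifying server must track the counter and refuse any code at or behind it. The `window` and `look_ahead` parameters and the `HotpVerifier` class are illustrative names chosen here, not part of either RFC.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) generation plus the
server-side checks that make each one safe to accept. Not NHS England code."""
import hashlib
import hmac
import struct

# Constructed value: the RFC 4226 / RFC 6238 test-vector secret, not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step and up to `window` adjacent steps (clock drift).
    Because a code is only valid for a few steps, an intercepted code expires on its own."""
    for delta in range(-window, window + 1):
        t = now + delta * step
        if t < 0:
            continue  # no valid step before the epoch
        expected = totp(secret, t, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class HotpVerifier:
    """Server-side HOTP state (illustrative). HOTP codes never expire, so the server must
    remember the counter and refuse anything at or behind it; otherwise a captured code
    could simply be submitted again."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        # Search a bounded window ahead of the stored counter to tolerate skipped codes
        # (token pressed without a login), then advance past the matched value so the
        # same code, and every earlier one, is never accepted again.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))            # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    v = HotpVerifier(RFC_TEST_SECRET)
    print("HOTP first use:", v.verify("755224"), "replay:", v.verify("755224"))
```

Both checks use `hmac.compare_digest` rather than `==` so the comparison does not leak timing information, and the HOTP look-ahead is bounded so a verifier cannot be driven through an unlimited range of counters by a flood of guesses.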
Organisations must not treat a second ‘knowledge’ requirement (such as security questions) as an additional authentication factor, except for one-time passwords or MFA recovery codes.
Organisations must consider their data protection obligations before deciding on approaches that collect or process additional personal data, such as personal contact details or biometric information.
Organisations should adopt an inclusive approach to MFA that does not expect staff to own or use a personal smartphone for work purposes, or to disclose personal contact information to their employers for MFA purposes.
Organisations may use other authentication services, such as NHS Care Identity Service 2 or NHSmail, to provide multi-factor authentication through federation.