AAL3 passkey private beta
We are running a private beta of an Android application that provides AAL3 passkey access to CIS2 Authentication.
The AAL3 passkey private beta is now live - register your interest.
The NHS England Identity and Access Management team is running a private beta of an Android application that provides AAL3 passkey access to CIS2 Authentication.
The initial private beta is for Android users only, with an iOS version expected before the end of March 2026.
As a reminder, currently a passkey authenticator exists to access AAL2 only applications (eg NCRS, eRS, DoS).
The AAL3 passkey application will allow registered users to access any application that supports non-smartcard authenticators via CIS2. This includes:
- SystmOne
- RIO
- Lorenzo
- EPIC
The AAL3 passkey app supports cross device authentication.
See a full list of applications that support CIS2 authentication.
The AAL3 passkey is downloaded to a user's phone, registered in Care Identity Management and then available to use for authentication. Full step-by-step guidance on registration and authenticating with a AAL3 Passkey is available here.
To register interest in the private beta please complete this form.
What you'll need for the private beta
You will need:
- a phone with Android 14 OS minimum
- Google Lens installed on the device
- the user's Google account email address shared with the Identity and Access Management team
- a link to download the NHS CIS2 Passkey app (provided on request)
- the app enabled within the device's settings
You'll need to set up a meeting with your user, either via video or face-to-face. The passkey registration must be completed in your presence.
They will need to have Bluetooth enabled on their device.
From the Care Identity Management home page, choose 'Find an existing user'.
Enter the user's details and select 'Search'.
Choose 'View profile' on the right of the screen.
Go to the 'Authenticators' tab on the user's profile page and select 'Issue other authenticator'.
Select the 'Passkey' authenticator type and 'Continue'.
You'll now see a screen with instructions on how to register the passkey.
When you've read the instructions and are both ready to proceed, select 'Generate link'.
Copy the link and send it to the user by email, or paste it into the chat function of the video call software you are using.
The user now needs to open the link on the Android device. They'll see this screen and they should select 'More options'.
Select 'CIS2 Auth Credential Provider'.
Select 'Continue'.
Select fingerprint or PIN as the chosen authentication method. Fingerprint authentication must be enabled in the device's settings for that option to be available here.
The Android device should now be registered successfully.
Once the device is registered, to authenticate the user should navigate to the service they're looking to access, and from the list of login methods select 'Windows Hello'.
They should scan the QR code shown on screen using their Android device.
They should continue to follow any additional instructions or steps shown on their device.
They should then choose the passkey listed as 'CIS2 Auth Credential Provider'.
They can then authenticate using their chosen method of fingerprint or PIN.
Known limitations
- Currently users with an AAL2 passkey registered to their Care Identity Service profile cannot register the AAL3 version.
- AAL3 passkey registration will not show on a user's Care Identity Service profile. We can provide a list of registered users on request.
- When the application moves from private beta to full availability, users will need to reregister their device.
More information
To register interest in the private beta please complete this form.
For more information, please email [email protected]
Last edited: 17 February 2026 4:08 pm