Windows Hello
Information about NHS CIS2 Authentication Windows Hello
Windows Hello is a secure authentication mechanism that uses biometrics (face/fingerprint) or a PIN to authenticate a user.
It is a convenient alternative to smartcards: it requires no software installation, no certificate renewal and no extra hardware to carry around.
I didn't even know Windows Hello was a thing and now I can just use my face to log into NHSmail and CIM. It's great.
Convenient
- No need for a smartcard or reader
- Uses facial recognition (a good option if the environment requires the user to wear gloves which makes providing a fingerprint inconvenient)
- Uses fingerprints (a good option if the environment requires the user to wear a mask which makes providing their face inconvenient)
- Uses a PIN (a good option if the environment requires the user to wear a mask and gloves which makes providing their face or a fingerprint inconvenient)
Choosing Windows Hello
Users tend to find authenticating with Windows Hello works well when they:
- work on a single Windows device
- have a Windows device (tablets, laptops) with a built in camera / fingerprint reader
- are mobile, working in different buildings/offices
- wear gloves (which makes providing a fingerprint inconvenient)
Secure
NHS England security standards require Trusted Platform Modules (TPM) to meet the following criteria:
- TPM 2.0 hardware
- Windows 10 OS (minimum)
I’ve been using Windows Hello and really like it, I wish all systems were CIS2 now so I can just use Windows Hello.
Reliable
NHS CIS2 Authentication is a platinum service, supported 24 hours a day, 7 days a week.
See our latest availability statistics.
Case study
Pharmacists accessing NCRS
The organisation and service
Weldricks Pharmacies offer a full range of pharmacy services including prescriptions, medicine sales and health and beauty sales. They are concentrated in South Yorkshire with over 600 trained staff including over 80 pharmacists, 9 of whom are clinical pharmacists.
To improve the quality of the service they provide, they wanted their pharmacists to be able to access NCRS without being restricted to a desktop connected to the HSCN.
Moving to NHS CIS2 Authentication
To start using NHS CIS2 Authentication, the Weldricks pharmacists needed to register their Windows devices with their RA. Each user was supported by their local RA who helped to register the Windows Hello device to the user's Care Identity profile.
Windows Hello was enabled by local IT on the existing Windows 10 laptops and provided to the users.
The experience
The pharmacists at Weldricks found the registration process to be very quick and simple.
They can now access patients' information from NCRS using their face to authenticate.
The portability coupled with the simplicity of being able to use my face to access the NCRS makes this invaluable. I wouldn’t like to be without this or go back to using a smartcard.
Considerations for organisations providing IT Support
- No additional software is needed as it uses open standards - just procure, register and use
- No certificate renewals required
Windows 11
A change in Windows 11 version 22H2 was incompatible with the registration process for Windows Hello on the CIS2 Authentication platform. This has now been fixed. If you are still experiencing issues related to registration of the device, please raise a ticket with the NHS Digital Customer Portal.
Procurement
Windows Hello comes with all modern Windows devices and can typically be provisioned to users with minimal effort, assuming the Windows device has:
- Windows 10 or Windows 11
- a valid TPM
- a camera/fingerprint scanner - for authentication using biometrics
Registering devices to users
Each user must:
- have their own Windows device
- register their Windows device to their Care Identity profile, supported by a Registration Authority (RA)
Network Configuration
NHS CIS2 Authentication is primarily an Internet-only service, so some network configuration may be required to allow traffic:
- out to NHS CIS2 Authentication
- in from NHS CIS2 Authentication
Out to NHS CIS2 Authentication
Both end users and applications need to be allowed to send requests out to https://am.nhsidentity.spineservices.nhs.uk/.
This domain does not have a fixed IP address: the address is allocated dynamically and is subject to change, so it cannot be allow-listed by IP address.
In from NHS CIS2 Authentication
Whenever the user's NHS CIS2 Authentication session is destroyed (e.g. on expiration), NHS CIS2 Authentication can send Back-Channel Logout requests to the application.
These requests come from a small number of fixed IP ranges.
The relying party application's hosting network may therefore need firewall rules that allow requests from NHS CIS2 Authentication to reach the application.
If the application is hosted within a trusted network, it is recommended that the endpoint receiving these requests is isolated on a web server rather than exposed directly on critical internal servers.
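As an added example (not code from the NHS CIS2 documentation or from the CIS2 service itself), this shows how a relying party can handle the inbound logout requests described above, assuming CIS2 follows OIDC Back-Channel Logout 1.0: the handler checks the source address against the fixed ranges (a placeholder range here), verifies the logout token's signature and claims, rejects replays and ends only the matching local sessions. The issuer, client id, IP range and the HS256 demo key are assumptions; a production OP signs with RS256 and the verification key comes from its JWKS.

```python
import base64, hashlib, hmac, ipaddress, json, time

# Assumed, not from the page: CIS2 follows OIDC Back-Channel Logout 1.0 and its
# logout token is a JWT. Issuer, client id, source range and key are placeholders.
EXPECTED_ISS = "https://am.nhsidentity.spineservices.nhs.uk/"
CLIENT_ID = "example-relying-party"
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder (TEST-NET-1)
DEMO_KEY = b"constructed-demo-key"  # demo HS256 key; a real OP uses RS256 + JWKS
EVENT = "http://schemas.openid.net/event/backchannel-logout"

def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_logout_token(claims, key=DEMO_KEY):
    """Build an HS256 logout token; only used to construct sample input."""
    head, body = b64e(b'{"alg":"HS256","typ":"JWT"}'), b64e(json.dumps(claims).encode())
    return f"{head}.{body}." + b64e(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())

def validate_logout_token(token, seen_jti, key=DEMO_KEY, now=None):
    """Verify the signature and the claims the spec requires; raise ValueError if invalid."""
    head, body, sig = token.split(".")
    if json.loads(b64d(head)).get("alg") != "HS256":  # pin alg; never trust the header's choice
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64d(sig)):
        raise ValueError("bad signature")
    c, now = json.loads(b64d(body)), (time.time() if now is None else now)
    if c.get("iss") != EXPECTED_ISS or c.get("aud") != CLIENT_ID or not now - 300 <= c.get("iat", 0) <= now + 60:
        raise ValueError("wrong issuer or audience, or iat outside the acceptance window")
    if ("sub" not in c and "sid" not in c) or "nonce" in c or EVENT not in c.get("events", {}):
        raise ValueError("needs sub or sid, no nonce, and the backchannel-logout event")
    if not c.get("jti") or c["jti"] in seen_jti:  # replay protection
        raise ValueError("missing or replayed jti")
    seen_jti.add(c["jti"])
    return c

def handle_backchannel_logout(source_ip, form, sessions, seen_jti, now=None):
    """Handle one logout POST from the OP; return (http_status, sessions_ended)."""
    if not any(ipaddress.ip_address(source_ip) in n for n in ALLOWED_SOURCES):
        return 403, 0  # not from a CIS2 source range
    try:
        c = validate_logout_token(form["logout_token"], seen_jti, now=now)
    except (ValueError, KeyError):
        return 400, 0  # spec: respond 400 to an invalid logout token
    field, value = ("sid", c["sid"]) if "sid" in c else ("sub", c["sub"])
    ended = [k for k, s in sessions.items() if s.get(field) == value]
    for k in ended:
        del sessions[k]  # terminate every matching local session
    return 200, len(ended)
```

A token carrying only `sub` ends every local session for that user, while one carrying `sid` ends just that session.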
Support
You can get support by going to the NHS Digital Customer Portal or emailing [email protected]
Our vision is evolving as we learn
There are lots of features we are working on and considering for the future.
We'd love to hear what you think.
To suggest, comment or vote on these features, visit our feedback portal or contact us by emailing [email protected]
Last edited: 18 September 2024 12:47 pm