CIS2 Authentication accessibility statement

NHS England is committed to making its services accessible, in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018.

This accessibility statement applies to the NHS CIS2 Authentication service only. It does not cover any websites linked from the service.

This service is run by NHS England. We want as many people as possible to be able to use this service. For example, that means you should be able to:

• change colours, contrast levels and fonts using browser or device settings
• zoom in up to 400% without the text spilling off the screen
• navigate most of the service using a keyboard or speech recognition software
• listen to most of the service using a screen reader (including the most recent versions of JAWS, NVDA and VoiceOver)

AbilityNet has advice on making your device easier to use if you have a disability.

How accessible this service is

Our service is partially compliant with accessibility requirements.

We know some parts of it are not fully accessible:

• Logging in with our service has a short timeout window, which is not displayed visually or announced and cannot be extended, for security reasons. This may make users with cognitive impairments or users of assistive technology, who sometimes need extra time, more likely to experience errors.
• Some of our authenticators require a memorised second factor such as a PIN or password, for security reasons. This may make our service harder to use, especially for users with cognitive impairments.

If you have any feedback or questions about accessibility, please email us at [email protected]

We will respond within 5 working days.

The Equality and Human Rights Commission (EHRC) is responsible for enforcing the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 (the ‘accessibility regulations’).

If you’re not happy with how we respond to your complaint, contact the Equality Advisory and Support Service (EASS).

NHS CIS2 Authentication is partially compliant with the Web Content Accessibility Guidelines version 2.2 AA standard, due to the non-compliances listed below.

The content listed below is non-accessible.

Non-compliance with the accessibility regulations

Timeout

Logging in with our service has a short timeout window, which is not displayed visually or announced and cannot be extended. This may make users with cognitive impairments or users of assistive technology, who sometimes need extra time, more likely to experience errors. This fails WCAG 2.2 success criteria 2.2.1 (timing adjustable) and 4.1.3 (status messages).

For security reasons we do not plan to change this.

Function test

Some of our authenticators require a memorised second factor such as a PIN or password. This may make our service harder to use, especially for users with cognitive impairments. This fails WCAG 2.2 success criteria 3.3.8 (accessible authentication).

For security reasons we do not plan to change this. Users can make the recall of the PIN or password less demanding by using a secure password manager.

We review content throughout the development lifecycle to identify any new problems.

We use the tools and guidance on accessibility in the NHS Digital service manual, which is based on extensive testing. The service manual helps our team build this service to meet the same accessibility standards.

Creating an accessible service is a team effort. We make accessible services by:

• considering accessibility at the start of the project, and throughout
• making accessibility the whole team's responsibility
• researching with disabled users
• using a library of NHS accessible components and patterns
• carrying out regular accessibility audits and testing
• designing and building to level AA of the Web Content Accessibility Guidelines (WCAG 2.2), which is NHS England policy

This statement was prepared on 10 March 2023. It was last reviewed on 12 November 2024.

NHS CIS2 Authentication was last tested in July 2024 against the WCAG 2.2 AA standard, using a self-assessment done by our service team.