Ways to authenticate using NHS Care Identity Service 2

Guidance and information on the different ways you can authenticate using NHS Care Identity Service 2 (NHS CIS2), including the devices you can use.

Introduction

NHS CIS2 offers a single integration process for multiple authentication mechanisms. You can find out more information on the ways to authenticate with NHS CIS2 on this page. For information relating to authenticating in a Path-To-Live environment, please see NHS CIS2 Path to Live process.

Care Identity Service (CIS) smartcard authentication

With the Credential Management Application

We have developed the ability to enable current smartcards users to access internet facing services. Smartcards and access control are secure measures by which clinical and personal information is accessed by only those that have a valid reason to do so. In the future users will be able to use smartcards without a HSCN (N3) connection.

Essentials	Benefits
NHS smartcard	Secure authentication to new internet facing services, for example the Summary Care Record application (SCRa) private beta
Permissions/roles sourced and checked	No change to your current Smartcard or card reader
Software (Identity agent and the Credential Management Application)
A modern internet browser, for example Chrome, Edge and Firefox

Without the Credential Management Application

In situations where the NHS CIS2 hub cannot be installed, we have developed an interim enhancement which allows smartcard authentication to OIDC applications without using the NHS CIS2 hub.

Essentials	Benefits
NHS Smartcard	Secure authentication to new internet facing services, for example the Summary Care Record application (SCRa) private beta
Role based access assigned	Role based access assigned
NHS CIS2 agent	Approved method of authentication where there are delays installing the Credential Management Application
Chrome Smartcard plugin for Google Chrome or Microsoft Edge v79 or above. Java 8 or Active X for IE11	Single solution for any organisation whose applications are not connected via the Credential Management Application – smartcards can be used to access existing smartcard applications as well as new OIDC applications
	Applications can migrate to OIDC whilst users are still on old technology
	Integrates with the existing smartcard solution

The NHS CIS2 authentication service will use information sent by the browser to determine the most appropriate authentication mechanism. It will use either the Chrome Smartcard plugin, an ActiveX Control or a Java applet to access the smartcard software and authenticate the user.

Due to Internet Explorer not using the same high level of identity security protocols, we do not encourage using it as part of NHS CIS2 solutions.

iPad authentication

We have designed and developed a secure biometric authentication system for users who have an individually assigned iPad.

This solution enables access to the Summary Care Record application (SCRa) private beta. This can be useful for direct patient care and being able to reference medication and potential conditions whilst mobile.

Essentials	Benefits
Apple iPad allocated to a single person (generation 5 and above)	Quick access whilst mobile
iOS version 11 and above	Able to use internet to access services
Organisational Mobile Device Management (MDM) Facility	Secure authentication to relevant patient records without a smartcard
Access to Registration Authority (RA) function

Windows 10 tablet authentication

Windows 10 tablets utilise the FIDO2 protocol to authenticate to online services.

Essentials	Benefits
Approved Windows 10 devices	Quick access whilst mobile
Access to Registration Authority (RA) function	Able to use internet to access services
Organisational Mobile Device Management (MDM) Facility	Secure authentication to relevant patient record without a smartcard
Permissions/roles sourced and checked

Security keys authentication

A hardware security key is a small physical device that looks like a USB thumb drive and connects to devices via a USB port (some can connect with NFC). This new solution will allow a user to register an individual security key to enable them to authenticate with NHS CIS2.

Essentials	Benefits
Approved device with operating systems Windows 8.1 and Windows 10	Quick access whilst mobile
Access to Registration Authority (RA) function	Able to use internet to access services
Each individual user must have their own security key	No additional software is needed as it uses open standards
Approved security key	Secure authentication to patient records without the need for a smartcard
	Users can share devices with their own individual security key

Further information

NHS Care Identity Service 2 guidance for developers

Guidance for developers wanting to use NHS Care Identity Service 2 (NHS CIS2) and OpenID Connect 1.0 to verify the identity of users and obtain basic profile information

Last edited: 17 May 2021 1:40 pm