Skip to main content

Introduction to supporting Care Identity Authentication and smartcard users

Understand the aims of Care Identity Authentication and how supporting smartcard users will benefit them and the systems they use.

This guidance assumes the reader has some basic knowledge about the original Care Identity Service (CIS) authentication service and the use of smartcards. If this is not the case please see Registration authorities and smartcards for further information about the service and details on the Identity Agent that allows a user to interact with their smartcard.


What is Care Identity Authentication?

Care Identity Service 2 (CIS2) comprises a number of new services that are intended  to compliment and eventually replace the existing Care Identity Service (CIS). One of the new services is Care Identity Authentication (formerly known as NHS Identity) that provides an alternative to the existing Care Identity Service (CIS) authentication service. Care Identity Authentication has a number of key aims:

  • Enable the use of new authentication mechanisms in care settings where a smartcard may not be appropriate, for example biometrics on mobile devices.
  • Simplify the effort required to integrate an application with the authentication service.
  • Remove the dependency on out dated technology such as IE11 and Java applets.
  • Allow the use of the latest operating systems and browsers.

To enable these aims Care Identity Authentication is providing an OpenID Connect (OIDC) solution. OIDC is an Internet Engineering Task Force (IETF) standard that defines a protocol for applications to request a user authentication from an Identity Provider (IdP) such as Care Identity Authentication. More information about OIDC can be found at OpenID Connect (OIDC) overview.

OIDC is a modern, widely understood and adopted protocol that greatly simplifies the integration effort required by application developers and has the key benefit of isolating the application from the details of the authentication mechanism used. To use OIDC an application makes simple HTTP requests and the IdP takes care of the technology needed to authenticate the user, this is in contrast to the existing CIS authentication service which requires an application developer to create their own Java Applet to communicate with the Identity Agent directly.

These benefits are well demonstrated by the Mobile SCRa application currently being used by the London Ambulance Service (LAS) to access patient's Summary Care Records. This application can be used used both on iPads carried by paramedics and by call handlers working at a desktop. In both cases the application makes the same simple HTTP calls and Care Identity Authentication takes care of the technology required to authenticate the user based on the device they are using; on iPads this is via the fingerprint reader whereas in the call centre this is achieved using a smartcard.

Whilst bringing many benefits it is understood that the transition to Care Identity Authentication will take some time due to the large number of existing applications that have been created to work with the CIS authentication service. With this in mind Care Identity Authentication has been carefully designed to enable a gradual transition by adopting the following strategy:

  • Developers of new applications will be recommended to adopt Care Identity Authentication in order to realise the benefits outlined above.
  • Care Identity Authentication will continue to support the use of smartcards via an Identity Agent.
  • Applications using Care Identity Authentication will be able to co-exist on a device with applications using the CIS authentication service.

The rest of this document provides guidance on how devices may be configured in accordance with this strategy.

Last edited: 19 April 2021 4:27 pm