Authentication Service

Authentication is the process that ensures and confirms a subject’s identity to a particular assurance level. The higher the assurance level, the more confident a client system can be that the subject is who they say they are.

Introduction

The NHS Identity Authentication Service offers the following benefits:

  • NHS Identity currently authenticates against around 1 million care worker identities in its repository, registered and checked to a high level of confidence
  • several new methods of verifying the subject, such as one time passwords, push notifications, knowledge based secrets, biometric Touch ID, Windows Hello, cryptographic certificates, FIDO2 supported devices and OIDC Smartcards
  • multi-factor authentication is supported
  • NHS Identity can check contextual central rules before and after authentication to reduce risk, such as whether a mobile device has been linked to a user, whether the subject's location is allowed, and whether the identity information for a user has ever been captured in a cyber-attack
  • a single sign on cookie can be created and maintained to reduce user friction
  • a step up to a higher assurance of authentication can be triggered if a subject requests access to resources that require it
  • authentications are audited for adherence to governance
  • uses the OpenID Connect standard authentication protocol, championed by Microsoft and Google

Authentication types

To satisfy the requirements of a given Authenticator Assurance Level (AAL), a claimant SHALL be authenticated with at least a given level of strength to be recognised as a subscriber. The result of an authentication process is an identifier that SHALL be used each time that subscriber authenticates to that Relying Party (RP). Subscriber identifiers should not be reused for a different subject but SHOULD be reused when a previously-enrolled subject is re-enrolled by the Credential Service Provider (CSP). Other attributes that identify the subscriber as a unique subject MAY also be provided. NHS Identity provides several authentication options that can be leveraged depending on the needs of the client users.

AAL1: AAL1 provides some assurance that the claimant controls an authenticator bound to the subscriber’s account. AAL1 requires either single-factor or multi-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol.

NHS Identity’s AAL1 authentication supports the following authenticator types:

  • Memorised Secret
  • Single-Factor One-Time Password (OTP) Device

The other Authentication types suggested by the National Institute of Standards and Technology (NIST) guidelines are:

  • Out-of-Band Devices
  • Look-Up Secret
  • Multi-Factor OTP Device
  • Single-Factor Cryptographic Software
  • Single-Factor Cryptographic Device
  • Multi-Factor Cryptographic Software
  • Multi-Factor Cryptographic Device

AAL2: AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.

At AAL2, authentication SHALL occur using either a multi-factor authenticator or a combination of two single-factor authenticators. A multi-factor authenticator requires two factors to execute a single authentication event, such as a cryptographically-secure device with an integrated biometric sensor that is required to activate the device.

When a multi-factor authenticator is used, the National Institute of Standards & Technology (NIST) suggests using any of the following:

  • Multi-Factor OTP Device
  • Multi-Factor Cryptographic Software
  • Multi-Factor Cryptographic Device

When a combination of two single-factor authenticators is used, it SHALL include a Memorised Secret authenticator and one possession-based (i.e., “something you have”) authenticator from the following list:

  • Look-Up Secret
  • Out-of-Band Device
  • Single-Factor OTP Device
  • Single-Factor Cryptographic Software
  • Single-Factor Cryptographic Device

NHS Identity will support AAL2 authentication using a combination of two single-factor authenticators: a Memorised Secret (i.e., “something you know”) and a Single-Factor OTP Device (i.e., “something you have”).

AAL3: AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance; the same device MAY fulfil both these requirements. To authenticate at AAL3, claimants SHALL prove possession and control of two distinct authentication factors through secure authentication protocol(s). Approved cryptographic techniques are required.

NIST suggests that AAL3 authentication SHALL occur using one of the following authenticators or combinations of authenticators:

  • Multi-Factor Cryptographic Device
  • Single-Factor Cryptographic Device used in conjunction with Memorised Secret
  • Multi-Factor OTP device (software or hardware) used in conjunction with a Single-Factor Cryptographic Device
  • Multi-Factor OTP device (hardware only) used in conjunction with a Single-Factor Cryptographic Software
  • Single-Factor OTP device (hardware only) used in conjunction with a Multi-Factor Cryptographic Software Authenticator
  • Single-Factor OTP device (hardware only) used in conjunction with a Single-Factor Cryptographic Software Authenticator and a Memorised Secret

NHS Identity will support AAL3 authentication using Apple iPads from April 2019. This mechanism would meet the Multi-Factor Cryptographic Device guidelines.
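The AAL1, AAL2 and AAL3 rules listed above, encoded as a policy check that reports the highest level a set of authenticators satisfies. This is an added example in JavaScript, not NHS Identity's own code; the authenticator type names are the NIST names used on this page, and the session inputs are constructed. It generalises slightly beyond the text by treating the hardware-only qualifier as a flag on each OTP device.

```javascript
// One entry per authenticator used in a session: a NIST SP 800-63B type name and,
// for OTP devices, whether it is a hardware device (some AAL3 combinations need this).
// Constructed input example: [{ type: "Memorised Secret" }, { type: "Single-Factor OTP Device", hardware: true }]

const MULTI_FACTOR = ["Multi-Factor OTP Device", "Multi-Factor Cryptographic Software",
                      "Multi-Factor Cryptographic Device"];
const POSSESSION = ["Look-Up Secret", "Out-of-Band Device", "Single-Factor OTP Device",
                    "Single-Factor Cryptographic Software", "Single-Factor Cryptographic Device"];

// The six AAL3 combinations from the list above; hw: true means "hardware only".
const AAL3_COMBOS = [
  [{ type: "Multi-Factor Cryptographic Device" }],
  [{ type: "Single-Factor Cryptographic Device" }, { type: "Memorised Secret" }],
  [{ type: "Multi-Factor OTP Device" }, { type: "Single-Factor Cryptographic Device" }],
  [{ type: "Multi-Factor OTP Device", hw: true }, { type: "Single-Factor Cryptographic Software" }],
  [{ type: "Single-Factor OTP Device", hw: true }, { type: "Multi-Factor Cryptographic Software" }],
  [{ type: "Single-Factor OTP Device", hw: true }, { type: "Single-Factor Cryptographic Software" },
   { type: "Memorised Secret" }],
];

// True when the session holds an authenticator of the required type (and hardware, if required).
function matches(used, req) {
  return used.some(a => a.type === req.type && (!req.hw || a.hardware === true));
}

function meetsAAL3(used) {
  return AAL3_COMBOS.some(combo => combo.every(req => matches(used, req)));
}

// AAL2: one multi-factor authenticator, or Memorised Secret plus one possession authenticator.
// Two possession authenticators without a memorised secret do NOT reach AAL2.
function meetsAAL2(used) {
  if (used.some(a => MULTI_FACTOR.includes(a.type))) return true;
  return matches(used, { type: "Memorised Secret" }) && used.some(a => POSSESSION.includes(a.type));
}

// Highest AAL satisfied; 0 when nothing was presented, 1 for any single authenticator.
function achievedAAL(used) {
  if (used.length === 0) return 0;
  if (meetsAAL3(used)) return 3;
  if (meetsAAL2(used)) return 2;
  return 1;
}
```

A Single-Factor OTP software token paired with Multi-Factor Cryptographic Software evaluates to AAL2, not AAL3, because that combination requires a hardware OTP device.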

The Privacy Notice for Smartcard / Authorised Device users can be viewed here.

FIDO2 will be the next supported authentication mechanism, available by Q3 of 2019.

Authentication roadmap

As part of NHS Identity’s vision for offering the latest and most advanced authentication mechanisms, NHS Identity is exploring the following authentication types in our roadmap:

OpenID Connect Smartcard Authentication

This will allow client applications to authenticate via the NHS Digital Smartcard Identity Agent when using the OpenID Connect interface.

FIDO2 authentication

FIDO stands for Fast Identity Online. It is an authentication method designed to leverage and trust the local in-built capabilities (e.g. fingerprint readers, facial recognition, etc.) of devices to validate who the user is.

NHS Identity is introducing FIDO2 as an authentication choice which will introduce a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.

FIDO2 is comprised of the W3C’s Web Authentication specification (WebAuthn) and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP), which collectively will enable users to leverage common devices to easily authenticate to online services — in both mobile and desktop environments.

WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO2 Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.

Major web browsers including Chrome, Firefox and Microsoft Edge have implemented the standards; Android, Windows 10 and related Microsoft technologies will also have built-in support for FIDO2 Authentication.

Enterprises and online service providers looking to protect themselves and their customers from the risks associated with passwords - including phishing, man-in-the-middle and attacks using stolen credentials - can soon use standards-based strong authentication that works through the browser. Using FIDO2 Authentication enables online services to provide choice to users from an interoperable ecosystem of devices people use every day like mobile phones and security keys.

Last edited: 27 September 2019 1:44 pm