How NHS login works

Find out how NHS login handles authentication, account management and verification of a user’s identity.

Creating an NHS login

When a user creates an NHS login they will be asked to:

  • give their email address
  • choose a password
  • accept the NHS login terms and conditions

An email will be sent to the user with an email verification link. They must click this link to verify their email address before they can continue. The user is then asked to give their mobile phone number. A 6-digit security code will be sent to their mobile phone as part of the two-factor authentication process.


Levels of authentication and verification

You can request the level of verification and authentication required for your service. You must decide what combination is needed to allow access to your website or app. This choice is implemented technically using a concept known as vectors of trust.


Scopes and claims

You request user information in the form of a Scope. The requested information is made available as Claim values when making an authentication request. Some of the scopes that you request depend on the vectors of trust.

See more information on scopes and claims.


Authentication

We currently support 3 types of authentication.

Email address and password

The user is asked to provide their email address and a password. A One Time Password (OTP) will be sent by text message to the phone number registered to the user’s NHS login. They must enter this security code to log in. 

Registered device

The user is in possession of a device that has been associated with their NHS login. The association can be made with a One Time Password (OTP) text message, or a remembered browser. This allows users to log in without the need to enter a security code.

Asymmetric cryptographic key within a registered device

The user is in possession of a device that has been associated with their NHS login. Use of the device is established by cryptographic proof of key possession using an asymmetric key, as with a FIDO-compliant device. This allows app users to authenticate with biometric data, such as fingerprint or facial recognition.


Verification

We currently offer 3 levels of user identity verification.

Low level verification

The user has verified ownership of an email address and mobile phone number. They have not proven who they are or provided any other personal details.

Medium level verification

The user has provided some additional information, which has been checked to correspond to a record on the NHS Personal Demographics Service (PDS).

This information may include:

  • date of birth
  • NHS number
  • name
  • postcode

Medium level verification can allow users to do things like contact their GP or receive notifications. It does not provide access to health records or personal information.

High level verification

The user must prove who they are in order to gain access to health records or personal information. To be verified to the highest level, a user must have completed an online or offline identity verification process, where a physical comparison between photo I.D. and the user has been made.

There are two options to do this. Users can submit a photo of their I.D. and a short recording of their face. If that is not possible, they can use the registration details from their GP surgery’s online services. This is because a physical comparison between photo I.D. and the user will have been made by their GP surgery.
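
The check a service can make on the vector of trust it receives, as an added example that is not NHS login's own code: it confirms that the `vot` claim in an already signature-verified ID token matches one of the vectors the service asked for, and fails closed otherwise. The component codes (P0, P5, P9 for low, medium and high verification; Cp, Cd, Ck, Cm for the authentication types) and the sample claims are assumptions to confirm against the NHS login integration documentation.

```python
# Added example, not NHS login code. Component codes are assumptions to
# confirm against the NHS login integration documentation.
IDENTITY_LEVELS = {"P0": "low", "P5": "medium", "P9": "high"}
AUTH_METHODS = {
    "Cp": "email address and password",
    "Cd": "registered device",
    "Ck": "asymmetric key within a registered device",
    "Cm": "multi-factor",
}


def parse_vector(vector) -> frozenset:
    """Split a vector such as 'P9.Cp.Cd' into components, rejecting unknown ones."""
    parts = vector.split(".") if isinstance(vector, str) and vector else []
    levels = [p for p in parts if p in IDENTITY_LEVELS]
    unknown = [p for p in parts if p not in IDENTITY_LEVELS and p not in AUTH_METHODS]
    if unknown or len(levels) != 1:
        raise ValueError(f"malformed vector of trust: {vector!r}")
    return frozenset(parts)


def satisfies(vot, requested_vtr: list) -> bool:
    """True if the returned vector holds every component of one requested vector.

    Levels are not treated as ordered: a service that accepts several levels
    lists a vector for each one. A malformed *requested* vector raises, because
    that is a configuration error rather than an untrusted input.
    """
    wanted = [parse_vector(v) for v in requested_vtr]
    try:
        got = parse_vector(vot)
    except ValueError:
        return False  # fail closed on a missing or unparseable claim
    return any(want <= got for want in wanted)


def allow_access(id_token_claims: dict, requested_vtr: list) -> bool:
    """Gate a feature on the 'vot' claim of an already signature-verified ID token."""
    return satisfies(id_token_claims.get("vot"), requested_vtr)


# Constructed sample: a health records feature accepts high level verification only.
HEALTH_RECORDS_VTR = ["P9.Cp.Cd", "P9.Cp.Ck", "P9.Cm"]
SAMPLE_CLAIMS = {"sub": "constructed-subject", "vot": "P5.Cp.Cd"}

if __name__ == "__main__":
    print(allow_access(SAMPLE_CLAIMS, HEALTH_RECORDS_VTR))
```
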


Proof of identity

Photo I.D. and video

Accepted types of photo I.D. include:

  • Passport
  • UK driving licence
  • European driving licence
  • European national identity card

Once submitted, our I.D. checking team will try to verify the user’s identity.

This is done by:

  • checking the I.D. is valid
  • checking the user in the video matches the person on the photo I.D.
  • running a search to find a match on the NHS Personal Demographics Service (PDS)
  • connecting their NHS number to their NHS login

Our I.D. checking team are trained to UK government Home Office standards.

Registration details from GP surgery’s online services

Users that have signed up to their GP surgery's online services will have been given 3 registration details.

These registration details include:

  • Linkage Key (could be called a Passphrase)
  • O.D.S. Code (could be called an Organisation Code or Practice I.D.)
  • Account I.D.

These details can be checked against the GP system to verify the user’s identity. During this process, an NHS number will be matched to the user and their NHS login.


Linkage keys

NHS login can look up or create a linkage key for users that prove who they are with photo I.D. and a video submission. This is a benefit to your service if it uses the to access patient facing services. It means users do not need to visit their GP for a linkage key to access these services.

This feature is intended for use in conjunction with NHS login user authentication, and cannot be used as a one-time linkage key retrieval tool.


Checking the NHS Personal Demographics Service (PDS)

NHS login is designed to be used repeatedly and offers more value than a one-off identity verification tool. It does not replace or provide an alternative to PDS.

Each time a user logs in, a PDS check is carried out to ensure their registered GP surgery’s O.D.S. code is up to date within NHS login. This should be helpful if, for example, a user changes GP surgery. The check also makes sure other information is up to date, like GP surgery linkage keys. It also blocks access to any NHS login accounts belonging to users marked as deceased in PDS.

Until a user logs in and these checks are done, information returned by NHS login may not represent the most current information held in PDS or the GP clinical system. Users will need to use NHS login on a repeat basis for the PDS checks to be effective.


Contact information

Contact information held in NHS login, like email addresses and mobile phone numbers, is not currently linked to contact information in PDS or GP clinical systems. This is so users can choose any email address and mobile phone number to secure access to their NHS login. The same mobile phone number can also be used on more than one NHS login.

We are currently working on a feature that will allow users to update their contact information in PDS via NHS login.

Last edited: 15 July 2021 10:15 am