You need to request the level of verification and authentication required for your service. You must decide what combination is needed to allow access to your website or app. This combination of required authentication and verification is known as a vector of trust.
Level of authentication
We currently support 3 types of authentication.
Email address and password
(also known as Cp on the Developer documentation site; a 'Low' level in DCB3051 Appendix D p23)
The user is asked to provide their email address and a password.
(also known as Cd on the Developer documentation site; a 'Low' level in DCB3051 Appendix D p23)
The user is in possession of a device that has been associated with their NHS login. The association can be made with a One Time Password (OTP) text message, or with a remembered browser. A remembered browser allows users to log in without needing to enter a security code.
(also known as Cm on the Developer documentation site; a 'High' level in DCB3051 Appendix D p23)
The user is in possession of a device that has been associated with their NHS login. Possession of the device is proven by cryptographic proof of possession of an asymmetric private key, as with a FIDO-compliant authenticator. This allows app users to authenticate with biometrics, such as fingerprint or facial recognition.
Authentication types can be combined to create a high level of authentication. For example, Cp and Cd are each a low level of authentication on their own, but when both are used in the same transaction they together give a high level of authentication.
A high level of authentication can also be referred to as 2-factor authentication (2FA) or multi-factor authentication (MFA).
Level of verification
We currently offer 3 levels of user identity verification.
DCB3051 refers to 4 levels of verification and includes 'none'. NHS login does not have a concept (or level) of 'none'.
Low level verification (P0)
The user has verified ownership of an email address and mobile phone number. They have not proven who they are or provided any other personal details.
Medium level verification (P5)
The user has provided some additional information, which has been checked to correspond to a record on the NHS Personal Demographics Service (PDS).
This information may include:
- date of birth
- NHS number
Medium level verification can allow users to do things like contact their GP or receive notifications. It does not provide access to health records or personal information.
High level verification (P9)
The user must prove who they are in order to gain access to health records or personal information. To be verified to the highest level, a user must have completed an online or offline identity verification process in which their photo ID has been physically compared with them.
To do this, a user has 4 options:
The first three options are known as 'Prove your Identity online' (PYI), and using your GP surgery's online services is known as 'Patient On Line' (POL).
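As an added example, not code from the NHS login documentation, the following Python encodes the authentication and verification rules described above as a relying-party check: it parses a vector such as P9.Cp.Cd into its P (verification) and C (authentication) components, applies the rule that Cp and Cd are low on their own but high together, and checks that the vector returned after login is one the service actually asked for. The dotted string form and the vtr (request) and vot (response) names are taken from RFC 8485 (Vectors of Trust); that NHS login uses exactly these names, and the example policy lists in the block, are assumptions made here.

```python
"""Parse and check vectors of trust of the form "P9.Cp.Cd" (added example).

Assumptions, not taken from the page: the dotted string form and the
vtr/vot parameter names follow RFC 8485; the policy lists are illustrative.
"""
import json
from dataclasses import dataclass

# Identity-verification components and the level each gives, as the page describes them.
VERIFICATION = {"P0": "low", "P5": "medium", "P9": "high"}
# Authentication components and the level each gives on its own.
AUTH_LEVEL = {"Cp": "low", "Cd": "low", "Cm": "high"}


@dataclass(frozen=True)
class Vector:
    verification: str   # e.g. "P9"
    auth: frozenset     # e.g. frozenset({"Cp", "Cd"})


def parse_vector(value: str) -> Vector:
    """Parse "P9.Cp.Cd" into components, rejecting unknown or malformed input.

    Component order is irrelevant, so "P9.Cd.Cp" and "P9.Cp.Cd" parse equal.
    """
    parts = value.split(".")
    p_parts = [p for p in parts if p in VERIFICATION]
    c_parts = [c for c in parts if c in AUTH_LEVEL]
    if len(p_parts) + len(c_parts) != len(parts):
        raise ValueError(f"unknown component in {value!r}")
    if len(p_parts) != 1:
        raise ValueError(f"exactly one P component required in {value!r}")
    if not c_parts:
        raise ValueError(f"at least one C component required in {value!r}")
    return Vector(p_parts[0], frozenset(c_parts))


def is_valid_vector(value: str) -> bool:
    try:
        parse_vector(value)
        return True
    except ValueError:
        return False


def authentication_level(vec: Vector) -> str:
    """Page rule: Cm alone is high; Cp or Cd alone is low; two factors together are high."""
    if "Cm" in vec.auth or len(vec.auth) >= 2:
        return "high"
    return "low"


def verification_level(vec: Vector) -> str:
    return VERIFICATION[vec.verification]


def build_vtr(acceptable: list) -> str:
    """Build the vtr request value: a JSON array of acceptable vectors (RFC 8485 form)."""
    for v in acceptable:
        parse_vector(v)  # fail fast on a typo in our own policy
    return json.dumps(acceptable)


def vot_satisfies(vot: str, acceptable: list) -> bool:
    """True only if the returned vot is one of the vectors we asked for.

    Compared structurally, so component order cannot cause a false mismatch,
    while weaker verification (P5 where P9 was required) or a single factor
    where two were required is rejected.
    """
    try:
        got = parse_vector(vot)
    except ValueError:
        return False
    return any(got == parse_vector(v) for v in acceptable)


if __name__ == "__main__":
    # Illustrative policy for a records-access service: P9 plus high authentication.
    policy = ["P9.Cp.Cd", "P9.Cm"]
    print("vtr =", build_vtr(policy))
    for vot in ["P9.Cd.Cp", "P9.Cm", "P5.Cp.Cd", "P9.Cp"]:
        print(vot, "->", vot_satisfies(vot, policy))
```

The check is deliberately an exact structural match against the requested list rather than a "good enough" comparison: a service that asked for P9.Cp.Cd and is handed P5.Cp.Cd or P9.Cp must refuse, since the first lacks the identity proof needed for records access and the second is only a low level of authentication.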