Multi Factor Authentication: Set up guide
This guide is to assist in the set up of Multi Factor Authentication (MFA) for all users of the clinical Inhealthcare Portal, Desktop Applications and Mobile Applications.
To begin using MFA:
Navigate to the Inhealthcare Platform as you normally would.
On your computer, click Log in to the clinical portal.
Enter your current Username and Password and click Login.
The following screen will display if you have not yet used MFA:
Click the linked text Follow these instructions to download and install the Microsoft Authenticator app. to open installation instructions for the Microsoft Authenticator app. This will open in another tab on your browser.
TIP
In this guide we recommend the Microsoft Authenticator app, however other authenticators may be used.
You should download this onto a mobile device that you will have access to whenever you need to log in.
If using the Inhealthcare Professional app, the above screens and steps apply in the same way to start your login:
When using a smartphone, make sure to copy the Secret key to save time later.
Open the App Store for iPhone or go to Google Play for Android™, search for and download the Microsoft Authenticator app.
Use the instructions from the link above to help you do so.
Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries and regions. App Store is a service mark of Apple Inc.
Android, Google Play and the Google Play logo are trademarks of Google LLC.
Once the app is downloaded, open it on your mobile device and use the option to add an account to your authenticator app. If given an option to add as a specific account type, choose Other (Google, Facebook, etc.).
Scan the QR code on your Inhealthcare browser screen using your authenticator app.
TIP
If the camera is not working on your mobile, or you are using your phone to set up MFA via the Inhealthcare Professional app, click Or enter code manually to enter/paste the Secret key manually. The account name entered here should be something logical to do with the environment you are setting up on your MFA, e.g. Inhealthcare Sandpit or Inhealthcare Live.
This option to enter the secret key is only available if you are adding the account type as Other (Google, Facebook, etc.).
The new account will automatically appear on your authenticator app, where a new 6 digit code will be generated every 30 seconds.
In the box titled Please enter the 6 digit verification code from your authenticator app enter the 6 digit code shown on the app (before it creates a new one) and click Verify code and activate.
Inhealthcare Professional App users:
Users will need to enter their password as normal on their IHC app, then switch to open their authenticator app, remember the 6 digit code, and finally switch back and type it into the code field.
Incorrect codes
If anything other than digits is entered into the code field, a warning will display and prompt you to enter a correct code.
If an incorrect 6 digit code is entered, you will be returned to the login screen to enter your username and password again.
You will then see confirmation that your authenticator app has been linked to your IHC login. You will also be given a set of 16 recovery codes that can be used to log in should you not have access to your authenticator app. Make sure you keep these codes safe before clicking Continue; they will not be displayed again.
WARNING
The codes shown should only be used on rare occasions when your authenticator app is unavailable.
Save these codes somewhere secure (i.e. not on either device that is used for MFA or for logging into the Inhealthcare platform). The clipboard icon in the top right of the box where the codes are shown will copy them to your computer's clipboard.
Once a code from this list has been used it cannot be used again.
Click Continue to return to the log in screen. A confirmation message will display to confirm that multi-factor authentication has been activated.
TIP
You will only see this confirmation message after setting up your Multi Factor Authentication for the first time.
On all future log ins to the Inhealthcare platform you will be asked to enter your Username and Password as normal, before clicking Login.
Then, you will be asked to enter a 6-digit verification code from your authenticator app.
Once you enter your code and click Verify you will then be logged into the platform.
TIP
There is a Use a recovery code link which will allow you to use one of your recovery codes. You should only use these if you don’t have your device. They should not be used on every login.
If an incorrect recovery code is entered, you will be taken back to the login screen, or prompted to try again.
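How a 6 digit code is derived from the Secret key and the current 30 second window, and why a recovery code stops working after one use, shown as an added example that is not Inhealthcare's code. It assumes the standard TOTP algorithm (RFC 6238 with HMAC-SHA1) that authenticator apps use for manually added accounts; the Enrolment class, the drift setting, the replay check and the sample values are hypothetical.

```python
import base64, hashlib, hmac, struct, time

STEP = 30      # seconds each code is valid for, as described in this guide
DIGITS = 6     # code length described in this guide

def totp(secret_b32, at=None):
    """Code for the 30-second window containing `at` (RFC 6238, HMAC-SHA1)."""
    padded = secret_b32.replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)            # Base32 needs a multiple of 8 characters
    key = base64.b32decode(padded)
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Enrolment:
    """Hypothetical server-side state for one login: one secret, single-use recovery codes."""
    def __init__(self, secret_b32, recovery_codes):
        self.secret = secret_b32
        self.recovery = set(recovery_codes)
        self.last_counter = -1                    # assumption: reject replay of an accepted code

    def verify_code(self, code, at=None, drift=0):
        if not (code.isdigit() and len(code) == DIGITS):
            return False                          # anything other than 6 digits is rejected
        now = int(time.time() if at is None else at) // STEP
        for counter in range(now - drift, now + drift + 1):
            candidate = totp(self.secret, counter * STEP)
            if counter > self.last_counter and hmac.compare_digest(candidate, code):
                self.last_counter = counter
                return True
        return False

    def use_recovery_code(self, code):
        if code in self.recovery:
            self.recovery.remove(code)            # once used it cannot be used again
            return True
        return False

# Constructed sample value: the RFC 6238 test key, Base32-encoded like a Secret key.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

With drift=0 a code is accepted only inside its own 30 second window; RFC 6238 recommends allowing at most one extra step for delay, which drift=1 models.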
FAQs
How will users generate an MFA token?
We recommend the Microsoft Authenticator App as users should already be familiar with it if they use NHS Mail, or MS 365. This should be installed on a mobile device which will be available for every future login.
The first time a user logs in after the MFA is introduced, they can follow the above instructions on installing the authenticator app and how to use it to log in.
I set up MFA for my portal account, do I need one for my Inhealthcare Professional app?
If your MFA has already been set using a computer, you do not need to repeat the steps to log into your smartphone app.
Simply use the authenticator app you configured to take the 6-digit MFA code and type this into the app when prompted while logging in.
Will patients require MFA?
No, MFA will only be required when logging into clinical apps such as:
- IHDA-SA (Inhealthcare Desktop Service Agent)
- IHDA-GP (Inhealthcare Desktop Application)
- IHMA (Inhealthcare Professional app)
- Reporting dashboard
- Portal
- Organisation data
- The Toolkit
Will Sandpit also require MFA?
At the moment all platform access will require MFA. However, we are currently working with NHS England to check if an exception can be made for non-live environments. Please note that the account created in the authenticator app will clearly show which environment it is for.
All users with the Organisation Admin role will require MFA, even in the sandpit environment.
A separate MFA will be needed for using Live and Sandpit (testing) environments. Your account on the MFA app will display which environment each code shown is for.
I'm having trouble adding two IHC accounts to my authenticator app, what do I do?
If you have more than one login, e.g. one for each environment (sandpit, live, etc.), but they use the same email address as the Username, some iPhone users have experienced the second account added overwriting the first one.
This is not an Inhealthcare issue, but a known issue with Microsoft Authenticator.
The workaround is to add the second account manually, using the secret key (i.e. not via the QR code), or to use an alternative authenticator app instead.
What happens if I need to reset the password for my login?
This will not affect your MFA account. Use the Forgot password link and follow the usual process for resetting your password.
My recovery codes no longer work, what do I do?
Recovery codes (shown in step 11 above) should only be used if your mobile MFA app is unavailable. Each code can only be used once; therefore, once all codes are used, they will no longer work.
The only way to reset the recovery codes is for your Organisation Administrator to manage your user login and select Reset MFA enrolment. This will require you to follow the instructions above to re-install the authenticator app.
If re-setting the app on the same mobile device, you may be required to remove your Inhealthcare account before it can be re-added/re-set.
Only one authenticator app/device can be associated with each login at one time.
What do I do if I can no longer access my authenticator app?
If your mobile device is lost/broken/stolen and you can no longer access the authenticator app you installed, your Organisation Administrator will need to manage your user login and select Reset MFA enrolment.
This will allow you to download and install the authenticator app to a new mobile device, following the steps above.
Only one authenticator app/device can be associated with each login at one time.
How will MFA impact Contextual launch?
If your service uses contextual launch from the GP system to open Inhealthcare with the correct patient already loaded, this will still work but will no longer auto-login to the IHC platform. MFA will still be required.
How will MFA impact Inhealthcare Desktop Service Agent Users?
Will a new authentication be needed each time a record is pushed through to the GP system?
An IHDA-SA user will only need to use MFA when they register the IHDA-SA. MFA won't be required again until the session has expired and the IHDA-SA requires re-registering.
All functions used within the IHDA will remain the same.
If my login is deleted from the platform, what happens to my MFA account?
If your user is deleted by an Organisation Administrator, you will no longer be able to access the platform. However, the account will still appear in your authenticator app, but the generated codes will be redundant as your user has been deleted. You can safely delete the entry from your authenticator app.
If you require a new login, this will be under a new username and will therefore require MFA to be set up again for the new user, with a new MFA account added to your MFA app.
Do I need different MFA accounts on my app for the different platform logins?
If you are using the same username and password to log into the IHDA, clinical portal, and/or the Inhealthcare professional app, you will not need to set up multiple MFA accounts on your authenticator app.
If you belong to multiple organisations which require different username and passwords to log in, you will need one MFA account for each login on your authenticator app.
Is there a way to use NHS smart cards as the second form of identification?
We are aware that many users already have NHS smart cards, however they are not currently going to be used as a second layer of authentication.
That doesn't mean Inhealthcare won't look to utilise them instead of MFA in the future.