Multi-Factor Authentication App Installation Guide

Microsoft Authenticator App Installation

For iOS (iPhone) or Android Devices:

  1. Open the App Store or Google Play Store

    • iOS: Open the App Store
    • Android: Open the Google Play Store

  2. Search for the App

    • In the search bar, type: Microsoft Authenticator

    auth-app

    Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries and regions. App Store is a service mark of Apple Inc. Android, Google Play and the Google Play logo are trademarks of Google LLC.

  3. Download and Install

    • Tap the Install or Get button
    • Wait for the app to download and install on your device

  4. Open the App

    • Once installed, tap Open to launch Microsoft Authenticator

TIP

To install the authenticator app using a QR code, click the following link authentcatior app this will open in a new tab on your browser.

Setting Up the Microsoft Authenticator App

1. Log In to Your Account

  • Open the Sandpit or Live environments login page
  • Enter your username and password
  • Click Login

login

2. Pause at the QR Code Screen

  • After logging in, a screen will appear displaying a QR code
  • Do not proceed yet, you will need to scan this code using the Authenticator app shortly

install-app

3. Open the Microsoft Authenticator App

  • Launch the app on your mobile device
  • Tap the plus sign (+) in the top-right corner to add a new account

4. Choose Account Type

  • Select Other (Google, Facebook, etc.)
  • If prompted, allow camera access on your device

account-type

5. Scan the QR Code

  • The app will open a camera view
  • Point your device at the QR code on your computer screen
  • The account will be added instantly to your Authenticator app

scan qr

6. Verify the Setup

  • A 6-digit code will appear in the app
  • Enter this code into the box on your computer screen
  • Click Verify Code and Activate

varify-active

TIP

A new 6-digit code displays in the app every 30 seconds.

Inhealthcare Professional App

Log into the Inhealthcare professional app as usual. Switch to the authentication app to view the six-digit code, then return to the Inhealthcare professional app to enter the code. app-mfa-switch

7. Save Your Recovery Codes

  • A screen will display your recovery codes
  • Copy or securely save these codes in case you lose access to your device
  • Click Continue

auth-code-back-up

TIP

These recovery codes are intended for emergency use only, such as when your authenticator app is unavailable and can be used once per code. Click the clipboard icon in the top-right corner of the code box to copy the recovery codes to your computer’s clipboard. Alternatively, you can manually copy and paste the codes into a secure location for safekeeping.

clipboard

8. Final Login Confirmation

  • You will be returned to the login screen
  • Enter your username and password again
  • Open the Authenticator app and enter the new 6-digit code
  • Click Verify

confirmation

You are now securely logged into the environment with MFA enabled.

FAQs

How will users generate an MFA token?

We recommend the Microsoft Authenticator App as users should already be familiar with it if they use NHS Mail, or MS 365. This should be installed on a mobile device which will be available for every future login.

The first time a user logs in after the MFA is introduced, they can follow the above instructions on installing the authenticator app and how to use it to log in.

I set up MFA for my portal account, do I need one for my Inhealthcare Professional app?

If your MFA has already been set using a computer, you do not need to repeat the steps to log into your smartphone app.

Simply use the authenticator app you configured to take the 6-digit MFA code and type this into the app when prompted while logging in.

Will patients require MFA?

No, MFA will only be required when logging into clinical apps such as:

  • IHDA-SA (Inhealthcare Desktop Service Agent)
  • IHDA-GP (Inhealthcare Desktop Application)
  • IHMA (Inhealthcare Professional app)
  • Reporting dashboard
  • Portal
  • Organisation data
  • The Toolkit
Will Sandpit also require MFA?

At the moment all platform access will require MFA. However, we are currently working with NHS England to check if an exception can be made for non-live environments. Please note that the account created in the authenticator app will clearly show which environment it is for.

All users with the Organisation Admin role will require MFA, even in the sandpit environment.

A separate MFA will be needed for using Live and Sandpit (testing) environments. Your account on the MFA app will display which environment each code shown is for.

I'm having trouble adding two IHC accounts to my authenticator app, what do I do?

If you have more than one login, e.g. one for each environment (sandpit, live, etc.), but they use the same email address as the Username some iPhone users have experienced the second account added overwriting the first one.

This is not an Inhealthcare issue, but a known issue with Microsoft Authenticator.

The workaround is to add the second account manually, using the secret key (i.e. not via the QR code), or to use an alternative authenticator app instead.

What happens if I need to reset the password for my login?

This will not affect your MFA account. Use the Forgot password link and follow the usual process for resetting your password.

My recovery codes no longer work, what do I do?

Recovery codes (shown in step 11 above) should only be used if your mobile MFA app is unavailable. Each code can only be used once therefore, once all codes are used, they will no longer work.

The only way to reset the recovery codes is for your Organisation Administrator to manage your user login and selecting Reset MFA enrolment. This will require you to follow the instructions above to re-install the authenticator app.

If re-setting the app on the same mobile device, you may be required to remove your Inhealthcare account before it can be re-added/re-set.

Only one authenticator app/device can be associated with each login at one time.

What do I do if I can no longer access my authenticator app?

If your mobile device is lost/broken/stolen and you can no longer access the authenticator app you installed, your Organisation Administrator will need to manage your user login and select Reset MFA enrolment.

This will allow you to download and install the authenticator app to a new mobile device, following the steps above.

Only one authenticator app/device can be associated with each login at one time.

How will MFA impact Contextual launch?

If your service uses contextual launch from the GP system to open Inhealthcare with the correct patient already loaded, this will still work but will no longer auto-login to the IHC platform. MFA will still be required.

I have a new mobile phone or I am unable to access the authentication app I used preivously

If you have a new mobile phone or are unable to access the authentication app on your old device, install the app on your new phone. Refer to the user guide below for installation instructions.

Microsoft Authenticator app.

If you need quick access to your account, use the recovery codes. Each code is valid for one use. For long-term access, we recommend installing the app on your new device.

How will MFA impact Inhealthcare Desktop Service Agent Users?

Will a new authentication be needed each time a record is pushed through to the GP system?

An IHDA-SA user will only need to use MFA when they register the IHDA-SA. MFA won't be required again until the session has expired and the IHDA-SA requires re-registering.

All functions used within the IHDA will remain the same.

If my login is deleted from the platform, what happens to my MFA account?

If your user is deleted by an Organisation Administrator, you will no longer be able to access the platform. However, the account will still appear in your authenticator app, but the generated codes will be redundant as your user has been deleted. You can safely delete the entry from your authenticator app.

If you require a new log in, this will be under a new username and therefore require MFA to be set up again for the new user.

If you require a new login, this will be under a new user name and require a new MFA account to be added to your MFA app.

Do I need different MFA accounts on my app for the different platform logins?

If you are using the same username and password to log into the IHDA, clinical portal, and/or the Inhealthcare professional app, you will not need to set up multiple MFA accounts on your authenticator app.

If you belong to multiple organisations which require different username and passwords to log in, you will need one MFA account for each login on your authenticator app.

Is there a way to use NHS smart cards as the the second form of identification?

We are aware that many users already have NHS smart cards, however they are not currently going to be used as a second layer of authentication.

That doesn't mean Inhealthcare won't look to utilise them instead of MFA in the future.

Last Updated:
Contributors: Kat Whittingham, Shanice Mitchell, shanice.mitchell