Thanks Rob. We're building 2FA configuration into the care portal.
This will allow users to scan a QR code with their chosen 2FA application (Google Authenticator, Microsoft Authenticator, etc.). This is being worked on over the next couple of weeks and will be released when ready.
I believe an SSO solution would work better, as suggested as an alternative option below. The majority of NHS trusts and LAs use Microsoft, so using their account for an SSO would assist uptake of use of the system. It will also mitigate potential significant costs introduced by suppliers to develop/implement a contextual launch, which I agree is the best option but the costs would outweigh the benefits.
Hi Keith,
We have undertaken some investigatory work recently to understand what's required to implement Google Authenticator as a 2FA solution.
The implementation of this would solve your need to have an authentication solution that is not dependent on text message, but it does not look like it is your preferred solution.
I have created a new investigation task to look into the possibility of introducing Microsoft Authenticator alongside Google Authenticator. When the investigation is complete, I will feed back the outcome.
Would Microsoft Authenticator provide an easier access tool/model with its use in NHS mail?
There is an option for us to explore the use of the Google Authenticator app; this means staff would not have to provide their mobile phone numbers but would instead have to install the app and use their phone in order to receive the OTP.
We would like feedback on whether this represents a feasible alternative based on where else phone use is a problem. Our preference would be to move more tenancies towards contextual launch wherever possible.
Hi Keith, no, context launch does not require 2 factor authentication, so there is no SMS message.
Thanks for the offer, I'll come back to you separately on this.
Ian, my understanding was that even with the current context launch the initial login needed to be authenticated by SMS. I might be wrong as it's a while ago since I needed to do it.
I'm more than happy to beta test anything if that helps.
Hi All, we have spoken about this internally and also directly with Google.
Using email instead of SMS is not an option.
Google Authenticator app could be an option - but this would also require a phone, which is likely to rule it out.
A further option could be a 3rd party Chrome extension - Authenticator - which would send a code to the browser - Google maintain that this is only for Chrome and not Edge, which may also rule it out.
This is not good news, but it's worth stating that the standalone method of accessing the portal is our least preferred consumption method. The user experience is significantly enhanced with a contextual launch method, which removes the friction of separate username and password, MFA, and having to search for the person, as well as user administration. We have contextual launch in SystmOne, Liquid Logic, and are working with other vendors such as Lorenzo, BadgerNet and EMIS to achieve the same.
We appreciate this will not always be possible, so we are also keen to work with customers to achieve an SSO (single sign-on) mechanism, i.e. use Active Directory to authenticate to the portal - this will remove the login and MFA obstacles, and just require the user to search for the person.
Does this sound like a viable option, and are there organisations on here willing to be involved in beta testing?
Thanks
Hi, also from LLR. I agree with my colleagues - the vast majority of our staff do not have a mobile phone for work and I don't think it's reasonable to ask them to provide personal mobile numbers; and some do not even have personal mobiles. So an alternative method of authentication does need to be looked at.
Hi from LLR. I also agree that it is not appropriate for staff to use personal phones and can't be assumed that all staff would have a mobile phone. Is the suggestion of email possible?
This also applies to the use of the Console.
It is unreasonable to ask junior staff members to use their personal devices for business matters. It is also unreasonable for staff to register their personal details for business matters. We don't want this to be a barrier and an obstacle to a brilliant business system that is essential. So it would be really helpful to remove any barriers please.
Hi from LLRCR. We've been asked to raise this by one of the Councils about to pilot. Their staff do not have work phones and are very reluctant to use personal phones. They suggest receiving the code by email instead.
We have only gone to one practice in the pilot phase. The practice manager would only give us the numbers for work phones, of which there were three.
I'll speak to the other four pilot practices in January when we broaden the pilot.