This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more, please read our privacy policy.

MFA Frequently Asked Questions (FAQs)

Here you will find a selection of frequently asked questions (FAQs) about Multi-factor authentication (MFA). These FAQs are regularly updated so please keep checking this page for the latest updates. If you have a question you'd like to raise or you are experiencing a problem using MFA please get in touch.

Multi-factor authentication, or MFA, is an additional way of checking that it is really you when you log in to your account. In addition to your email address and password, you will need to set up a second form of authentication.

The recommended approach is to use the Microsoft Authenticator app on your mobile device.

This second layer of security is designed to prevent anyone but you from accessing your account, even if they know your password.

The introduction of MFA will help meet industry and cyber security best practice, helping to protect NHS data, user personal data and patient data.

MFA is quick and easy for most people to set up. Should you experience any problems, help and support is available.

You will only be asked for MFA if your identity needs to be further verified for additional security reasons. An example could be when signing in to your Microsoft account from a personal computer or personal mobile device, which is not on the NHS network.

If you are using a personal computer, mobile device or NHS Apple device, MFA verification is required every eight hours. If you are prompted for MFA using an NHS device, please contact the IT Service Desk.

MFA can block over 99.9 percent of account compromise attacks (Source: Microsoft). Therefore, it is a highly effective way of keeping your IT account and data secure from cyber crime groups.

Cyber crime groups can access your Microsoft 365 account if they guess your password correctly or trick you into sharing your details through scam emails, text messages or phone calls - known as ‘phishing’.

To protect your account, please set up Multi-Factor Authentication (MFA), which can block over 99.9 percent of account compromise attacks.


You need an Internet connection to receive a push notification on the Microsoft Authenticator app but not to access a one-time passcode.

The Microsoft Authenticator app does not collect or store any personally identifiable data. Your personal mobile device details are not used for any purpose other than protecting your account.

Multi-factor authentication (MFA) is a mandatory security policy that all staff must comply with.


If you have a new telephone number or need to update your verification method, please follow the steps below:

  1. Sign into the Microsoft 365 portal (

  2. Select your profile picture in the top right, then select View account.

  3. Under Security info select Update info.

If you are not able to authenticate because you no longer have access to the phone or app you previously used to verify your identity, please contact your IT Service Desk from the 'Self Service' icon on your device home screen.