Issue or remove a security key in Care Identity Management

How to use Care Identity Management to issue a security key as an authenticator, as an alternative to a smartcard, or remove a security key from a user's profile.

Which roles can do this?

Registration Authority Manager
Registration Authority Agent (Advanced)

Before you start

For the Registration Authority

You will need to set up a registration meeting with your user, either via video or face-to-face. Registration must be completed in your presence.

For the user

the user should have a security key that is supported by NHS CIS2
the user must bring their computer and security key with them to the meeting
the user must have a working internet connection
view the Warrantied Environment Specification to check browser compatibility

Face-to-face process

From the Care Identity Management home page, choose 'Find an existing user'.

CIM home page find an existing user highlighted

Enter the user's details and select 'Search'.

Care Identity Management find an existing user

Choose 'View profile' on the right of the screen.

Care Identity Management user found

Go to the Authenticators tab on the user's profile page and select Issue other authenticator.

Shows a list of authenticators, with a button highlighted to Issue other authenticator

Select Security key and continue

CIM select other authenticator security key highlighted

You will now see a screen with instructions how to register the device.

When you've read the instructions and are both ready to proceed, select Generate link.

Shows instructions for registering a security key, with a highlighted button to Generate link

Copy the link and send it to the user by email, or paste it into the chat function of the video call software you are using.

Shows a registration link and a highlighted button to Copy link

The user should copy the link.

They will be prompted to choose how they want to create a passkey. They should select the option 'External security key or built-in sensor'.

Shows a screen inviting the user to create a passkey, with External security key option selected

The user will be prompted to continue their key setup.

Shows security key setup page with the option to select OK

Shows continue security key setup page with the option to select OK

The user will be asked to either tap their security key or insert into the USB port.

Shows instructions to tap the security key or insert into reader

The user will be asked to create a PIN.

Shows form fields for creating and confirming a PIN

Once the user has created a PIN they will be instructed to touch their security key.

Touch your security key

A confirmation message will be displayed advising the PIN has been created and requesting the user to touch their security key again.

To confirm that the registration process is complete, the user will see a Registration successful confirmation page.

The user can now close the page.

The user profile page will now show that the user's device has been registered to the user.

Shows that a security key has been added to the list of authenticators on the user profile, and has a status of active

Test the security key registration has been successful

To test and demonstrate that the Security Key registration has been successful, ask the user to authenticate using their security key.

Remove a security key

From the user's profile, select the 'Authenticators' tab, find the security key in the list and select 'Remove' on the right.

CIM authenticators security key remove link

Select the box to confirm you want to remove the security key, followed by the 'Remove authenticator' button.

CIM remove security key

Finally you'll see a message confirming that the security key has been removed from the user's profile.

CIM security key removed successfully

Last edited: 24 April 2025 2:33 pm