Passkeys

Information about using NHS CIS2 Authentication with passkeys, which require fewer steps to log in for compatible devices than other authenticators.

What is a passkey?

Passkeys are a technology that allows authentication without passwords.

They work by using biometrics or the device's screen lock passcode. Most users simply tap with their fingerprint or look at their device’s camera to authenticate.

As an option for CIS2 authentication, passkeys enable health and care professionals to log in with fewer steps and can reduce context-switching.

Do passkeys replace passwords?

Yes, according to Apple, Google and Microsoft, passkeys are designed to replace passwords. Passkeys are thought to be an evolution of passwords.

Instead of remembering or recording increasingly complex passwords, passkeys enable users to authenticate with their device’s biometrics or screen lock.

How does authentication with passkeys work?

Instead of sending a password over the internet, your device generates 2 keys:

  • a private key, stored securely on your device 
  • a public key, registered with the website or application 

When you want to sign in to a website or application, your device has to prove that it has the private key. After you unlock your private key, your device digitally signs a challenge from the website or application. The website or application verifies the signature using the public key and grants you access. 

Are passkeys considered multi-factor authentication (MFA)?

Yes, passkeys are considered a form of multi-factor authentication. When you use a passkey, you must use a device that stores the passkey (something you have) and unlock it with biometric information or a PIN (something you are or something you know).

Are passkeys secure?

Passkeys are often described as more secure and resistant to scamming, such as phishing.

When they are created, passkeys are associated with the specific domain of that website or app. A passkey created for am.nhsidentity.spineservices.nhs.uk can only be used with am.nhsidentity.spineservices.nhs.uk.

Phishing is when a user is tricked into providing sensitive information (such as their password) through malicious websites, misleading texts and social engineering. Malicious websites pretend to be other familiar sites, but can have a slightly different domain. 

When the user is tricked into landing on a fake website, the device will not allow authentication, because the fake site's domain does not match the domain the passkey was created for.
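
The challenge signing described under "How does authentication with passkeys work?" and the domain binding described above, sketched as an added example in JavaScript (Node.js). It is not NHS CIS2 code: the function names are hypothetical, the lookalike domain is constructed, and the domain match is simplified to an exact hostname comparison.

```javascript
// Added example: simplified WebAuthn-style passkey flow, not NHS CIS2 code.
const crypto = require('crypto');

const RP_ID = 'am.nhsidentity.spineservices.nhs.uk'; // domain named on this page
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device creates a key pair scoped to one domain (rpId).
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, privateKey, publicKey }; // only publicKey is sent to the server
}

// Device side: the browser supplies the origin it is really on. Assumption:
// exact hostname match (real WebAuthn also allows a parent-domain rpId).
function signAssertion(passkey, challenge, browserOrigin) {
  if (new URL(browserOrigin).hostname !== passkey.rpId) return null; // nothing offered
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin }));
  // rpId hash (32 bytes) + flags 0x05 (user present, user verified) + counter
  const authData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: crypto.sign('sha256', signed, passkey.privateKey) };
}

// Server side: check challenge, origin, rpId hash and flags, then the signature.
function verifyAssertion(assertion, publicKey, expectedChallenge) {
  if (!assertion) return 'no-assertion';
  const cd = JSON.parse(assertion.clientData.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'wrong-type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'stale-challenge';
  if (cd.origin !== `https://${RP_ID}`) return 'wrong-origin';
  if (!assertion.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-rp';
  if ((assertion.authData[32] & 0x04) === 0) return 'user-not-verified';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario: genuine sign-in, lookalike domain, replayed assertion.
function demo() {
  const passkey = createPasskey(RP_ID);
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(passkey, challenge, `https://${RP_ID}`);
  const lookalike = signAssertion(passkey, challenge, 'https://am.nhsidentity.spineservices-nhs.example');
  return {
    genuine: verifyAssertion(genuine, passkey.publicKey, challenge),
    lookalike: verifyAssertion(lookalike, passkey.publicKey, challenge),
    replay: verifyAssertion(genuine, passkey.publicKey, crypto.randomBytes(32)),
  };
}
console.log(demo());
```

The server rejects an assertion on any single mismatch (challenge, origin, domain hash, user-verification flag or signature), so a signature captured on one sign-in is of no use for the next challenge or for another domain.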

Can I use passkeys across multiple devices?

Yes, but this will depend on where the passkey has been stored. This is often called cross-device authentication. 

To link your devices together for cross-device authentication, you must scan a QR code that's generated on the device where you want to sign in. During this process, a proximity check takes place to ensure that the passkey is only being used for authentication on a linked device that's nearby.

This means you can be assured that your passkey cannot be used by a remote attacker to gain access from far away.

Passkeys are currently enabled for NCRS, eRS, MESH and CSMS

Passkeys are currently being used to access national services by organisations across health and care settings.

Passkeys are available now for all organisations to use. If you would like further information please contact the NHS England Identity and Access Management team at [email protected]

Benefits
  • A strong authenticator that's more resistant to scamming
  • Simple and convenient steps to log in
  • No need to buy new technology - passkeys work on a user's smartphone
  • Provides NHS organisations with options to promote use of an authenticator across Apple and Google devices, opening options on different operating systems


Help for IT teams

Guidance by operating system

Using passkeys with CIS2 Authentication can look different based on operating system.

With any of the operating systems below, if the device is managed by your estate, you'll need the ability to use passkeys enabled in your mobile device management. This may be as simple as allowing Windows Hello as an authentication method, or enabling iCloud Keychain to be used on Apple devices.

Windows 

To use passkeys on Windows devices, you will need at minimum Windows 10 or Windows 11.

Both versions allow the use of Windows Hello as a sign-in method. In our current implementation, using passkeys for Windows leverages Windows Hello. 

Apple

To use passkeys on Apple devices, you will need at minimum: 

  • iOS 16 
  • iPadOS 16 
  • macOS Ventura

Read more about using passkeys to sign in to websites and apps on iPhone.

Google  

To use passkeys on Google devices, you will need at minimum Android 14.

Procurement

Using passkeys with CIS2 Authentication only requires that the device used is compliant.

NHS organisations looking to use passkeys for all staff members should consider:  

  • the device mix present in their estate  
  • whether they have a BYOD policy

The current passkey offering is a synced passkey, which will rely on iCloud Keychain or Google Passwords for iOS and Android devices.  


Support

You can get support by going to the NHS Digital Customer Portal or emailing [email protected]


Contact us

There are lots of features we are working on and considering for the future. We'd love to hear what you think. 

To suggest new features or improvements, contact us by emailing [email protected]

To give us feedback on your experience with passkeys, please take our short survey.

Last edited: 5 June 2025 2:38 pm