
Security keys

Information about NHS CIS2 authentication security keys.

Security keys are typically small physical devices that connect to devices via a USB port or NFC.

They are a simpler alternative to smartcards: they require no software installation and no certificate renewal, and they are small and convenient enough to be attached to a set of keys or a lanyard.

See a list of supported keys.


Convenient

Benefits for users
  • Users can share desktops/laptops and authenticate with their own individual security key
  • No need for a smartcard or reader
  • Enables secure authentication to national clinical information systems over the internet

Choosing security keys

Users tend to find authenticating with security keys works well when they:

  • access multiple machines
  • are quite mobile, working in different buildings/offices

Live environment security keys

CIS2 Authentication allows security keys to be used if they meet FIDO2 Certificate Level 2.

To see which security keys meet FIDO2 Certificate Level 2, go to the FIDO Certified Products page (opens in a new window) and use these filter options:

  • Specification: FIDO2
  • Company: leave blank
  • Type: Authenticator
  • Authenticator Level: Level 2
  • Product Name: leave blank

Reliable

NHS CIS2 Authentication is a platinum service, supported 24 hours a day, 7 days a week.

See our latest availability statistics.


Case study

Dentists in London accessing e-RS

The organisation and service

NHS North East London ICB wanted their dentists to be able to refer patients for treatments using e-RS without the restriction of having to use a desktop connected to an HSCN.

Moving to NHS CIS2 Authentication

Yubikey 5 security keys were procured by local IT and provided to the users.

To start using NHS CIS2 Authentication, the dentists needed to meet with their RA who helped them to register the security key to the user's Care Identity profile.

The experience

The dentists in London found the registration process to be very quick and simple.

They can now refer patients using e-RS over the internet using their security key to authenticate.


Considerations for organisations providing IT Support

Benefits
  • No additional software is needed as it uses open standards - just procure, register and use
  • No certificate renewals required

Procurement

The procurement and distribution of security keys is the responsibility of the Trust, organisation or user.

Only Security Keys that meet NHS England cyber security standards are acceptable for use with NHS CIS2 Authentication (see above).

Registering devices to users

Each user must:

Network configuration

NHS CIS2 Authentication is primarily an Internet Only service, therefore, some configuration may be required to enable access:

  • out to NHS CIS2 Authentication
  • in from NHS CIS2 Authentication
Network diagram (text rendering of the image): the diagram shows the connection out from the user's device and from the relying party clinical information application to NHS CIS2 Authentication, and the connection in to the relying party clinical information application from NHS CIS2 Authentication.

  • Trust Network, containing the Relying Party Network (may sit inside a Trust Network) and the Relying Party Application
  • Live Environment: NHS CIS2 Authentication, at the NHS CIS2 Authentication domain https://am.nhsidentity.spineservices.nhs.uk/... (randomly allocated IP address)
  • User, with Security Key, on the Public Internet
  • Requests to NHS CIS2 Authentication: OIDC Authorization Code Flow from the user (e.g. .../authorize) and from the Relying Party Application (e.g. .../access_token, .../userinfo)
  • Requests to the Relying Party Application: OIDC Back-Channel Logout to the Back-Channel Logout endpoint (.../<backchannel_logout_uri>), sent from a Fixed IP Range: 52.142.148.70/31 and 51.143.231.182/31
  • Important: may require network configuration changes

Out to NHS CIS2 Authentication

Both end users and applications need to be allowed to send requests out to https://am.nhsidentity.spineservices.nhs.uk/.

This domain resolves to randomly allocated IP addresses that are subject to change, so allow it by name rather than by IP address.

In from NHS CIS2 Authentication

Whenever the user's NHS CIS2 Authentication session is destroyed (e.g. on expiration), NHS CIS2 Authentication can send Back-Channel Logout requests to the application.

These requests come from a small number of fixed IP ranges.

The network hosting the application may therefore need firewall rules that allow requests from these NHS CIS2 Authentication ranges to be routed through to the application.

If the application is installed within a Trust network, it is recommended that the endpoint receiving these requests is isolated on a web server rather than exposed directly on critical internal servers.
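The two rules above (allow outbound by domain name because the addresses change; allow inbound Back-Channel Logout only from the fixed ranges) can be expressed as a small boundary-check routine. The following is an added example written for this page, not code from NHS CIS2 or any relying party; the domain and the two /31 ranges are taken from the page, while the logout path /oidc/backchannel-logout and the sample connection records are constructed placeholders.

```python
import ipaddress

# Values quoted on the page: inbound Back-Channel Logout requests arrive from
# these fixed ranges; outbound requests go to this domain, whose IP addresses
# are randomly allocated and subject to change (so match by name, not by IP).
CIS2_BACKCHANNEL_SOURCE_RANGES = [
    ipaddress.ip_network("52.142.148.70/31"),
    ipaddress.ip_network("51.143.231.182/31"),
]
CIS2_AUTH_DOMAIN = "am.nhsidentity.spineservices.nhs.uk"

# Assumption (placeholder): the path the relying party registered as its
# backchannel_logout_uri. The page shows it only as .../<backchannel_logout_uri>.
BACKCHANNEL_LOGOUT_PATH = "/oidc/backchannel-logout"


def is_cis2_backchannel_source(peer_ip: str) -> bool:
    """True if peer_ip falls inside one of the fixed CIS2 source ranges."""
    try:
        addr = ipaddress.ip_address(peer_ip.strip())
    except ValueError:
        # Malformed or empty address: fail closed.
        return False
    return any(addr in net for net in CIS2_BACKCHANNEL_SOURCE_RANGES)


def backchannel_source_addresses() -> list[str]:
    """Expand the /31 ranges into the individual addresses a firewall rule lists.
    Iterating the network (not .hosts()) keeps both addresses of a /31."""
    return [str(h) for net in CIS2_BACKCHANNEL_SOURCE_RANGES for h in net]


def decide(direction: str, endpoint: str, path: str = "") -> str:
    """Return 'allow' or 'deny' for a request crossing the network boundary.

    direction: 'out' for traffic leaving the Trust / relying party network,
               'in' for traffic arriving from the internet.
    endpoint:  destination host name (out) or source IP address (in).
    path:      request path, used only for inbound requests.
    """
    if direction == "out":
        # Outbound: allow the authentication domain by name only.
        return "allow" if endpoint.lower() == CIS2_AUTH_DOMAIN else "deny"
    if direction == "in":
        # Inbound: only the logout endpoint, and only from the fixed ranges.
        if path == BACKCHANNEL_LOGOUT_PATH and is_cis2_backchannel_source(endpoint):
            return "allow"
        return "deny"
    return "deny"


# Constructed sample connection records (not real NHS traffic), one per line:
# "<direction> <host-or-ip> <path>". Outbound paths are abbreviated as on the page.
SAMPLE_RECORDS = """\
out am.nhsidentity.spineservices.nhs.uk /authorize
out am.nhsidentity.spineservices.nhs.uk /access_token
out example.invalid /userinfo
in 52.142.148.71 /oidc/backchannel-logout
in 51.143.231.182 /oidc/backchannel-logout
in 52.142.148.72 /oidc/backchannel-logout
in 52.142.148.70 /admin
in not-an-ip /oidc/backchannel-logout
"""


def evaluate_records(records: str) -> list[tuple[str, str, str]]:
    """Apply decide() to each record; returns (direction, endpoint, decision)."""
    results = []
    for line in records.splitlines():
        if not line.strip():
            continue
        direction, endpoint, path = line.split()
        results.append((direction, endpoint, decide(direction, endpoint, path)))
    return results


if __name__ == "__main__":
    print("Inbound allowlist addresses:", ", ".join(backchannel_source_addresses()))
    for direction, endpoint, decision in evaluate_records(SAMPLE_RECORDS):
        print(f"{direction:>3} {endpoint:<40} {decision}")
```

The inbound check deliberately fails closed on anything that is not a parseable address, and it scopes the allowed source ranges to the logout path alone, so opening the firewall for Back-Channel Logout does not expose the rest of the application to those ranges. Because the two /31 ranges each contain two addresses, backchannel_source_addresses() is the list a firewall rule would carry if it cannot express CIDR notation directly.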


Support

You can get support by going to the NHS Digital Customer Portal or emailing [email protected].

Our vision is evolving as we learn

There are lots of features we are working on and considering for the future.

We'd love to hear what you think.

To suggest, comment or vote on these features, visit our feedback portal or contact us by emailing [email protected].

Last edited: 15 December 2023 9:27 am