Immediate Action Required: Your Directory of Services (DoS) login details need to be changed to Care Identity
The Directory of Services (DoS) is changing the way users authenticate their identity. DoS users will no longer log in via the current login method (username and password) and will instead use NHS CIS2 Authentication as the authentication service for DoS.
Why NHS CIS2 authentication is being implemented
- Allows log in with a variety of additional authentication methods
- Single login across multiple systems
- No need to remember different logins and passwords
When NHS CIS2 authentication is being implemented in DoS
NHS CIS2 Authentication is expected to be implemented by March 2025.
The implementation is planned in two phases:
Phase I: User preparation and readiness
DoS users must take steps to be ready when multi-factor authentication (MFA) rolls out. Details are provided below on this webpage.
Phase II: Implementation and roll-out
There will be changes to the DoS login pages, and users will be guided through the steps they have to take to transition to the CIS2 Authentication service.
Guidance on this phase will be provided to all users prior to the implementation and roll out.
What this means for you
If you log into DoS via an individual username
...and you have an active NHS CIS2 Authentication account:
- ensure that the email associated with your DoS account and your NHS CIS2 account are up to date
- for further guidance see Updating your email address
...and you have an NHS CIS2 Authentication account but it is not active:
- you will need to contact your local registration authority agent who will be able to take you through the necessary steps to reactivate your CI
- see also - Find your registration authority
...and you do not have an NHS CIS2 Authentication account at all:
- you must apply for your Care Identity by contacting your registration authority - see Obtain a Care Identity
- see also - Find your registration authority
Once you have your Care Identity, ensure that the email associated with your DoS account and your Care Identity account are up to date.
If you log into DoS via a shared DoS username (username/password used by multiple individuals)
...and you have an active NHS CIS2 Authentication account:
- you must request an individual username for DoS - see Request a new DoS account
- when prompted for a reason ("Tell us why you need access to NHS Directory of Services") say: 'I currently use a shared username (provide username you currently use) and require an individual username for MFA readiness.'
- ensure that the email associated with your DoS account and your NHS CIS2 account are up to date
- for further guidance see Updating your email address
...and you have an NHS CIS2 Authentication account but it is not active:
- you must request an individual username for DoS - see Request a new DoS account
- when prompted for a reason ("Tell us why you need access to NHS Directory of Services") say: 'I currently use a shared username (provide username you currently use) and require an individual username for MFA readiness.'
- you will need to contact your local registration authority agent who will be able to take you through the necessary steps to reactivate your CI
- see also - Find your registration authority
...and you do not have an NHS CIS2 Authentication account at all:
- you must request an individual username for DoS - see Request a new DoS account
- when prompted for a reason ("Tell us why you need access to NHS Directory of Services") say: 'I currently use a shared username (provide username you currently use) and require an individual username for MFA readiness.'
- you will also need to apply for a Care Identity by contacting your registration authority - see Obtain a Care Identity
- see also - Find your registration authority
Once you receive your individual DoS username and Care Identity, ensure that the email associated with your DoS account and your Care Identity account are up to date.
For all technical issues or requests related to MFA for DoS, raise a ticket on ServiceNow by contacting us through one of:
- ServiceNow Portal (preferred option) - enter 'MFA-DoS - ' before your query in the 'short description' box
- Email [email protected]
- Telephone 0300 3035035 - please call if your query is urgent
Updating your email address
All users must ensure that they have a valid, up-to-date, accessible email address associated with both their individual DoS account and their CIS2 account.
Updating an email address in DoS
This can be done within the DoS system by following these steps:
- Log into your DoS account.
- Click Account in the top right corner.
- Under My Account Details, check the Email Id box.
- If this needs updating, click the box and enter the email address required.
- Click Save at the bottom of the section to save.
Updating an email address in CIS2
This can be done by a user with a registration authority role, or by the user via Care Identity Management.
To do this:
- Log on to Care Identity Management.
- Click View your profile.
- Under Personal Details, find your email and click the link to Change.
- Enter your contact details and click update to save.
Obtain an NHS CIS2 Authentication
NHS CIS2 authentication allows for a seamless and secure login process. To learn more about NHS CIS2 Authentication, visit NHS CIS2 Authentication.
As part of NHS CIS2 Authentication, all DoS users will need a Care Identity with a locally approved authentication method. The acceptable authentication methods are:
- smartcard (HSCN and internet)
- Windows Hello
- iPad
- security key
- MS Authenticator
If you do not already have a Care Identity with a locally approved authentication method, contact your organisation’s local registration authority (RA) to have a ‘Directory of Services System’ position created locally. This position must include the parameters:
- Role R8008, admin/clinical support access role
- Activity B0166, Directory of Service UI Access
If you do not know your local RA then see Find your Registration Authority.
For DoS users that have not previously had an NHS Smartcard or Care Identity, the local RA will either arrange a face-to-face meeting or invite the user to apply for a national verified digital identity via Apply for Care ID. For help with Apply for Care ID as an applicant, you can view the support pages.
Decide and approve the authentication method
Any staff members who have created a Care Identity during this process will need to be issued an approved NHS authenticator. Registration Authority teams can bind any of the authenticator options below:
- NHS Smartcard
- Windows Hello
- iPad
- security key
- Microsoft Authenticator
- NHSmail (currently in private beta)
For more information on issuing authenticators as an RA, read our guidance pages.
Process care identity requests for DoS UI users who do not already have a Care Identity
RAs can register users in Apply for Care ID or Care Identity Management (directly, or by the ESR link) and issue an authenticator.
RAs should assign a new or existing position to the user profile(s) as per instructions above (see Decide Access Profile Configuration).
Amend the Care Identity profile if a DoS UI user already has a Care Identity
RAs should check that the user has an NHS authenticator bound and active.
RAs should ensure access is assigned as per the instructions above.
RA actions to support these changes
To support these important changes, you will need to ensure that RA agents are aware of the need for an approved authentication method to access the DoS. This must be one of:
- smartcard (HSCN and internet)
- Windows Hello
- iPad
- security key
- MS Authenticator
View more information about these authenticator options.
You must also:
- process the authenticator requests for DoS users who do not currently have one, in a timely manner, when they submit their application
- process requests for the DoS application access position to be added to existing users with an appropriate authentication method in place
Actions for local IT teams
DoS users will use their local authentication method and CIS2 to log in to DoS. This will replace the current username and password login process via the DoS login page.
Local IT teams need to ensure that devices are set up according to the requirements for the authentication option selected. See NHS CIS2 Authentication - authenticator options for more information.
For smartcard access see guidance for configuring NHS identity to work with NHS Smartcards.
Actions for DoS user administrators
All users of the DoS UI will use a Care Identity with an appropriate authentication method to log in to DoS via CIS2. This will replace the current username and password login process via the DoS login page.
Resolution of shared account access to DoS
The requirement to use MFA to log into DoS mandates that all access to DoS must be via an individual account.
If you currently manage DoS users who access DoS using shared accounts, then this will need to be resolved.
All users who access DoS in this way will be asked to request a new individual account. See If you currently use DoS with a shared account.
As part of this request, they will be asked to link their Care Identity and validate their authentication option.
Authorisation of the DoS account will happen in the same way. The user will validate their email, and you will authorise access as appropriate.
Once authorised and active, the user will be able to use their CIS2 login to access DoS.
At a point in time, after the interim implementation period, the shared accounts will be deactivated.
Actions for DoS leads
You will use your Care Identity with your chosen authentication method to log in to DoS via CIS2. This will replace the current username and password login process via the DoS login page.
Your access to DoS will be the same as defined above, using an individual DoS account linked to your chosen Care Identity and authentication method.
Any issues should be raised via the helpdesk - see section Guidance for troubleshooting any issues.
Last edited: 20 May 2025 5:21 pm