MFA requirements for native login system when integrating with NHS Login

Hi all,

We’re currently looking to implement NHS Login within our platform and would appreciate some clarification around our native MFA expectations.

  1. Referring to the DAPB3051 standards, our application will require low verification and strong authentication levels. When we integrate NHS Login, is there a requirement for our native (non–NHS Login) authentication method to have mandatory MFA enabled for all users? Or is it acceptable for MFA to remain optional within our own login flow?
  2. In terms of MFA options, we are considering a flow where users would authenticate via a magic link (sent to email) and then use a password. Is this considered an acceptable MFA combination? This approach isn’t commonly used in other similar applications, so we’re keen to understand whether this would meet security expectations.

Any further guidance or examples would be greatly appreciated! Thanks in advance.

Christina

For context, the DAPB3051 standard is published on behalf of the Department of Health by NHS England (the Data Alliance Partnership Board). Any app to be used in the NHS or Social Care in England must be compliant with the standard, and commissioners must refer to this standard.

NHS login is compliant with the standard.

Where NHS login is used alongside a native ID verification and authentication system, both parties need to be compliant with the standard.

If a product assesses itself to require Strong Authentication, this must be exhibited by both an NHS login authentication journey and a native authentication journey. Likewise, if the standard notes that only Basic authentication is required, then that is what can be implemented.