We are enabling multifactor authentication (MFA) for production applications

On 13 November 2023, we are enabling multifactor authentication (MFA) for production applications.

You will need to setup MFA to access or edit:

  • the public key
  • API keys
  • the callback URL
1 Like

Are we able to setup MFA before 13th November?

We may need to troubleshoot the MFA setup, in which case there will be a period of time where we can’t guarantee that we can check or update settings for our production applications.

Hello, you are not able to configure MFA prior to 13th November as this is the feature release date. In the unlikely event of any issues, please contact us and we will be able to assist.

Great work @scott.williams10 and team.

I know there was some thinking about applying it to everything, but you’re probably right, use a step up MFA to cover the sensitive stuff, rather than the whole experience enabled by the developer account.

I wonder what others think?

That’s not the way other major systems I work with work (GitLab, GitHub, AWS) - it’s an account level setting required at login, not something asked for at particular points.

What MFA’s are supported ?

What about allowing different members of a company access to the protected sections - how’s that going to be supported ?


This is being added as a “Step-Up” authentication as we did not want to add any additional complexity to the journey. It is very much focused on that specific area to ensure security.

We support a standard range of MFA Authenticators (Microsoft Authenticator, Google Authenticator and Free OTP)

For different members of the organisation, as this is Step-Up MFA, we are not restricting this to different members. They would just authenticate as normal and then when they get to the Security Details section, they will be asked to set up Step-Up MFA. This has been done as to not invalidate the setup structure of the accounts. As is the current process, only App Admins and Team Owners can see the Security Details area. Viewers will still not have sight or access to this area.


I was just able to go to hXXps://onboarding.prod.api.platform.nhs.uk/MyApplications/ApplicationDetails/EditAPIKeys?appId=xxxxxxxxxxxxx and see both the key and secret, no MFA setup was prompted.

Did I misunderstand where MFA would be required as of yesterday ?

1 Like

What do we need to do in order to configure MFA?

Has the MFA feature actually been released?

Please see content on MFA here: Multi-factor authentication (MFA) policy - NHS Digital and info here: Microsoft Authenticator - NHS Digital

There is a contact you can refer to who will be able to support you.



We we’re aware of an issue post release and have been working to fix. The fix has now been successfully deployed and step-up MFA has been enabled.