AMS SAR Portal Notice: 2FA
Published on June 20, 2024
We are implementing a change to the AMS SAR Portal as part of our ongoing process of continuous security improvements.
From 16 July 2024, Two-Factor Authentication (2FA) will be enforced on the AMS SAR Portal for all Internal users with access to the Client or Admin areas who do not already have this set up.
There are 3 options for 2FA:
- Authenticator App
- SMS
- Email
The system will enforce Email as the minimum option for Two-Factor. If you choose the authenticator app, all main apps are supported, including Microsoft Authenticator and Google Authenticator, and this option does not require an internet or cellular connection.
What is 2FA?
Normally you use your email address and password to log into your account. Two-factor authentication (2FA) is an additional way of checking that it is really you when you log in to your account.
In addition to your email address and password, you will need to set up a second form of authentication, such as an authentication app on your mobile phone, text message or email. This second layer of security is designed to prevent anyone but you from accessing your account, even if they know your password.
After this has been set up, when you log into your account, you will have to provide a 6-digit code, which will either be emailed to you, sent to your phone via SMS, or taken from your authenticator app, depending on which option you chose.
If you have not set this up before it is enforced, the system will automatically prompt you to choose which option you prefer to use and set it up for you.
Why are we enforcing 2FA?
Enforcing 2FA is part of the NHS policy to protect patient data. Cyberattacks pose a risk to patient privacy because hackers could access sensitive information. Two-factor authentication provides additional protection against these attacks.
- Up to 80% of data breaches can be prevented by simple actions like enabling MFA – Source: DBIR, 2020
- Over 93% of healthcare organisations experienced a data breach from 2017 to 2020 – Source: Herjavec Group, 2020
- More than 99.9% of accounts compromised by cyber-attacks can be blocked by using MFA – Source: Microsoft, 2022
Benefits of 2FA
- Enhanced Security: 2FA transcends reliance on passwords alone. By combining factors like something you know (password), something you have (a device or token), or something you are (biometrics), 2FA fortifies your account against attacks.
- Prevents Unauthorised Access: Even if an attacker steals or guesses your password, 2FA acts as an additional barrier preventing unauthorised access.
- Seamless Remote Work: As remote work becomes the norm, 2FA ensures secure access to AMS SAR Portal resources from any location without compromising safety.
- Compliance and Trust: Adhering to regulations (such as GDPR) is essential. 2FA safeguards sensitive patient data, maintaining compliance and fostering trust.
How to set up and use 2FA
You can control the enforcement settings in the Admin area, under Security, then Multi-Factor, then Options.
By default, from July 16th this will be enforced for all Internal Users with Email as the minimum option, but you can also disable this if you want to force users to use SMS or an Authentication App.
This only applies to Internal Users (Request Handlers and Admins); it does not affect Requesters when they create an account on the portal to make a request. However, you can also enforce the rule for Requesters (External Users) and Contributors if you want to.
What does a user see when this has been enforced?
The first time an Internal User logs in after this has been enforced, they will be prompted to choose their preferred 2FA method.
If using Email or SMS, you will be emailed a code to enter to set this up, and then each time you log in, the system will email you a new code. For those that want to use an Authenticator App, there will be an option to scan a QR code.
If you have any questions and you are an existing user of our SAR Portal, please contact your account manager.
For more information on the AMS SAR Portal, please see our product page here.
Thanks for reading!