
NHS Mail - Multi-Factor Authentication

Posts: 43
Free Member
 

Currently going through this. All work PCs use a webmail link. I work in a lead lined department with a number of Faraday cages. No mobile signal. 15000 employees and not enough money for paper roll for the couch. Work phone lol.


 
Posted : 17/01/2024 6:47 pm
Posts: 4107
Full Member
 

@ultrasound you don't generally need a signal for MFA. Before phones you used to get a keyfob device with a button and LCD display. That didn't use WiFi or 4G.


 
Posted : 17/01/2024 6:52 pm
Posts: 11605
Free Member
 

@tjagain

Why would you put anything for work on your personal device?

So I can log in? Like literally, verify which one of the selection is the number on the screen. That's it.

Of course it's different if you are mobile working but then what are you getting your emails on?

The laptop I'm trying to sign in to!

I have no need and no desire to lug around another bit of tech, especially for the sake of a 179mb app (which I already use anyway). That's literally the only thing work need me to use a personal device for other than the vanishingly small chance they'll contact me out of hours which I'd be getting OT for anyway.


 
Posted : 17/01/2024 7:17 pm
 toby
Posts: 548
Free Member
 

Whenever one of these conversations comes up, I'm amazed it's not a normal part of the rollout to have the option of a keyfob device that's compatible with the MFA being used. It's not uncommon for there to be a number of people in any one group who can't / won't put anything on their own phone. They're not expensive (certainly a lot less than a £400 smartphone just to run a number generating app).

As for leaving the device at work, that drastically reduces the security, the point of MFA is to reasonably confidently say that whoever is signing in has access to "Something you have". If you were given a physical key to something you were to have access to at work, would it be a gross imposition to be expected to take that key home when you weren't at work? I certainly doubt that many people would think it reasonable just to leave keys on their desk at the end of the day. (Yes, I get that keysafes exist, but again that means that "This was opened by the key that only you should have" becomes "This was opened by one of the many people who have access to the keysafe".)


 
Posted : 17/01/2024 7:25 pm
 Pyro
Posts: 2404
Full Member
 

Whenever one of these conversations comes up, I’m amazed it’s not a normal part of the rollout to have the option of a keyfob device that’s compatible with the MFA being used.

We have the option of FIDO tokens. But we (the NHS Trusts) would have to buy them/pay the subscription cost for them, which is not financially viable when there's a way which doesn't cost anyone anything - users adding an account to a very small app which they might already be using for other things already in a personal device, rather than more taxpayer* money going on paying for tokens or mobiles for all staff. The NHS are in the shit financially, it can do without that in the budget no matter what staff think...

The other thing non-NHS commenters might be missing in here: This is not a policy the OP's employer are enforcing, this is a change NHS England/NHSMail are forcing on all NHS organisations who use the central tenant. We don't get a say in the matter if we want to keep our email system. Employing organisations are also copping the shitty end of the stick, stuck between an enforced policy change from above and shirty users from below. We've had mandatory MFA on our organisation (an office of an ICB) for two years, but our GP Practices have refused - we've got a few who've lost quite a lot of money in cyber fraud but wouldn't make it essential for all staff. That decision is now being taken out of our, and their, hands.

I'm not saying folks don't have a right to say "I don't want to use my personal mobile", but my harsh thought would then be that "you're wanting to cost me an extra £x per year so **** it, it's cheaper for me just to revoke your access to email."

Also for the non-NHS commenters: not all 'NHS' organisations use NHSMail - it's not mandatory but it has certain advantages (and disadvantages). It was, for a long time, the only accredited Secure email system for the transfer of patient data: where government had GSI, GCSX, we had NHS.net. It's still the most used Secure email system because the alternative is costly accreditation of a Trust's own hosted email server and domain.

* Don't get me started on NHS funding...


 
Posted : 17/01/2024 10:16 pm
Posts: 44858
Full Member
 

Jamze

Egress wanted all sorts of personal info from me. The sort of stuff I am not going to give a commercial outfit.

Maybe different as I am outside the NHS now?

Address. Personal email, NI number, phone number. 3 pages of personal data and no way of revoking permission to use it


 
Posted : 17/01/2024 10:25 pm
Posts: 2007
Full Member
 

My employer enforced MFA access on me so I just installed the Auth app on my work laptop 😄

I have no idea whether that defeats the objective but it's worked for me for the last two+ years.


 
Posted : 18/01/2024 12:29 am
Posts: 7669
Full Member
 

I’ve had the same mobile number for 20 years- each time I move employer I port the number to them and they pay my bills. When I leave I take the number back. Saves the two phone situation.


 
Posted : 18/01/2024 12:39 am
 poly
Posts: 9172
Free Member
 

@toby - inevitably security keys/dongles/devices will be left lying on desks, in the drawer under computers, taped to the monitor etc and probably shared between the users who share one password and account too!  Not uncommon to see computers with a post-it note with the password on it and in NHS security of drug cabinets is often not as good as the written procedure says either.  One advantage of a phone is people appreciate it has value so don’t leave it lying around, and if it’s their own phone are probably likely to be precious about lending it out too.

@ultrasound - the Authenticator apps on phones operate fine with no signal.  Presumably not all 15000 people work inside a faraday cage though so even if a small number of users have a genuine concern about phones (eg those in a microbiology lab) the number who need a paid product is far fewer.

@vlad - I don’t think that defeats the purpose, unless you lend the laptop to people or it gets stolen.


 
Posted : 18/01/2024 1:21 am
Posts: 3073
Free Member
 

Hang on, I am (probably correctly) assuming that this does not apply when logging in from a trusted site, e.g. the hospital where you work.

So you are either logging in from a trust laptop remotely or accessing NHS mail from a personal device. In which case MFA is perfectly reasonable and sensible.

So option three would appear to be, go into work


 
Posted : 18/01/2024 2:49 am
Posts: 44858
Full Member
 

inevitably security keys/dongles/devices will be left lying on desks, in the drawer under computers, taped to the monitor etc and probably shared between the users who share one password and account too! Not uncommon to see computers with a post-it note with the password on it

Very true this - and it's NHS IT security policies that lead to this

I had 3 passwords for different NHS IT stuff.  None of them allowed a phrase that was easy to remember, each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn't just change a number because if it was too close to the last one it would be refused.  This makes it almost impossible to remember your passwords so all were written down


 
Posted : 18/01/2024 6:57 am
Posts: 35244
Full Member
 

I work out of a secure room with no smart phones allowed but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA

No need, contact IT support, tell them the issue, and either get them to remove the need for MFA on that station (because you can't), or organise it so that you can use your smart card (if you have one) or get them to install Outlook on it and get NHS mail that way. Problem solved (or made someone else's)


 
Posted : 18/01/2024 7:36 am
Posts: 16189
Free Member
Topic starter
 

or get them to install Outlook on it and get NHS mail that way.

That’s how I access nhs mail, but was still told that eventually will not work and MS Teams

Anyhow - don’t download the app and then delete it once you have setup MFA.

When I tried to reinstall the app to my phone it won’t let me login and says look at the app for a code only I can’t because I’m trying  to setup the app 😂

Apparently you can verify the app using a QR code from NHS mail, except the only way to access that QR code is via NHS Mail for the web, which requires the app to access 🤔

Think my next approach will be to receive a text message rather than use the app if the IT dept can’t sort out my access again

This makes it almost impossible to remember your passwords so all were written down

Yep it’s ridiculous, I use notes in Outlook to record multiple passwords for multiple systems. The passwords have to be that obscure you have no chance of remembering them


 
Posted : 18/01/2024 7:50 am
Posts: 8784
Full Member
 

There's not really an excuse not to use a password manager/vault these days (vs writing passwords on paper or in Notes etc.), apart from a few niche cases (where you can't take electronic devices into an area you need to use passwords in, such as a secure data centre).

Call me naïve but when my employer offered me a company mobile 20+ years ago I happily said yes and cancelled my personal phone contract - haven't had my own phone since (apart from a brief stint with an emergency phone for MTBing as didn't want to risk trashing the company phone). I'm allowed to use it for personal text/calls/data but in reality it's connected to WiFi 95% of the time so WiFi calling etc. means it's not adding to any phone bill. If I was going abroad I'd just get a SIM/eSIM for that country and switch to it when out there. The only slight issue I've created for myself is when the company transitioned to iPhones it was my first Apple device so I used my work email to create the account, then when I later bought a personal iPad I just used the same account so now all my personal apps are under my company ID which will be a pain to sort if I quit/retire...

I get some people being concerned about snooping etc. if you're mixing work stuff on personal devices but an authenticator app is pretty benign in that context. They're also useful for personal use (if you're doing MFA for personal stuff via SMS or email codes then that's not considered secure these days, you should switch them to using an authenticator app if it's supported).

As for those who've suggested requesting conditional access etc. be set up for my situation trying to use MFA in a secure environment, good shout, I'll ask if that's an option. Although it might be more complicated as I connect from the physical desktop to an RDS farm (that's also used by people VPNing in etc. when WFH) to access unclassified email/Teams, so unless my origin location can be preserved they'd probably need to set up a dedicated RDS server(s) to disable MFA requirements on and I can't see them going to that much hassle.


 
Posted : 18/01/2024 9:00 am
Posts: 8213
Full Member
 

The passwords have to be that obscure you have no chance of remembering them

They really don't. Long compound word passwords with some special characters/numbers are just as strong. Use a pattern like 'colour-place!animal(numerals)'. Much easier to remember as you don't remember words more easily.

Yep it’s ridiculous, I use notes in Outlook to record multiple passwords for multiple systems

That is extremely insecure. Sticky notes on your monitor would be better! Get a password manager, there are free ones that sync between devices.


 
Posted : 18/01/2024 9:06 am
Posts: 44858
Full Member
 

nixie - the point is that the rules used for passwords make it almost impossible to remember them especially when you have 3 different ones and all have to be changed regularly and at different intervals.  Over a year I would have had to remember at least 9 different ones


 
Posted : 18/01/2024 9:13 am
Posts: 1866
Free Member
 

then password manager on your phone, authenticator app might even offer that function too IIRC.........


 
Posted : 18/01/2024 9:24 am
Posts: 8213
Full Member
 

I understand what the point is TJ, the patterns help with the memory. Even using the same password for each system with the system name added to its end (for uniqueness) would make them memorable.

The frequent changes, I think, have been proven to decrease security as they are just annoying. Pretty sure it's not best practice anymore.


 
Posted : 18/01/2024 9:24 am
Posts: 44858
Full Member
 

Even using the same password for each system with the system name added to its end (for uniqueness) would make them memorable.

Not acceptable under the rules.  Nor could you make minor changes to the passwords at each renewal

It was something like (and different for each system) 12 characters including one capital and 2 special. A password that would fit the rules for one would not fit the rules for another and at each password change you had to create a completely new one - not allowed to modify the one you had. This was relaxed after a while because IT were fed up of having to do resets every time someone logged on.

However the password rules made it very difficult to remember passwords


 
Posted : 18/01/2024 9:30 am
Posts: 16189
Free Member
Topic starter
 

Get a password manager, there are free ones that sync between devices.

Impossible on an NHS device (with avg IT skills), we are blocked from downloading anything, and even when you go to IT they say no


 
Posted : 18/01/2024 9:40 am
Posts: 11605
Free Member
 

Very true this – and it's NHS IT security policies that lead to this

I had 3 passwords for different NHS IT stuff. None of them allowed a phrase that was easy to remember, each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn’t just change a number because if it was too close to the last one it would be refused. This makes it almost impossible to remember your passwords so all were written down

Which is why the world has moved on to a single secure password and MFA.

That is extremely insecure. Sticky notes on your monitor would be better! Get a password manager, there are free ones that sync between devices.

If Outlook is locked behind the same MFA and password as your login, why?


 
Posted : 18/01/2024 10:28 am
 Pyro
Posts: 2404
Full Member
 

Impossible on an NHS device (with avg IT skills), we are blocked from downloading anything, and even when you go to IT they say no

For a while, NHSMail used to specifically prohibit it, was never sure why. But - whoever told you it would apply to Outlook has the wrong end of the stick. MFA only applies when you're accessing stuff on the Tenant (NHSMail/Teams/Office apps) from a web browser, or setting Outlook up on a new device for the first time. It won't apply each time you log into Outlook on the same PC/laptop.

For those whinging about password policies, NHSMail is one of the more sensible ones:  Minimum length of 10 characters, without requiring a mix of character types or cases. Not matching your previous four passwords. Not detected as a common password (password123, winter2021 etc), and only has to be changed annually.

They've also published the 'Security Groups' guidance that will allow Trusts to set specified secure locations/conditional access by IP boundary where MFA isn't required. MFA will still have to be set up on the account, but inside that boundary it won't be actively used.


 
Posted : 18/01/2024 10:38 am
 toby
Posts: 548
Free Member
 

We have the option of FIDO tokens. But we (the NHS Trusts) would have to buy them/pay the subscription cost for them, which is not financially viable when there’s a way which doesn’t cost anyone anything

Fair enough, but I wasn't talking about having a whole extra system, just the tokens that go on a keyring and give you a number when you press a button. As I understand them, they're doing the same function as phone-based authenticator apps, maths based on the current time + a secret number, you just need to initialise them slightly differently for users with one. They seem to cost about a tenner rather than the £400 that someone seems to be threatening to spend to give the OP a smartphone that will do nothing other than run Google Authenticator. Surely it should be expected that 1-5% of a given population will use a (non-smart) phone / have a windows Phone / get shirty about being asked to install something like this?

I had 3 passwords for different NHS IT stuff. None of them allowed a phrase that was easy to remember, each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn’t just change a number because if it was too close to the last one it would be refused.

Yeah, that is particularly bad, much of that is now regarded as bad practice by many people. Thankfully, I slowly see better ways of evaluating password "strength" gaining traction in the IT world. However a lot of places seem wedded to prescriptive rules that in theory make passwords easier to crack (If I need to work my way through all 20-character strings, it's a lot quicker if I can eliminate a high percentage that don't match the given rules. Also "Generate random password" functions in password managers don't generally offer passwords to match the rules given. Balanced with that, though, is stopping people using "Password1").

My questions do remain though that if you were given, say, a key for a filing cabinet full of patient records, would you a. regard it as such an imposition to be expected to keep it with you and take it home? And b. Also regard it as acceptable to just leave it on your desk when you went home?


 
Posted : 18/01/2024 10:52 am
 poly
Posts: 9172
Free Member
 

Very true this – and it's NHS IT security policies that lead to this

The NHS doesn't pay IT teams well enough to get people who genuinely are passionate about frictionless security, and have both the technical skills to do it and the people skills to achieve it in an organisation of that scale!  Every time we hear complaints about too many managers costing too much money etc - what we are doing is saying, make the clinical teams' jobs harder by having fewer or poorer non clinicians who fall into tick box culture.

I had 3 passwords for different NHS IT stuff.  None of them allowed a phrase that was easy to remember, e.g.

I bet they did with a little imagination!

10GBHoaW&i1SAF!

Would be accepted on almost any password rules but is easy to remember - because it's a line from a song/nursery rhyme:

TEN Green Bottles Hanging on a Wall AND if ONE Should Accidentally Fall !

each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn’t just change a number because if it was too close to the last one it would be refused.

This last point is interesting, because it implied that they know your password not just the hash of your password which is basically security rule 1.  I'm not saying it doesn't happen.   I have to deal with a system that won't let me recycle passwords (i.e. they keep the old hashes and compare them) but not similarity.  Of course simply going Pa$$w0rd1, Pa$$w0rd2, Pa$$w0rd3... etc is shit security.  Personally I'd have seen it as a challenge to work out how to bypass such an automated tool.  e.g. Pa$$w0rd_ONE, Pa$$w0rd_TWO,... or Pa$$w0rd_OCT, Pa$$w0rd_NOV, etc

This makes it almost impossible to remember your passwords so all were written down

Of course you don't want to use the same password everywhere - but you can extend: 10GBHoaW&i1SAF! to become:

EM+10GBHoaW&i1SAF!

DB+10GBHoaW&i1SAF!

SY+10GBHoaW&i1SAF!

For email, database and system respectively.  That's not ideal, because if you crack one you can start to guess others - but let's be clear, 99% of hacking is not based on intelligence like that.    I use an approach like that (but marginally more complex) for most websites etc - and essentially "know" hundreds of passwords.  Only very rarely will I encounter a system that has a stupid rule like "&" is not permitted in passwords or max 8 characters.  I have 2FA turned on anywhere that lets me too.


 
Posted : 18/01/2024 11:02 am
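An added example (my own constructed code, not from this thread or any NHS system) illustrating the distinction poly raises above: a salted-hash password history can only detect exact reuse, while a similarity check needs plaintext, which at change time is available only for the current password the user has just typed. It also goes slightly beyond the post by adding a common-prefix rule that catches the `Pa$$w0rd_ONE` / `Pa$$w0rd_TWO` style of bypass that a plain edit-distance threshold misses; the thresholds and PBKDF2 round count are assumptions.

```python
"""Password-history checks: what a hash-only history can and cannot detect.

Constructed example. Each previous password is stored as (salt, PBKDF2 digest),
so the history can answer "is this exactly a password you used before?" and
nothing else. Similarity needs plaintext on both sides, so it can only be
checked against the current password, which the user types when changing it.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed value; tune to the server's hardware
HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Return (salt, digest) suitable for appending to the history list."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def exact_reuse(candidate: str, history: List[HistoryEntry]) -> bool:
    """True only when candidate hashes to a stored digest (constant-time compare)."""
    for salt, digest in history:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading substring of a and b."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def too_similar(candidate: str, current_plaintext: str,
                min_distance: int = 3, max_prefix_fraction: float = 0.66) -> bool:
    """Similarity check against the password being replaced (needs its plaintext).

    Flags small edits (distance below min_distance) and also candidates that keep
    most of the old password as a prefix and only change a suffix.
    """
    if edit_distance(candidate, current_plaintext) < min_distance:
        return True
    prefix = common_prefix_len(candidate, current_plaintext)
    return prefix / max(len(current_plaintext), 1) >= max_prefix_fraction


def evaluate_change(candidate: str, current_plaintext: str,
                    history: List[HistoryEntry]) -> Optional[str]:
    """Return a rejection reason, or None when the new password is accepted."""
    if exact_reuse(candidate, history):
        return "reused"
    if too_similar(candidate, current_plaintext):
        return "too similar to current password"
    return None


if __name__ == "__main__":
    # Constructed demo: the account currently uses Pa$$w0rd1 and has used Pa$$w0rd0 before.
    current = "Pa$$w0rd1"
    history = [hash_password("Pa$$w0rd0"), hash_password(current)]
    for cand in ("Pa$$w0rd0", "Pa$$w0rd2", "Pa$$w0rd_TWO", "green-bottles-10-wall!"):
        print(f"{cand:24s} -> {evaluate_change(cand, current, history)}")
```

The hash-only history lets `Pa$$w0rd2` straight through; only the plaintext comparison against the current password catches it, and that comparison cannot be made against older entries unless their plaintext was kept, which is the point poly is making.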
 Pyro
Posts: 2404
Full Member
 

Fair enough, but I wasn’t talking about having a whole extra system, just the tokens that go on a keyring and give you a number when you press a button. As I understand them, they’re doing the same function as phone-based authenticator apps, maths based on the current time + a secret number, you just need to initialise them slightly differently for users with one.

Those are RSA tokens (or similar) - can't be used on the modern systems, they're quite an old tech. The mobile Authenticator apps aren't necessarily just a code generator like that any more, they're a live system - hence we get into the debate of what needs signal to work etc. The only viable alternative NHSMail accept is FIDO2 (plug-in USB type tokens), but there's issues with those - mainly another security policy of USB ports being locked down etc.


 
Posted : 18/01/2024 11:09 am
 toby
Posts: 548
Free Member
 

Those are RSA tokens (or similar) – can’t be used on the modern systems, they’re quite an old tech. The mobile Authenticator apps aren’t necessarily just a code generator like that any more, they’re a live system

Ah, fair enough. I'll admit my looking into it has been a bit superficial, but some pages selling physical tokens were at least heavily implying they did the same as the likes of Google Authenticator app. And yes, I get there are other processes to do MFA on a mobile, but as you say, they then have their own set of problems.

I remember the fun of trying to log into PayPal while staying with a friend in an area with poor signal. The SMS was only valid for something like a minute so I had to click the request, sprint to the top of his drive until my phone bleeped and then sprint back to the kitchen table where the computer was, generally to be told it had expired. Thankfully the implementations seem to be more sane these days.


 
Posted : 18/01/2024 11:31 am
Posts: 44858
Full Member
 

My questions do remain though that if you were given, say, a key for a filing cabinet full of patient records, would you a. regard it as such an imposition to be expected to keep it with you and take it home? And b. Also regard it as acceptable to just leave it on your desk when you went home?

We would never be allowed to take it home.  Gross security breach


 
Posted : 18/01/2024 11:42 am
 toby
Posts: 548
Free Member
 

some pages selling physical tokens were at least heavily implying they did the same as the likes of Google Authenticator app.

OK, I had another look, and this definitely says it does RFC 6238 TOTP codes, which I'm pretty sure is what the likes of GA does.

https://www.microcosm.co.uk/order/product.php?ProductID=387

So, if you're using a GA-like code generation app for MFA, you should just be able to give any employee who can't / won't use GA on their own device one of these at a lot less than a work-smartphone dedicated to the job. Yes, you need a means to get a common key between their login record and the device you give them, but it's still a lot less than giving them a smartphone, surely?

I realise that the if in that above is doing some heavy lifting, but it must be one of the most commonly used MFA methods, and surely it should be a consideration when choosing an MFA method.


 
Posted : 18/01/2024 11:44 am
 Pyro
Posts: 2404
Full Member
 

OK, I had another look, and this definitely says it does RFC 6238 TOTP codes, which I’m pretty sure is what the likes of GA does.

Regardless of what they do, they're not an approved method on the NHSMail tenant

(If you're reading up on what's approved and what isn't, the whole policy is publicly available (I think) at

)


 
Posted : 18/01/2024 11:55 am
Posts: 44858
Full Member
 

Only very rarely will I encounter a system that has a stupid rule like “&” is not permitted in passwords or max 8 characters.

All 3 of mine had rules like that but all different. 


 
Posted : 18/01/2024 11:55 am
Posts: 8213
Full Member
 

If Outlook is locked behind the same MFA and password as your login, why?

Because passwords should not be stored anywhere in plain text. You have no idea how that data is stored behind the scenes. I'm not 100% sure for O365, however past versions had a local copy of the mailbox including notes that is insecure. Passwords should be hashed (one way operation) or encrypted using a suitably strong encryption method.


 
Posted : 18/01/2024 12:06 pm
Posts: 8213
Full Member
 

Only very rarely will I encounter a system that has a stupid rule like “&” is not permitted in passwords or max 8 characters.

Or no ; " ' etc which IIRC harks back to SQL injection attacks! Absolutely no reason not to allow any of these values in passwords as the actual character never* makes it to any form of persisted storage.

* shouldn't


 
Posted : 18/01/2024 12:16 pm
 toby
Posts: 548
Free Member
 

Regardless of what they do, they’re not an approved method on the NHSMail tenant

(If you’re reading up on what’s approved and what isn’t, the whole policy is publicly available (I think) at

Fair enough. The fact that document says that the MS Authenticator doesn't need an internet connection suggests to me it's very similar in nature if not the same as the Google authenticator (which I can find confirmation of the actual process it uses). My point still stands, whether the restriction is technical or policy based, that a minority of employees can't / won't install something on their own phone, which should have been foreseen. In an organisation the size of the NHS it strikes me as poor policy if the fallback position is to buy a £400 smartphone when a £10-£15 keyring would do the same job.


 
Posted : 18/01/2024 12:51 pm
 Pyro
Posts: 2404
Full Member
 

 In an organisation the size of the NHS ...

This is probably part of the issue! "The NHS" is not one single cohesive organisation, no matter what people think: It's lots of small ones that fight with each other all the time. There are very few 'whole NHS' policies - this MFA policy is being chucked in place by NHSMail themselves, but it's up to each individual organisation as to how they sort themselves out. My particular office (450 staff), no-one has ever objected to having the Authenticator app on their mobile, but our view is that it's up to them and their Line Manager to decide whether they request a works mobile, and up to their individual team to fund that mobile if necessary. We have a budget cap of £150 per mobile, probably half the staff have works mobiles, but had them before MFA was enforced: No-one has ever had one issued solely for MFA. But I also support 4,000 staff over 90 GP Practices, we don't supply their mobiles at all, it's up to each Practice as an individual business as to how they do this for their staff. We're advising that if they want FIDO tokens, they will have to fund them for themselves (though probably bought through my team for the technical management and support).

And agree that your point stands, but it's also moot: If an RSA token won't work technically on a platform with 1.7 million users, then there's no point saying "but it does the same job..." People's objections probably were foreseen, but on a platform of ~1.7 million users, that doesn't mean a security policy should be changed to account for a minority who also probably won't be happy whatever you do.

Policy as per that doc is that one mobile method has to be in place, then you can add Smartcard or FIDO token, it's up to the user and their individual organisation/line manager as to how they have that mobile method.


 
Posted : 18/01/2024 1:10 pm
Posts: 44858
Full Member
 

I think one of the issues with NHS IT is the gulf between the users and the IT professionals.  What seems straightforward logical and normal to the IT folk is confusing to many of the users.  There literally were some staff on my team who had never used a computer or smartphone


 
Posted : 18/01/2024 1:15 pm
Posts: 35244
Full Member
 

@tjagain is spot on. What might be logical and easy for someone with IT experience is much less so for, say, a Practice Nurse who's nearing retirement and has only just got to grips with following templates to input patient data (one of my staff). Start those guys off with needing MFA and you're onto a loser. But again, this isn't an individual's issue to solve, and again @tjagain is right here, just because an organisation has deemed MFA as the way forward does not automatically mean that individual workers can comply with it. If they can't, for whatever reason, then the organisation needs to come up with an alternative that the employee can use to do their job, not the other way around.


 
Posted : 18/01/2024 1:29 pm
 Pyro
Posts: 2404
Full Member
 

I think one of the issues with NHS IT is the gulf between the users and the IT professionals.  What seems straightforward logical and normal to the IT folk is confusing to many of the users.  There literally were some staff on my team who had never used a computer or smartphone

(Slightly playing Devil's Advocate and possibly being a little antagonistic with you here, TJ, but meant a little tongue-in-cheek...)

You know that comment you (I think) made about "being given the tools you need to perform the job" ?  These systems are tools you need to perform the job these days. It's not that they're all straightforward and logical to 'us IT folks' - the various Clinical Record Systems confuse the hell out of me - but these aren't things that you can avoid any more. It's part of each individual's job to be able to use the necessary systems and tools for that job, whether that tool is a hospital bed with 100 different position buttons, or a PAS/Prescribing/Clinical system unit on a PC.

I have regular arguments with the older nurses in our Continuing Healthcare team, and while I sympathise that they didn't grow up using computers like I did, and it's not the whole of their job, there's no excuse for not keeping up with the use of an essential tool for your job. I can provide as many training materials as you like, but if the end user shrugs their shoulders and goes "I don't really do computers..." with a smug grin on their face, there's nothing I can do to help them


 
Posted : 18/01/2024 1:34 pm
Posts: 11605
Free Member
 

Because passwords should not be stored anywhere in plain text. You have no idea how that data is stored behind the scenes. I’m not 100% sure for O365, however past versions had a local copy of the mailbox including notes that is insecure. Passwords should be hashed (one way operation) or encrypted using a suitably strong encryption method.

I get that but without a decent manager it's the only real solution I have. Why Windows doesn't have Authenticator built in (or at least the password manager function) I have no idea, Apple have had it for years.

The only viable alternative NHSMail accept is FIDO2 (plug-in USB type tokens), but there’s issues with those – mainly another security policy of USB ports being locked down etc.

What about whitelisting certain device types?


Posted : 18/01/2024 1:53 pm
Posts: 1866
Free Member

Windows does send authentication requests, and Edge does have a password manager built in.


 
Posted : 18/01/2024 1:57 pm
Posts: 3501
Free Member

At the risk of antagonising loads of people, but really not intended to: @pyro is correct. Simply saying “I’m not IT literate” is not an excuse for not being able to use a computer these days, as they are an essential part of modern workplaces.


 
Posted : 18/01/2024 2:04 pm
Posts: 44858
Full Member

Pyro

It wasn't me that made that comment, I don't think.

The issue is not so much the "refuseniks" like you describe - it's the gulf in comprehension. IT folk simply cannot understand that what seems logical, normal and straightforward to them is not to users. The users cannot understand why it has to be done in this awkward manner. The two sides lack enough common ground to even understand each other.

the various Clinical Record Systems confuse the hell out of me

Yup - works both ways. Some of the stuff I used this was so obvious that the Medical staff advising the IT staff had not managed to make it clear what the need was. Like they were talking two different languages.


 
Posted : 18/01/2024 2:09 pm
Posts: 11605
Free Member

@alan1977

Windows does send authentication requests, and Edge does have a password manager built in.

I never said either of those things weren't the case but they're also nothing to do with what I said.

Besides which, browser password managers aren't much more secure than Outlook notes if the machine itself is compromised.


 
Posted : 18/01/2024 2:15 pm
 Aidy
Posts: 2980
Free Member

Even a lot of IT folk struggle.

It's mostly accepted now, but we had the MFA arguments and refusals several years ago. Me too, but in my defence, SMS was the only option then, and that involved a 500m walk for me.

Even now, we're having to argue why people should be using hardware keys for their MFA, and struggling to get buy in and adoption.

So yeah, I have some sympathy for non IT professionals.


 
Posted : 18/01/2024 2:20 pm
Posts: 1866
Free Member

The machine potentially needs MFA to access, and the contents of the file are on a BitLocker-encrypted drive.

The Edge account can't be accessed elsewhere without MFA either, potentially.

I guess you could argue the same with having it in Outlook somewhere.

We do distribute a password manager here, as it satisfies our compliance rather than the Edge-stored stuff.

And what TJ said.

As an IT admin it is frustrating. I see it as helping the staff and business, and it's no big ask, yet sometimes the attitude is "well, I need a work device then..." And in my work, people who receive a work phone can use it as a perk (I haven't had a personal phone in forever), and that may also be seen as a benefit when it's salary review time.


 
Posted : 18/01/2024 2:25 pm
 Pyro
Posts: 2404
Full Member

IT folk simply cannot understand that what seems logical normal and straightforward to them is not to users. The users cannot understand why it has to be done in this awkward manner. The two sides lack enough common ground to even understand each other

I sort-of agree with you, TJ. A good percentage of my job is trying to translate the technical side into plain English for our non-IT Senior Management Team, and I understand why others don't have the same IT skillset I do, same as I don't have the nursing skillset that the people I argue with do. I sometimes wonder if it's because non-IT users think we're doing this stuff just to antagonise them*.

And not everything we do in IT is logical and straightforward. Some things are as convoluted as hell, but it's even harder to explain to a non-IT user that sometimes the reason we do it this way is because that's the way we have to do it. There's no point me getting into the technical logic because they wouldn't understand and don't really need to, but it's the same as a parent saying "because I said so" to a teenager - some might be accepting, some will be belligerent. Applying your "the users cannot understand why it has to be done in this awkward manner" to this particular MFA issue, the problem is that 'it has to be done this way because NHSMail have said it has to'. There's little point a user arguing with me that they don't like it/can't understand it/don't want to do it; I'm just applying a policy that's been passed down from above.

*We're not, just for the avoidance of doubt.


Posted : 18/01/2024 2:26 pm