IDG News

Multi Factor Authentication - Update

To ensure our systems are compliant with the security standards recommended by the NCSC (National Cyber Security Centre), we are implementing Multi-Factor Authentication when logging into our systems. 

This will mean when you log in, the email address associated with your account will be sent a  One Time Passcode (OTP). This will be sent via email from identity@nihr.ac.uk

The Passcode will be valid for 15 minutes

You will then need this Passcode to log in. 

Once you have logged into the system with your OTP you will not need to do so again for or any other system connected to the NIHR's Identity Gateway for another 30 days, providing that: 

• Your account is accessed from the same browser and device

• You have not cleared your browser cookies/cache

• You are not logging through a private/incognito window

• You are not logged in via a new browser profile

• You are not logged in with a different account

• You are not logged in via a different browser

How to prepare for this update.

Ensure that you have access to the email inbox associated with the account and can easily retrieve the passcode once sent. The passcode will only be valid for 15 minutes. 

If you do not receive the code within 15 minutes of signing in, please contact your local IT team and ask them to add identity@nihr.ac.uk to the allowed list on the local IT mail gateway.

Password Changes

On Tuesday 20 September 2022 we implemented stronger password rules to access CRNCC systems that use the IDG login. This  included a mandatory password change required to improve security. This mandatory change only applies to people who access IDG through a non-NIHR account. NIHR accounts have already had this change applied. 

The forced change applied to all users logging in after 20 September 2022 and therefore access to all ongoing or new studies and services will be impacted.

What is changing?

Stronger password rules are being implemented to all systems accessed via the NIHR Identity Gateway (IDG).  

These systems include: NIHR CPMS, CRN Finance Tool, Open Data Platform (ODP), and NIHR Learn; and some HRA systems including the new are of IRAS, E-Submission of Amendments, Online REC Booking. 

From 20 September, you will be required to update your login password to a minimum length of 12 characters. 

What do I need to do?

Now the password rule is applied,  you will need to manage the change  via the email inbox linked to the account you are using. 

Whilst, this will be a one -off change, we will soon be implementing further authentication updates, which will require ongoing access to the email inbox associated with your IDG login. 

Therefore, if you are using a generic/shared account to login and manage your studies, you must ensure that all team members have access to the email inbox associated with the IDG account.

 Please note that whilst we acknowledge the business continuity benefit of using shared/generic accounts, this practice reduces the protection of the account. It is recommended that you arrange for all users to have separate accounts and for study access to be granted to all relevant staff. Details of how to create a new IDG account can be found on the IDG Portal. Guidance on adding users to CPMS studies and IRAS projects can be found in the relevant system guidance. 

Why are we doing this  ?

While being able to access our IT systems online makes them easier for you to use, it also increases the risk of cyber-attack or hacking. As part of on-going improvements to keep NIHR/HRA data safe, we are increasing the level of protection around accounts that use our IT systems. We are doing this in line with the guidance provided by the National Cyber Security Centre through their Cyber Essentials standard, and in line with the requirement of DHSC that we follow this guidance.

Advice on Passwords

 The National Cyber Security Centre advise the use of Three Random Words to make your password easier to remember and hard for a hacker to crack. The new rule will be that your password must have a minimum length of 12 characters. Length is a better way of protecting passwords than complex rules, and the requirement for lots of different character types will disappear. However you can still use them if you want. For more detail on choosing (and remembering) a good password see the NCSC password setting guidance 

Need to know more ? 

If you need to know more about this change, then you can contact the CRN Service Desk at crn.servicedesk@nihr.ac.uk or on  0207 333 5894