
Secure Login Alternatives to Smartcards: Exploring NHS CIS2 Authenticators (Windows Hello, Security Keys, iPads)

Written by Technical Team. Last updated 15.08.2025. 9 minute read.


The NHS has spent two decades building secure, auditable access into national clinical systems using smartcards. That model, while robust, was designed for a world of fixed desktops, on‑premise networks and single‑user workstations. Care delivery has changed. Clinicians move constantly between wards, clinics, homes and community settings; they share devices; they need to start a task on one screen and complete it on another. Meanwhile, security expectations have shifted to internet‑based standards, phishing‑resistant authentication and rapid account lifecycle controls. That is the context for Care Identity Service 2 (CIS2): a standards‑based way to prove a health professional’s identity online and authorise access to national services.

At the heart of CIS2 is choice. Instead of forcing every scenario through a physical smartcard and reader, CIS2 enables multiple authenticator types that can be matched to the job at hand. For many organisations, that means keeping smartcards where they’re still the right answer (for example, in a clinical system that hasn’t yet migrated), while deploying alternative authenticators alongside them to improve speed, resilience and user experience.

CIS2 also repositions identity as an internet‑first service. That unlocks secure login from managed devices outside an HSCN‑only network and supports more flexible architectures, including browser‑based access and cloud‑first clinical applications. The practical upshot for digital teams is a smoother path to modern security controls—such as conditional access—and for clinicians, a sign‑in experience that feels familiar from other parts of their digital life.

Finally, CIS2 gives Registration Authorities (RAs) clearer administrative levers to issue, link, revoke and audit authenticators for staff. That improves governance and reduces the operational drag of lost cards and readers. It also creates a safer runway for the transition away from the legacy Identity Agent model as services move to the CIS2 era.

Windows Hello for Business: Device‑Bound Biometrics That Fit Clinical Desktops

Windows Hello for Business (WHfB) turns a managed Windows 10/11 device into a secure authenticator tied to the person who uses it. Instead of inserting a card and typing a long password, the user unlocks the device with a PIN, facial recognition or a fingerprint. Under the hood, a cryptographic key is stored in hardware and is released only when the person proves they are present. When paired with CIS2, this provides a fast, low‑friction way to authenticate into national services from Windows endpoints that you already manage.

If your clinical workflow is anchored on PCs—think fixed clinic rooms, hot desks in ED, large shared workstations on wards—Windows Hello hits a sweet spot. It removes the brittleness of external readers, reduces the ‘logon dance’ that gums up clinics, and makes it realistic to adopt short lock timeouts without enraging users. Because the authenticator is bound to the device, it’s especially appropriate for endpoints that are already asset‑tracked, encrypted and monitored. It also plays nicely with modern browsers, which is where most CIS2‑enabled services live today.

From an operations perspective, Windows Hello simplifies some of the lifecycle headaches associated with smartcards. There are no certificates to renew on readers, fewer peripherals to lose, and fewer incidents that require urgent RA intervention—though crucially, RAs retain control over enrolment and revocation, ensuring Windows Hello remains tied to a current, vetted Care Identity. Digital teams should plan the rollout as a device project as much as an identity change: the quality of your cameras, fingerprint readers and TPM configuration will dictate how enjoyable the experience feels on a busy clinic day.

Where Windows Hello works well:

  • Environments with managed Windows 10/11 devices that are already compliant, encrypted and monitored.
  • Clinical areas where peripheral reliability is a persistent problem and removing card readers will cut incidents.
  • Hot‑desk and shared‑PC scenarios where fast re‑authentication matters more than portability between different device types.

FIDO2 Security Keys: Portable, Standards‑Based Authenticators for Shared Workflows

Security keys bring a different strength to the CIS2 table: portability across devices and platforms, combined with strong, phishing‑resistant cryptography. A single, RA‑issued key can work on a Windows desktop, a laptop on a trolley or even a thin‑client session, provided the local environment supports modern browsers and USB‑A/USB‑C or NFC. That makes keys particularly attractive in theatres, pop‑up clinics, vaccination centres and anywhere staff rotate between endpoints but still need a quick, consistent login.

The key operational decision with security keys is custody. In some organisations, keys are issued one‑per‑person and travel on the lanyard. In others, keys are pooled at a clinical station and checked in and out like other clinical equipment. Either model can work, but the governance must be nailed down: inventory control, local SOPs for lost keys, a rapid way to revoke and re‑issue, and clear training on avoiding shoulder‑surfing of short PINs. When done well, security keys drastically reduce login friction and support resilient business continuity planning—no reliance on card printers or reader stock during an incident.

iPads as Authenticators: Mobility‑First Access Without the Card Reader

iPads fill a gap that smartcards and Windows‑only authenticators cannot: truly mobile, touch‑first working for community teams, ambulance crews and roving ward staff. With CIS2, an iPad can act as the authenticator using the device’s built‑in biometrics. The user unlocks with Face ID or Touch ID and approves access to a CIS2‑enabled clinical application, without juggling a card, reader or tethered laptop. If your organisation has embraced iPads for eObservations, ePMA or digital forms, adding iPad authentication to the mix removes a persistent speed bump from daily rounds.

The human factors pay‑off here is significant. Clinicians already treat iPads as personal work tools; tapping to approve access with a glance or thumb is an intuitive step. Because the authenticator is the device, your MDM policies become the control surface: jailbreak detection, minimum OS version, automatic wipe on repeated failed unlocks, and per‑app VPN if you use it. The key is to unify device governance with identity governance so that when a clinician leaves, both the Care Identity and the iPad enrolment are retired in one motion.

In practice, iPads as authenticators work best when paired with a clear device strategy. Decide whether iPads are one‑to‑one (issued to a named clinician) or shared carts and, if shared, how you will deliver fast user switching. Invest in accessories—carts, cases, charging banks—that keep devices powered and present. And make sure there’s a well‑rehearsed fallback when a device is lost, damaged or out of battery, so clinics aren’t blocked.

Choosing and Deploying the Right Mix: Governance, Onboarding and Change Management

The question most boards and CCIOs ask isn’t “Which authenticator is best?”, but “Which authenticator is best for each setting, and how do we run them all safely?” The right answer is almost always a blend. Windows Hello belongs wherever Windows is the primary screen. Security keys are the universal adapter that follows the person across devices. iPads are the mobility layer. Smartcards remain, for now, the compatibility bridge for systems still in transition. What matters is that all of them are issued, tracked and revoked through a single governance lens.

Start with RA readiness. Expand your RA’s remit from smartcards to ‘all authenticators’ by establishing issuance criteria, proofing steps, training artefacts and revocation SLAs for each authenticator type. Update your access policies so that authenticators can be mixed and matched per person based on role and risk—consultant surgeons might carry a key and use Windows Hello in theatre, while community nurses rely on iPads.

Then, design for usability at the point of care. Pilot in a high‑impact pathway with motivated clinical sponsors. Observe the choreography of real clinic sessions: where hands are full, where gloves are on, where staff cluster around screens. Optimise re‑authentication intervals, idle lockouts and browser session policies for the clinical rhythm. If your Windows endpoints are underpowered, budget time to refresh them; no authenticator can compensate for a sluggish device.

Finally, treat the migration as a security uplift. Move away from passwords wherever possible, prefer phishing‑resistant options, and standardise lost/stolen playbooks so service desks can act in minutes. As more national services accept alternative authenticators, build a simple “What do I use where?” matrix for staff and keep it updated in one place. Sustained adoption depends on removing ambiguity.

A pragmatic deployment checklist:

  • Confirm which national services your clinicians use today and which authenticators each service accepts; publish a single, versioned matrix for staff.
  • Expand RA policies and tooling to manage Windows Hello, security keys and iPad enrolments alongside smartcards, with clear SOPs for issue and revoke.
  • Run a time‑and‑motion pilot in one pathway to tune lockouts, session lifetimes and device settings; capture baseline metrics and publish the gains.
  • Plan fallbacks (spares pool of keys, temporary smartcards, staffed RA hours) so clinics never stall when a device is lost or breaks.
  • Integrate device management with identity lifecycle so leavers and movers automatically lose authenticator access across all device types.

Real‑World CIS2 Patterns and Pitfalls

The most successful deployments share a few traits. First, they are boringly consistent: the same login pages, the same prompts, the same sequence regardless of where a clinician happens to be. That predictability is energy‑saving in a clinical day. Second, they build redundancy into the person’s authenticator ‘wallet’. Clinicians are not left with a single point of failure; a surgeon can use Windows Hello at a theatre PC, tap a security key in a side room and approve on an iPad on a ward round. Third, they spend time on the edge cases—locums, bank staff, students—so that temporary staff can be onboarded and de‑provisioned without shortcuts or paper forms.

The pitfalls are familiar. Over‑optimistic battery assumptions can sink iPad‑heavy pathways if you haven’t invested in charging and spares. Security keys without clear custody rules end up in drawers, unlabelled and unclaimed. Windows Hello that’s rolled out without checking camera/reader quality breeds resentment and reverts staff to typing passwords. All of these are solvable with a little upfront design and proper clinical engagement.

Looking ahead, the NHS is steadily converging on standards‑based authentication across its national systems. As more services accept the full set of CIS2 authenticators, the case for keeping physical smartcards as the default will weaken. The prize is faster, safer, more humane access in the moments that matter—on the ward, in the clinic, at the bedside or in the back of an ambulance—without compromising auditability or security.
