Mobile app relaunch and mandatory two-step verification

Relaunch of MMH mobile app

The Manage My Health mobile app will shortly return to service following a comprehensive review of our security controls. Since the breach incident, we have completed containment and remediation work and commissioned multiple independent vulnerability assessments and penetration tests across all applications. Based on this independent testing, we are satisfied that the platform is secure and safe to return to use.  

The relaunch of the mobile app restores a key access point for patients and practices, enabling appointment bookings, prescription requests, results access and secure messaging in one place. We recognise the disruption caused by its temporary withdrawal and have taken this opportunity to strengthen the platform before bringing it back online. 

Introduction of mandatory two-step verification

At the same time, we are introducing mandatory two-step verification across both the mobile and web versions of Manage My Health. Previously, this was optional following consultation with sector partners, particularly to avoid creating barriers for elderly patients and those with limited digital access. In light of recent events and changing risk expectations, two-step verification will now apply to all users. 

When logging in, users will enter their password and then confirm their identity using a one-time verification code. By default, this code will be sent via email, with the option to use an authenticator app such as Google Authenticator or Microsoft Authenticator. Patients will be guided through the set-up process, supported by FAQs, instructional material and dedicated support to assist with enrolment. 

1. What is Two-Step Verification?
Two-Step Verification adds an extra layer of security to your account.

In addition to your username and password, you must enter a one-time verification code to confirm your identity when logging in.

This helps protect your personal and health information from unauthorised access.

2. Why is Two-Step Verification now mandatory?
Two-Step Verification is now required for all users to provide consistent protection for sensitive health information.

It helps:

  • Protect your personal and medical data
  • Prevent unauthorised access
  • Improve overall account security

3. Can I turn off Two-Step Verification?
No. Two-Step Verification is required for all users and cannot be disabled.

4. Can I log in without Two-Step Verification?
No. Two-Step Verification is mandatory for all users on both the web portal and mobile app and cannot be turned off.

  • Two-Step Verification on the web portal: email verification or an authenticator app
  • Two-Step Verification in the mobile app: email verification, with optional biometric login (Face ID or Touch ID) after your first successful verification

5. How does Two-Step Verification work on the web portal?

  1. Enter your username and password.
  2. A verification code is sent to your registered email address.
  3. You will see a “Verify Your Identity” screen.
  4. Enter the code from your email to complete login.

After your first successful login, you will be directed to your Two-Step Verification settings.

6. How does Two-Step Verification work on the mobile app?

  1. Enter your username and password.
  2. A verification code is sent to your registered email.
  3. You will see a “Check your email” screen.
  4. Enter the code to continue logging in.

After your first successful verification, you may enable biometric login (Face ID or fingerprint) for faster future sign-ins.

7. Do I need to complete Two-Step Verification every time I log in?

  • Web portal: Verification is required when you log in.
  • Mobile app: If biometrics are enabled, you may use biometric login, but periodic email verification will still be required.

8. Why is email verification the default method?
Email verification provides:

  • Immediate access without extra apps
  • A consistent security baseline
  • A reliable way to confirm your identity

9. How long is the verification code valid?
The one-time verification code expires after 30 minutes. If your code expires, return to the sign-in screen and request a new code. Always use the most recent email you receive.

10. Can I resend the verification code?
Yes. You can request a new verification code from the login screen, subject to resend limits and wait times.

11. What should I do if I don’t receive the verification email?

  • Check your spam or junk folder.
  • Ensure your email inbox is not full.
  • Wait a few minutes and try again.
  • Request a new code if available.

If you still don’t receive the email, contact support.

12. What happens if I enter the wrong verification code?

  • You will see an error message.
  • You can return to the verification screen and try again.
  • Multiple failed attempts may temporarily lock your account.

13. What happens if I get a verification code I didn’t request?
Do not share the code with anyone. This may indicate someone is attempting to access your account. Contact support if you are concerned.

14. How many incorrect verification or login attempts are allowed before my account is locked?
A maximum of 4 incorrect attempts is allowed.

On the 5th unsuccessful attempt, your account will be temporarily locked.

15. If my account is locked due to multiple incorrect attempts, how long will the lock last?
Your account will be automatically unlocked after 2 minutes.

16. How many OTP resend attempts are allowed on the mobile app?
You can resend the one-time verification code (OTP) up to 2 times.

On the 3rd resend attempt, your account will be locked for 3 minutes.
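As an added illustration (not Manage My Health's own code) of how the lock rules described in Q12 and Q14 to Q16 can be enforced on the server, the following keeps a per-account counter of wrong codes and resend requests and refuses to evaluate anything while the lock is active. Resetting the counters when a lock is applied, and keeping the resend lock separate from the wrong-code lock, are assumptions not stated in the FAQ.

```python
MAX_WRONG_ATTEMPTS = 4      # Q14: 4 wrong attempts allowed, the 5th locks
ATTEMPT_LOCK_SECONDS = 120  # Q15: automatic unlock after 2 minutes
MAX_OTP_RESENDS = 2         # Q16: 2 resends allowed, the 3rd locks
RESEND_LOCK_SECONDS = 180   # Q16: locked for 3 minutes


class AccountLockout:
    """Per-account wrong-code and resend counters with a timed lock.

    `now` is passed in (seconds) so the behaviour is deterministic and testable.
    Assumption: counters reset when a lock is applied, and a correct code resets both.
    """

    def __init__(self):
        self.wrong_attempts = 0
        self.resends = 0
        self.locked_until = 0

    def is_locked(self, now):
        return now < self.locked_until

    def submit_code(self, code_is_correct, now):
        """Returns 'locked', 'ok' or 'retry'. While locked the code is not evaluated at
        all, so the lock cannot be used as an oracle for guessing."""
        if self.is_locked(now):
            return "locked"
        if code_is_correct:
            self.wrong_attempts = 0
            self.resends = 0
            return "ok"
        self.wrong_attempts += 1
        if self.wrong_attempts > MAX_WRONG_ATTEMPTS:    # this is the 5th wrong attempt
            self.locked_until = now + ATTEMPT_LOCK_SECONDS
            self.wrong_attempts = 0
            return "locked"
        return "retry"

    def request_resend(self, now):
        """Returns 'locked' or 'sent'; the 3rd resend request locks for 3 minutes."""
        if self.is_locked(now):
            return "locked"
        self.resends += 1
        if self.resends > MAX_OTP_RESENDS:
            self.locked_until = now + RESEND_LOCK_SECONDS
            self.resends = 0
            return "locked"
        return "sent"
```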

17. Can I use an authenticator app instead of email?
Yes, on the web portal only.
After your first login, you can change your verification method in your Two-Step Verification settings.

Authenticator apps are not supported on the mobile app.

18. What is Authenticator App Verification?
Authenticator App Verification is a more secure way to protect your account using Multi-Factor Authentication (MFA).

After entering your username and password, you will be required to enter a 6-digit code generated by an authenticator app on your mobile device.

19. Why should I switch to an Authenticator App instead of SMS or Email verification?
An authenticator app:

  • Is more secure (codes are generated on your device)
  • Works offline (no SMS or email required)
  • Is faster and more reliable
  • Provides industry-standard protection used globally

20. Which authenticator apps are supported?
The system supports:

  • Google Authenticator
  • Microsoft Authenticator

You can download them from the App Store (iOS) or Google Play Store (Android).

21. How do I set up Authenticator App Verification?
Follow these steps:

  1. Go to Two-Step Verification
  2. Click Switch to Authenticator App
  3. Select your preferred authenticator app
  4. Scan the QR code displayed on screen using the app
  5. Enter the 6-digit code generated by the app
  6. Save your recovery codes securely
  7. Click Complete Setup

Once completed, Authenticator App Verification will be enabled.

22. What if I cannot scan the QR code?
If you cannot scan the QR code:

  1. Click “Can’t scan the QR code?”
  2. Copy the secret key displayed on screen
  3. Enter the key manually in your authenticator app

23. What is the 6-digit verification code?
After scanning the QR code, your authenticator app will generate a 6-digit code.

Enter this code on the setup screen to complete the verification.

The code refreshes automatically every 30 seconds.

24. What are recovery codes?
Recovery codes are single-use backup codes that allow you to log in if:

  • You lose your phone
  • Your device is damaged
  • You uninstall the authenticator app
  • You cannot access your authenticator app

25. When should I use a Recovery Code?
Use a Recovery Code only when you cannot complete the normal Two-Step Verification process.

26. How should I store my recovery codes?
You should:

  • Save them in a secure password manager, OR
  • Store them in a secure offline location (e.g., printed and kept safely)

Do not share your recovery codes with anyone.

27. Can I use the authenticator app on multiple devices?
For security reasons, it is recommended to set up the authenticator on one primary trusted device.

If you change devices, you should disable and reconfigure the authenticator setup.

28. Can I use Face ID or fingerprint on the mobile app?
Yes. After your first successful email verification, you can enable Face ID or fingerprint login for faster future access.

29. Will I still need email verification if I use biometrics?
Yes. Email verification may be required periodically as part of ongoing security checks.

30. Can I use Manage My Health on multiple devices?
Yes. However, Two-Step Verification will be required when signing in on new or different devices.

31. What happens if I change or lose my mobile device?
Simply install the app on your new device and log in using your username, password, and email verification code.

32. What if my email address is outdated or I cannot access it?
You will need to contact Manage My Health support or your healthcare provider to update your email address before you can log in.

33. Do I need internet access for Two-Step Verification?
Yes. Internet access is required to receive and enter verification codes.

34. What should I do if the verification code is not working?
Please check:

  • Your phone’s date and time are set automatically.
  • The correct account is selected in the authenticator app.
  • You are entering the current (not expired) code.

If the issue continues, try resynchronising the app or contact support.
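To show why the 30-second refresh in Q23 and the date-and-time advice in Q34 matter, here is an added example (not Manage My Health's code, nor the authenticator apps' own) of the RFC 6238 TOTP computation that Google Authenticator and Microsoft Authenticator implement: HMAC-SHA1, 6 digits, 30-second steps. The secret is the RFC 6238 test-vector key, and the one-step tolerance window on the server side is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the FAQ's 30-second refresh interval
DIGITS = 6          # the FAQ's 6-digit code

# RFC 6238 test-vector secret; a constructed input, NOT a real enrolment key.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s), as the supported apps compute it."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS               # which 30-second window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation, RFC 4226 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def seconds_until_refresh(unix_time: int) -> int:
    """How long the code shown now remains the current one."""
    return STEP_SECONDS - unix_time % STEP_SECONDS


def verify_code(secret_b32: str, submitted: str, server_time: int, window: int = 1):
    """Server-side check (assumed tolerance of `window` steps either side).
    A phone a few seconds off still matches; a phone minutes off does not, which is
    why the FAQ asks for automatic date and time. Returns the matching step offset
    (0 = exact, so callers must test `is not None`), or None when nothing matches."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, server_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return drift
    return None


if __name__ == "__main__":
    now = 59
    print(totp_code(TEST_SECRET_B32, now), seconds_until_refresh(now))
    print(verify_code(TEST_SECRET_B32, totp_code(TEST_SECRET_B32, now - 45), now))  # phone 45 s slow
    print(verify_code(TEST_SECRET_B32, totp_code(TEST_SECRET_B32, now + 41), now))  # phone 41 s fast
```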

35. Can I switch back to SMS or Email verification later?
Yes. You can manage your Two-Step Verification settings anytime from your account security settings.

36. What if my account is locked?
Your account may be temporarily locked after multiple incorrect login or verification attempts.

Please wait until the lock period ends before trying again and ensure you are using the latest verification code sent to your email.
