Multi-Factor Authentication Help
The NPDB requires the use of multi-factor authentication, or MFA, for all user accounts. MFA requires something you know, such as password, and something you have, like a mobile phone, for authentication. It is a more secure method, so frequent password changes are not necessary. MFA is required to access all NPDB user accounts. The Department of Health and Human Services' External User Management System, or XMS, administers MFA for the NPDB.
How do I enable MFA for my account?
- On the Sign In To Your User Account page, select Sign in with a DBID and User ID.
- On your Entity Registration Confirmation page, select Link to an MFA service.
- On the next page, select Sign in with ID.me unless you have a PIV card or CAC.
- If you have one of those credentials, select PIV/CAC then follow the instructions to register it.
- On the ID.me sign in page:
- If you have an ID.me account, sign in and follow the instructions to link it to your NPDB user account.
- If you do not have an ID.me account, select "Create an account" and follow the instructions.
- After your account is linked, you will use MFA to sign in to your NPDB user account.
Visit ID.me Exit Image to review methods and options for setting up MFA.
Q&As
- What is MFA?
Multi-factor authentication, or MFA, is an authentication method that requires users to provide two or more verification factors to gain access to a resource such as an NPDB user account. MFA is a core component of a strong identity and access management policy.
MFA requires something you know, such as a password, and something you have, like a mobile phone, for authentication. It is a more secure login method, so frequent password changes are not necessary.
- What is ID.me Exit Image?
ID.me is certified against federal standards to provide secure login and identity verification. ID.me provides a method for users to verify their identity and protect security with information systems, such as the NPDB. The ID.me secure digital identity network has over 100 million members with over 60,000 individuals joining daily, as well as partnerships with 30+ states, multiple federal agencies, and over 500 name brand retailers.
- What is XMS?
XMS is the Department of Health and Human Services' External User Management System, which administers MFA for the NPDB.
- Should I use my existing ID.me account to enable MFA with the NPDB?
Yes. You must use your existing ID.me account to link with your NPDB account.
- Can I create a separate ID.me account if I already have one?
No. You can only have one ID.me account.
- What email address should I use for my ID.me account?
Use your personal email address for your ID.me account. However, you may also add a secondary email address Exit Image in case you lose access to your primary email.
- What if I use a credentialing software (QRXS) to access the NPDB?
To use MFA, you will need to create a separate QRXS password for your data transmissions. The QRXS password expires every 180 days. You will only use MFA to sign in to your account through the secure NPDB website.
- Will I still be able to use my NPDB user ID and password to sign in?
No. If you have enabled MFA, you must use MFA to sign in. If you have not enabled MFA, you will sign in with your DBID, user ID, and password. However, you must then enable MFA in order to access your NPDB account.
- Do I have to change my NPDB password if my account is linked to use MFA?
No, once you have enabled MFA, you will no longer have an NPDB password.
- I received an XMS-3208: User Management Error when I signed in with my ID.me account. What should I do?
The 3208 error may be an indicator that you have created an account with XMS through a different MFA service. Use this help article Exit Image to add ID.me to your profile. If you continue to receive an error when logging in with MFA, please contact us.