NPPES Login Help: I&A Account, Password Reset, and Lockout Solutions
NPPES login is managed through the I&A System (Identity and Access Management), not NPPES itself. If you cannot log in: use the FORGOT USER ID or PASSWORD? link on the NPPES login page to reset credentials through I&A. If your account is locked after three failed attempts, call the NPI Enumerator at 1-800-465-3203. If your MFA code is failing, log into I&A and select Reset/Unlock MFA.[1]
NPPES and PECOS both use a single shared login system called the I&A System. Understanding how that system works prevents most login failures, because the issue is almost never with NPPES or PECOS themselves. It is with the I&A account that gates access to both. This guide covers every common login scenario and where to go when self-service is not enough.
What the I&A System Is
The Identity and Access Management System (I&A) is CMS's centralized account management gateway. It controls who can log into NPPES, PECOS, and several other CMS provider portals. When you log into NPPES at nppes.cms.hhs.gov, you are actually authenticating through I&A first.[1]
Your I&A account holds:
- Your user ID (cannot be changed)
- Your password (must be changed every 60 days for PECOS access)
- Your MFA method and contact information
- Your access permissions (which NPIs or organizations you can manage)
- Any Surrogate or Staff End User relationships you have established
Because one I&A account controls access to multiple CMS systems, a problem with I&A credentials will block you from both NPPES and PECOS simultaneously. The solution is always to resolve the credential issue in I&A, not to try logging into NPPES through a different path.
The Correct Login URL
Always access NPPES directly at https://nppes.cms.hhs.gov. Do not use links from emails you did not request or third-party sites. CMS will never ask for your I&A credentials through an email link. Verify the URL and the cms.hhs.gov domain before entering any login information.
Common Login Problems and Solutions
Select the problem that matches your situation. Each card walks through the official resolution steps.
On the NPPES login page, select the FORGOT USER ID or PASSWORD? link. This redirects you to the I&A System where you can recover your user ID or reset your password by verifying through your MFA method.[1]
If you no longer have access to the email address or phone number associated with your I&A account, you cannot complete the self-service reset. In that case, call the NPI Enumerator at 1-800-465-3203 for assisted recovery.
If you enter an incorrect user ID and password combination three times, your I&A account is locked. You cannot unlock it through the self-service password reset process. You must call the NPI Enumerator at 1-800-465-3203 to have your account manually unlocked.[1]
Before calling, have the following ready to verify your identity:
- Your NPI number
- Your legal name as it appears on the NPI record
- The email address associated with your I&A account
Log into the I&A System at nppes.cms.hhs.gov/IAWeb and select the Reset/Unlock MFA link. This walks you through the process to either reset your MFA method (if you lost access to it) or unlock a locked MFA.[1]
MFA code expiration windows to keep in mind:
- SMS and voice codes expire after 5 minutes
- Email codes expire after 15 minutes
If your code expired before you entered it, request a new one. Do not try to reuse an expired code, as this may count against your attempt limit.
If you log in successfully but do not see the NPI providers you expect to manage, check your I&A account to confirm you have been assigned the appropriate access for those NPIs. This is an access permissions issue, not a login problem.[1]
Common causes:
- The provider's Authorized Official has not yet added you as a Surrogate or Staff End User
- You are logged into a personal I&A account rather than the one linked to the organization
- The surrogacy connection was established in I&A but has not been confirmed by both parties
Ask the Authorized Official for the provider or organization to review your access in I&A and confirm your Surrogate or Staff End User relationship.
PECOS requires your I&A password to be changed every 60 days. If you attempt to log into PECOS with an expired password, the system automatically redirects you to the I&A System to reset it. This is expected behavior and is not a sign that your account was compromised.[2]
The I&A System displays a countdown to expiration when you log in. Do not wait for the expiration to trigger the redirect; change your password proactively before it expires. NPPES itself does not enforce the 60-day password rule, so a password that has stopped working for PECOS may still work for NPPES temporarily.
Multi-Factor Authentication (MFA)
MFA is required for all I&A accounts. New users complete MFA setup during account creation. Existing users who have not yet enrolled in MFA will be prompted on their next login.[1]
Three MFA methods are supported:
CMS recommends setting up two methods (for example, SMS and email) as a backup in case one becomes unavailable. You cannot use the same method type twice. If you set up both SMS and voice, they must use the same phone number.
SMS and voice MFA are not supported for international phone numbers. If you are outside the United States, select email as your MFA method during setup.[1]
MFA and private vs. public devices
How MFA behaves after a successful login depends on whether you are on a private or public device:[1]
- Private device: NPPES installs a cookie that lets you bypass MFA for 24 hours after a successful login. However, the session still times out after 15 minutes of inactivity. If you return within 24 hours and your session has timed out, you can log back in without completing MFA again until the 24-hour cookie expires.
- Public device: No MFA bypass cookie is installed. When the session times out, your MFA authentication also expires. Every new session on a public device requires a full MFA code.
The 15-Minute Timeout
NPPES logs you out automatically after 15 minutes of inactivity. This applies to both NPPES and PECOS since both share the same I&A session. The timeout exists as a security control and cannot be extended.[1]
The most common consequence: starting to fill out an NPI application or update, stepping away for more than 15 minutes, and returning to find the session expired and work lost. To avoid this:
- Gather all required information before you log in, not during the session.
- For NPI applications, use the NPPES FAQ and our NPI application guide to prepare your data in advance.
- For PECOS enrollments, use our PECOS enrollment checklist before starting a session.
- Keep your information in a document you can copy-paste from quickly if needed.
PECOS Passwords Expire Every 60 Days
NPPES and PECOS share the same I&A credentials but enforce the password policy differently. PECOS specifically requires an I&A password change every 60 days. The I&A System countdown timer tells you how many days remain. If the password expires, PECOS redirects you to I&A to reset it before you can proceed.[2]
Best practice is to change your I&A password every 55 to 58 days rather than waiting for the expiration. This prevents being locked out of PECOS at an inconvenient moment, such as during a revalidation deadline window.
If your I&A password expires during a revalidation window or while you are responding to a MAC information request, you will not be able to submit until the password is reset. Given that missed revalidation deadlines can result in payment holds, keeping the password current is an operational priority, not just a security recommendation.
Shared Logins and Surrogacy
Each I&A account must be used only by the person it belongs to. Sharing login credentials is not permitted and creates both security risks and MFA complications, since MFA codes are sent to the account holder's phone or email.[1]
When office staff or credentialing teams need to manage NPI records or PECOS enrollments on a provider's behalf, the correct approach is surrogacy:
- Individual providers can authorize Surrogates and Staff End Users (SEUs) through their I&A account. Each gets their own I&A credentials.
- Organizational providers must designate an Authorized Official (AO) first, who then authorizes Access Managers, Surrogates, and SEUs.
- The AO is the only person who can authorize additional users and is the only person with authority to make initial enrollment changes on behalf of the organization.
Setting up surrogacy is a separate process from managing NPI records. Refer to the I&A Quick Reference Guide at nppes.cms.hhs.gov for step-by-step surrogacy setup instructions.
Browser Requirements
NPPES is most compatible with the latest versions of Google Chrome and Microsoft Edge. Cookies must be enabled; they are used for secure login and do not store personal information. The 24-hour MFA bypass cookie described above also requires cookies to be enabled.[1]
If you experience display or functionality issues in NPPES, try switching to Chrome or Edge before calling the help desk. Many reported login problems clear up with a browser switch or after clearing the browser cache.
Who to Call for What
Routing your question to the right contact saves time. The NPPES help system and PECOS technical support are separate from each other and from your MAC.
| Your problem | Who to contact |
|---|---|
| Forgot NPPES user ID or password | Self-service: FORGOT USER ID or PASSWORD? link on NPPES login page |
| Account locked after three failed attempts | NPI Enumerator: 1-800-465-3203 (TTY: 1-800-692-2326) |
| MFA locked or lost access to MFA method | Self-service: Reset/Unlock MFA link at nppes.cms.hhs.gov/IAWeb |
| PECOS password expired or redirecting to I&A | Self-service: reset at nppes.cms.hhs.gov/IAWeb |
| Technical errors or system issues in NPPES or PECOS | CMS External User Services (EUS) Help Desk: 1-866-484-8049 Mon–Fri, 7 am–7 pm ET |
| Questions about NPI application or updates | NPI Enumerator: 1-800-465-3203 or [email protected] |
| Medicare enrollment questions in PECOS | Your MAC (find at cms.gov/MAC-info) |
| Not sure who to call | CMS Provider Enrollment Assistance Guide at cms.gov |
Frequently Asked Questions
NPPES and I&A login questionsThe I&A System (Identity and Access Management System) is CMS's shared login gateway for NPPES, PECOS, and other CMS provider portals. You cannot log in to NPPES directly without an I&A account. The I&A System manages your user ID, password, MFA settings, and access permissions for all CMS provider systems. When you log into NPPES, you are authenticating through I&A first.
On the NPPES login page at nppes.cms.hhs.gov, select the FORGOT USER ID or PASSWORD? link. This redirects you to the I&A System where you can recover your user ID or reset your password by completing your MFA verification. If you no longer have access to the phone number or email address on your account, call the NPI Enumerator at 1-800-465-3203 for assisted recovery.
Accounts lock after three incorrect user ID and password attempts. You cannot unlock a locked account through self-service. You must call the NPI Enumerator at 1-800-465-3203 (TTY: 1-800-692-2326). They will verify your identity and manually unlock the account. Have your NPI number, legal name, and the email address on your I&A account ready when you call.
New users complete MFA setup during I&A account creation. Existing users who have not enrolled will be prompted on their next login. If you need to reset your MFA method because you lost access to your phone or email, log into the I&A System at nppes.cms.hhs.gov/IAWeb and select Reset/Unlock MFA. Three methods are supported: SMS text, voice call, and email. CMS recommends setting up two methods as backup.
NPPES times out after 15 minutes of inactivity as a security measure to prevent unauthorized access if you step away from your device. The timeout cannot be extended. On a private device, a cookie allows you to bypass MFA re-entry for 24 hours after login, but the 15-minute inactivity timeout still applies each time you restart the session. Gather all required information before logging in to avoid losing work mid-session.
No. Each I&A account must be used only by the person it belongs to. CMS explicitly states it is not recommended for any user to log into another person's I&A account. Office staff who need to manage NPI records on your behalf should be set up as Surrogates or Staff End Users with their own I&A credentials. This also ensures MFA codes go to the right person and that access can be revoked individually if a staff member leaves.
Looking up a provider's NPI does not require login.Search the full NPPES registry by name, NPI, specialty, or location with no account required.
Search the NPI RegistrySources
This guide is based on the following official government publications. NPI Profile summarizes official documentation for convenience; the source documents remain the authoritative reference.
- Centers for Medicare & Medicaid Services. NPPES Frequently Asked Questions. nppes.cms.hhs.gov. Account Access and I&A section: forgot credentials, three-strike lockout, MFA methods and timing, private vs. public device behavior, browser requirements, surrogacy and shared login policy, international user guidance.
- Centers for Medicare & Medicaid Services, Medicare Learning Network. Medicare Provider Enrollment (MLN9658742). 2026 edition. I&A System section: 60-day password expiration for PECOS, PECOS redirect behavior on expired passwords, EUS Help Desk contact information.
