Skip to content
360 Cyber Compliance

Cyber Essentials · 1 July 2026

Cyber Essentials MFA requirements explained

Multi-factor authentication (MFA) is now a firm requirement of Cyber Essentials, and it is one of the single most effective defences against account compromise. This guide explains what the scheme expects, where MFA applies, and how to roll it out without disrupting your team. It sits under the wider user access control theme within the five controls.

What MFA is

MFA means proving who you are with more than one factor before you are granted access. The factors fall into three categories:

  • Something you know — a password or PIN.
  • Something you have — a phone with an authenticator app, or a hardware security key.
  • Something you are — a fingerprint or face scan.

A password alone is a single factor. Add a second, independent factor and a stolen password is no longer enough for an attacker to get in.

What Cyber Essentials requires

Cyber Essentials is a UK government-backed scheme delivered by IASME for the NCSC, and its requirements are specific: MFA must be applied to cloud services. In practice this covers the online services your organisation relies on, such as Microsoft 365, Google Workspace, cloud accounting, HR and rostering systems.

The key expectations are:

  • MFA is enabled for all users of a cloud service, not just some.
  • MFA is enabled for administrator accounts on cloud services, without exception.
  • The password element used alongside MFA still meets the scheme’s password requirements.

Because certification is a self-assessment verified by IASME and valid for 12 months, your answers must reflect MFA that is genuinely switched on across the services in your scope.

Where MFA applies

Service typeMFA expected?
Cloud email and productivity (e.g. Microsoft 365, Google Workspace)Yes
Cloud business applications (accounting, HR, rostering, CRM)Yes
Cloud administrator and management consolesYes, without exception
Remote access into your networkStrongly recommended, and often required by the same accounts

If a service holds organisational data in the cloud and supports MFA, you should assume it needs to be turned on.

Accepted MFA methods

Not all second factors are equally strong. In broad order of preference:

  1. Hardware security keys — the most robust option and highly resistant to phishing.
  2. Authenticator apps — a code or push notification generated on a phone; a strong, practical choice for most teams.
  3. SMS text codes — better than nothing, but more vulnerable to interception and SIM-swap attacks, so use it only where a stronger method is unavailable.

Wherever possible, steer users towards an authenticator app or a security key rather than relying on text messages.

Rolling out MFA smoothly

MFA fails in practice when it is introduced without support. A few steps make it far smoother:

  • Start with administrators. These accounts carry the most risk, so protect them first.
  • Communicate early. Explain why MFA is being introduced and what staff need to do.
  • Provide a fallback. Register more than one factor per user, or a backup method, so a lost phone does not lock someone out.
  • Use built-in policies. Microsoft 365 and Google Workspace both offer settings to enforce MFA across all users centrally.
  • Check coverage. Confirm no accounts have been excluded or exempted, as gaps here are a common reason applications fail — see our guide to the common reasons Cyber Essentials applications fail.

Common MFA mistakes

A few recurring errors catch organisations out:

  • Exempting administrators. Ironically, the highest-risk accounts are sometimes left without MFA “to save time”. These are exactly the accounts an attacker most wants, so they must be protected.
  • Partial coverage. Enabling MFA for some users but not others leaves gaps. The requirement is all users of a cloud service.
  • Overlooking a service. A finance or HR system quietly holding data in the cloud is easy to forget. Listing every cloud service you use is the first step to covering them all.
  • Relying only on SMS. Text codes are acceptable where nothing stronger is available, but they are the weakest option and should not be your default.

Passwords still matter

MFA is a second factor, not a replacement for a good first one. The password element used alongside MFA must still meet the scheme’s requirements — protecting against brute-force guessing, avoiding common passwords, and using reasonable length. Secure configuration and MFA together give each account two solid layers rather than leaning on one.

MFA and the wider controls

MFA does not stand alone. It works alongside limiting administrator rights, giving each person their own account, and removing access promptly when people leave. Combined with sensible secure configuration, it closes off the account-based attacks that firewalls and malware protection cannot.

If you progress to Cyber Essentials Plus, the independent technical audit will look at how access is protected in practice, so having MFA properly in place beforehand matters. For a fuller information-security framework, MFA is also a foundational requirement of IASME Cyber Assurance and ISO 27001. Any unfamiliar terms are defined in our glossary.

How we can help

We support organisations through Cyber Essentials with a clear, transparent delivery process, including practical help identifying every cloud service in scope and confirming MFA is switched on correctly across your users and administrators. If you would like support getting MFA right for your self-assessment, see our Cyber Essentials service or get in touch.

Need help in practice? See our Cyber Essentials service.

Need a hand with this?

Book a free, no-obligation readiness check.