Multi-factor authentication has become one of the most critical requirements in the Cyber Essentials Plus scheme. The NCSC's updated requirements place MFA at the centre of the user access control domain, reflecting the reality that passwords alone are no longer sufficient to protect organisational accounts from compromise. For organisations preparing for Cyber Essentials Plus certification, understanding exactly what MFA is required, where it must be applied, and which methods are acceptable is essential for passing the assessment.
This guide provides a comprehensive breakdown of the MFA requirements for Cyber Essentials Plus, including practical implementation guidance for the most common business platforms.
Why MFA Matters for Cyber Essentials Plus
Credential theft remains the single most common method attackers use to gain initial access to organisations. Phishing emails, credential stuffing attacks, and password database breaches provide attackers with username and password combinations that can be used to access cloud services, email accounts, and remote access systems. Without MFA, a compromised password gives an attacker unrestricted access to the associated account.
MFA adds an additional verification layer beyond the password. Even if an attacker obtains a user's password through phishing or a data breach, they cannot access the account without also possessing the second factor — typically a mobile device, hardware token, or biometric characteristic. This single control dramatically reduces the risk of account compromise.
The NCSC has recognised this by making MFA a central requirement of the Cyber Essentials scheme. The updated requirements specify where MFA must be deployed, what types of MFA are acceptable, and how it should be configured. For Cyber Essentials Plus assessments, the assessor will actively verify that MFA is not just available but is enforced across all applicable services.
Where MFA Must Be Applied
The Cyber Essentials scheme requires MFA for all cloud services and internet-facing services where it is available. This represents a broad requirement that covers the majority of modern business applications.
Cloud Services
Any cloud-based service that is accessible from the internet and supports MFA must have it enabled. This includes:
- Email platforms — Microsoft 365, Google Workspace, and any other cloud-hosted email service
- Collaboration tools — Microsoft Teams, Slack, Zoom, and similar platforms
- File storage and sharing — OneDrive, SharePoint, Google Drive, Dropbox
- CRM and business applications — Salesforce, HubSpot, and similar platforms
- Development and infrastructure — AWS, Azure, Google Cloud Platform, GitHub, GitLab
- Financial and accounting — Xero, QuickBooks Online, Sage cloud services
The key principle is straightforward: if a service is accessible from the internet and offers MFA as a feature, MFA must be turned on. The assessor will check a representative sample of your cloud services to verify compliance.
Administrator Accounts
MFA on administrative accounts is particularly critical. Any account with elevated privileges — global administrators, IT administrators, security administrators, and similar roles — must have MFA enforced without exception. The compromise of an administrative account gives an attacker control over the entire service, making MFA on these accounts the highest priority.
Administrator accounts without MFA represent one of the most common reasons organisations fail Cyber Essentials Plus assessments. Ensure that every account with administrative privileges has MFA enabled and enforced before your assessment. This includes break-glass accounts, service accounts with admin access, and any shared administrator credentials.
Remote Access Services
VPN gateways, remote desktop services, and any other mechanism that provides remote access to your internal network must be protected with MFA. With the widespread adoption of remote and hybrid working, these services are frequently targeted by attackers and represent a critical entry point into your organisation.
Social Media and Marketing Accounts
If your organisation manages social media accounts, marketing platforms, or other public-facing services, these should also have MFA enabled where supported. While these may not be the primary focus of the assessment, the assessor may ask about their protection, particularly if they represent a reputational risk.
Acceptable MFA Methods
Not all MFA methods provide the same level of security. The Cyber Essentials scheme accepts several methods, but the NCSC has expressed clear preferences for stronger approaches.
| MFA Method | Security Level | CE+ Acceptable | NCSC Recommended |
|---|---|---|---|
| FIDO2 / Hardware security keys | Highest | Yes | Yes — preferred |
| Authenticator app (TOTP) | High | Yes | Yes |
| Push notification (e.g., Microsoft Authenticator) | High | Yes | Yes (with number matching) |
| SMS one-time codes | Moderate | Yes | Acceptable but not preferred |
| Email one-time codes | Lower | Yes (with caveats) | Not preferred |
FIDO2 hardware security keys (such as YubiKeys) provide the strongest MFA protection. They are phishing-resistant because the cryptographic challenge-response is bound to the origin of the genuine website, so a look-alike phishing site or a man-in-the-middle proxy cannot obtain a response that is valid for the real service. The NCSC strongly recommends FIDO2 keys for high-value accounts, particularly administrator accounts.
Authenticator applications using time-based one-time passwords (TOTP) — such as Microsoft Authenticator, Google Authenticator, or Authy — are widely accepted and provide strong protection. They are the most common MFA method deployed in UK organisations and are straightforward to implement.
Push notifications from applications like Microsoft Authenticator offer convenience and good security. The NCSC recommends enabling number matching for push notifications, which requires the user to enter a number displayed on their screen rather than simply tapping approve. This prevents MFA fatigue attacks where attackers bombard users with push notifications hoping they will approve one accidentally.
SMS-based codes are accepted by the Cyber Essentials scheme but are considered less secure than app-based methods. SMS messages can be intercepted through SIM swapping attacks or mobile network vulnerabilities. The NCSC advises using SMS only as a fallback when stronger methods are not available.
When implementing MFA across your organisation, use authenticator apps as the default method and reserve SMS as a fallback for users who cannot use app-based authentication. For administrator accounts, consider deploying FIDO2 hardware keys for maximum protection against phishing attacks.
Implementation Guide for Common Platforms
Microsoft 365
Microsoft 365 is the most common platform we encounter during Cyber Essentials Plus preparations. MFA can be enforced through several mechanisms:
Security Defaults is the simplest approach: it requires every user in the tenant to register for MFA with the Microsoft Authenticator app. Security Defaults is suitable for smaller organisations with simple requirements.
Conditional Access policies provide more granular control, allowing you to require MFA based on specific conditions such as user location, device compliance, application sensitivity, or sign-in risk level. Conditional Access requires Azure AD Premium P1 licensing (included in Microsoft 365 Business Premium and above).
Whichever method you choose, ensure that MFA is enforced, not merely enabled. There is a critical difference: enabled means users are prompted to set up MFA but can skip it; enforced means they must complete MFA setup before accessing services. The assessor will verify that MFA cannot be bypassed.
Google Workspace
Google Workspace supports MFA through the Google Admin console. Navigate to Security > Authentication > 2-Step Verification and enable enforcement for your organisation. Google supports authenticator apps, Google Prompts (push notifications), FIDO2 security keys, and phone-based verification.
For enhanced security, enrol administrator accounts in the Advanced Protection Programme, which requires FIDO2 security keys and provides the strongest available protection.
VPN and Remote Access
The approach to MFA for VPN depends on your specific technology. Most enterprise VPN solutions support integration with MFA providers through RADIUS or SAML. Common approaches include integrating with Azure AD for cloud-based MFA, using Duo Security or RSA SecurID as a dedicated MFA provider, or deploying RADIUS-based MFA through open-source solutions like FreeRADIUS with Google Authenticator integration.
Common Implementation Challenges
Whilst the principle of MFA is straightforward, implementation can present practical challenges that organisations must address.
User resistance is the most common challenge. Some staff view MFA as an inconvenience and may resist its implementation. Clear communication about why MFA is necessary — framed in terms of protecting the organisation and their personal data — helps overcome resistance. Emphasise that MFA is a requirement, not an option.
Shared accounts present a specific difficulty. If multiple people share an account (which should be minimised), assigning MFA to an individual's device becomes problematic. The best solution is to eliminate shared accounts where possible, assigning individual accounts with appropriate access levels. Where shared accounts are unavoidable, consider FIDO2 hardware keys that can be physically shared.
Service accounts and API integrations often cannot support interactive MFA. For these accounts, use alternative security measures such as certificate-based authentication, IP address restrictions, or managed identities (in Azure/AWS environments). Document these exceptions clearly for the assessor.
Legacy applications that do not support modern authentication protocols may not be compatible with MFA. Where possible, upgrade or replace these applications. Where this is not feasible, implement compensating controls such as IP-based access restrictions and enhanced monitoring.
Preparing for Assessment
Before your Cyber Essentials Plus assessment, verify the following:
- MFA is enforced (not just enabled) on all cloud services
- All administrator accounts have MFA active with no exceptions
- VPN and remote access services require MFA
- The MFA method used is acceptable under the scheme (app-based, hardware key, or SMS)
- Number matching is enabled for push notification methods
- Users cannot bypass or skip MFA enrollment
- Break-glass accounts have MFA or alternative strong controls
- Shared accounts are documented with clear justification
- Service account exceptions are documented with compensating controls
The assessor will typically ask to see the MFA configuration in your admin console, verify that a sample of user accounts have MFA active, and may test that MFA is required when logging in from an unrecognised device or location.
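The checklist above is easy to run by hand for a handful of accounts and easy to get wrong for a few hundred. The following is an added example (my own code, not from the article or from Cloudswitched) that applies the same checks to an account inventory and reports findings by severity. The inventory, the field names and the severity scheme are constructed for the example; a real run would populate the `Account` records from your identity platform's export rather than from the hard-coded list.

```python
"""Pre-assessment MFA posture audit over an account inventory.
Added example: the inventory, field names and severities are assumptions,
not any identity platform's export format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCEPTED_METHODS = {"fido2", "totp", "push", "sms"}  # methods the scheme accepts


@dataclass
class Account:
    name: str
    admin: bool = False
    kind: str = "user"                       # user | service | shared | break_glass
    mfa_state: str = "none"                  # none | enabled | enforced
    methods: List[str] = field(default_factory=list)  # registered methods, first is primary
    number_matching: Optional[bool] = None   # meaningful for push only
    exception_documented: bool = False       # compensating controls written down
    justification: str = ""                  # why a shared account exists


@dataclass
class Finding:
    severity: str  # CRITICAL | HIGH | MEDIUM | LOW | INFO
    account: str
    issue: str


def audit(accounts: List[Account]) -> List[Finding]:
    """Apply the pre-assessment checklist to each account and return findings."""
    findings: List[Finding] = []
    for a in accounts:
        if a.kind == "service":
            # Non-interactive accounts cannot complete MFA; the exception must be documented
            if a.mfa_state != "enforced" and not a.exception_documented:
                findings.append(Finding("HIGH", a.name,
                                        "service account without MFA and no documented compensating controls"))
            continue
        if a.kind == "shared" and not a.justification:
            findings.append(Finding("MEDIUM", a.name, "shared account without documented justification"))
        if a.mfa_state == "none":
            if not (a.kind == "break_glass" and a.exception_documented):
                findings.append(Finding("CRITICAL" if a.admin else "HIGH", a.name,
                                        "no MFA; enforcement required before assessment"))
            continue
        if a.mfa_state == "enabled":
            findings.append(Finding("HIGH" if a.admin else "MEDIUM", a.name,
                                    "MFA enabled but not enforced; enrolment can be skipped"))
        if not a.methods:
            findings.append(Finding("HIGH", a.name, "MFA state set but no method registered"))
        for m in a.methods:
            if m not in ACCEPTED_METHODS:
                findings.append(Finding("HIGH", a.name, f"method '{m}' is not an accepted method"))
        if a.methods and a.methods[0] == "sms":
            findings.append(Finding("LOW", a.name, "SMS is the primary method; keep it as a fallback only"))
        if "push" in a.methods and a.number_matching is not True:
            findings.append(Finding("MEDIUM", a.name, "push notifications without number matching (MFA fatigue risk)"))
        if a.admin and "fido2" not in a.methods:
            findings.append(Finding("INFO", a.name, "administrator without a phishing-resistant (FIDO2) method"))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def ready_for_assessment(findings: List[Finding]) -> bool:
    """CRITICAL and HIGH findings are the ones that fail the MFA checks outright."""
    return not any(f.severity in ("CRITICAL", "HIGH") for f in findings)


# Constructed inventory for the example (example.com addresses, invented states).
INVENTORY = [
    Account("alice@example.com", admin=True, mfa_state="enforced", methods=["fido2", "totp"]),
    Account("bob@example.com", admin=True, mfa_state="enabled", methods=["push"], number_matching=False),
    Account("carol@example.com", mfa_state="enforced", methods=["sms"]),
    Account("dave@example.com", admin=True, mfa_state="none"),
    Account("svc-backup@example.com", kind="service", exception_documented=True),
    Account("svc-crm-sync@example.com", kind="service"),
    Account("reception@example.com", kind="shared", mfa_state="enforced", methods=["fido2"]),
    Account("breakglass@example.com", admin=True, kind="break_glass", exception_documented=True),
]

if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in sorted(results, key=lambda f: f.severity):
        print(f"{f.severity:8} {f.account:28} {f.issue}")
    print(summary(results), "ready:", ready_for_assessment(results))
```

Two design points: a service account with documented compensating controls produces no finding, because the assessor expects the exception and the documentation, not MFA; and an administrator whose MFA is merely "enabled" is rated HIGH rather than MEDIUM, matching the article's point that unenforced MFA on privileged accounts is a common reason for failing.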
Beyond Compliance: MFA Best Practices
Achieving compliance with Cyber Essentials Plus MFA requirements is the minimum standard. Organisations serious about security should consider additional measures.
Phishing-resistant MFA using FIDO2 security keys eliminates the risk of real-time phishing attacks that can bypass TOTP and push-based MFA. Consider deploying FIDO2 keys for all users, not just administrators.
Conditional access policies add intelligence to MFA decisions. Rather than requiring MFA for every login, conditional access can increase MFA requirements for risky sign-ins while reducing friction for trusted scenarios — for example, requiring MFA from new locations but not from known office networks.
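The decision logic described here, and in the Conditional Access paragraph of the Microsoft 365 section, can be made concrete with a small policy evaluator. This is an added example (my own model, not Microsoft's Conditional Access engine or API): it assumes that every matching policy applies and that the strictest grant control wins, so a block is never weakened by a more permissive policy that also matches. The policy set and the sign-in contexts are constructed for illustration.

```python
"""Conditional-access style sign-in evaluation. Added example: the SignIn
fields, the policy set and the 'strictest matching control wins' rule are
this example's own model of the approach, not a vendor implementation."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass
class SignIn:
    user: str
    roles: Set[str]
    trusted_location: bool      # source IP is within a named office network
    device_compliant: bool      # device meets the organisation's compliance policy
    risk: str                   # "none" | "low" | "medium" | "high"
    legacy_auth: bool = False   # protocol that cannot carry an MFA challenge


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    control: str                # "mfa" | "phishing_resistant_mfa" | "block"


STRICTNESS = {"allow": 0, "mfa": 1, "phishing_resistant_mfa": 2, "block": 3}

# Constructed policy set mirroring the conditions named in the article.
POLICIES: List[Policy] = [
    Policy("Block legacy authentication", lambda s: s.legacy_auth, "block"),
    Policy("Block high-risk sign-ins", lambda s: s.risk == "high", "block"),
    Policy("Administrators: phishing-resistant MFA everywhere",
           lambda s: "admin" in s.roles, "phishing_resistant_mfa"),
    Policy("All users: MFA outside trusted locations",
           lambda s: not s.trusted_location, "mfa"),
    Policy("All users: MFA on non-compliant devices",
           lambda s: not s.device_compliant, "mfa"),
    Policy("All users: MFA on medium-risk sign-ins",
           lambda s: s.risk == "medium", "mfa"),
]


def evaluate(signin: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return the control to apply and the names of the policies that matched.
    All matching policies apply; the strictest control is the outcome."""
    matched = [p for p in policies if p.applies(signin)]
    if not matched:
        return "allow", []
    decision = max((p.control for p in matched), key=STRICTNESS.__getitem__)
    return decision, [p.name for p in matched]


if __name__ == "__main__":
    cases = [
        SignIn("user1", set(), trusted_location=True, device_compliant=True, risk="none"),
        SignIn("admin1", {"admin"}, trusted_location=True, device_compliant=True, risk="none"),
        SignIn("user2", set(), trusted_location=False, device_compliant=True, risk="none"),
        SignIn("user3", set(), trusted_location=False, device_compliant=True, risk="high"),
    ]
    for c in cases:
        print(c.user, "->", evaluate(c))
```

Note how the administrator from the office network on a compliant device still gets a phishing-resistant MFA prompt, while an ordinary user in the same situation is not prompted at all; that is the friction trade-off the paragraph describes, with the exception for privileged accounts preserved.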
Regular MFA auditing ensures that new accounts are enrolled, that disabled methods are not re-enabled, and that the overall MFA posture remains strong. Schedule quarterly reviews of your MFA configuration.
How Cloudswitched Can Help
At Cloudswitched, we help organisations implement and manage MFA across their entire technology estate. From initial deployment to ongoing management, our team ensures that your MFA implementation meets Cyber Essentials Plus requirements and provides genuine security protection.
We provide MFA strategy and planning, platform configuration for Microsoft 365, Google Workspace, and other services, user communication and training to support smooth rollout, and pre-assessment verification to confirm compliance before the formal Cyber Essentials Plus assessment.
Need Help with MFA for Cyber Essentials Plus?
Cloudswitched provides expert MFA implementation and configuration services to ensure your organisation meets the Cyber Essentials Plus requirements. Get your authentication sorted before assessment day.
Frequently Asked Questions
Is MFA required for every single cloud service?
MFA is required for all cloud services that are accessible from the internet and support MFA as a feature. If a service offers MFA capability, it must be enabled. Services that do not support MFA should be documented and alternative security controls considered.
Can I use SMS-based MFA for Cyber Essentials Plus?
Yes, SMS-based MFA is currently accepted by the Cyber Essentials scheme. However, the NCSC recommends using authenticator apps or hardware security keys as stronger alternatives. SMS should be used as a fallback rather than the primary method.
What about biometric authentication?
Biometric authentication (fingerprint, facial recognition) on a device is considered a form of MFA when combined with a password. Windows Hello for Business and Apple Face ID/Touch ID are acceptable as part of an MFA implementation when properly configured.
Do service accounts need MFA?
Service accounts that cannot support interactive MFA should be secured with alternative controls such as certificate authentication, IP restrictions, or managed identities. Document these exceptions and their compensating controls for the assessor.
How do I handle MFA for contractors and temporary staff?
Contractors and temporary staff who access your cloud services must use MFA on the same basis as permanent employees. Ensure your onboarding process includes MFA enrollment and that accounts are promptly disabled when the engagement ends.

