Strong authentication has long been a cornerstone of good cybersecurity practice, but the expectations around it are rapidly changing. As attacks grow more sophisticated, it’s no longer sufficient to rely on old password practices. Cyber Essentials is evolving in response, placing greater emphasis on how organisations protect accounts.
For businesses looking to achieve or renew Cyber Essentials certification, then, the days of simple passwords and optional multi-factor authentication (MFA) are over. The standard is tightening and those who fail to adhere to it will lose out. But the right approach can ensure that strengthening authentication is neither complicated nor disruptive.
In this blog, we’ll discuss what Cyber Essentials now requires of organisations, how password policies fit into the picture and what the future of authentication looks like as passwordless login methods gain popularity and traction.
Cyber Essentials, passwords and changing expectations
Cyber Essentials has always required organisations to demonstrate that their accounts are well-managed and protected, but recent updates to the standard mean that authentication methods and account protection now play a decisive role in determining whether an applicant passes or fails.
Weak passwords, reused credentials, missing password policies and the absence of MFA remain among the most common reasons organisations fail to achieve certification. As online crime continues to increase, Cyber Essentials is clear that outdated authentication and the absence of basic minimum controls such as MFA pose a real and avoidable cybersecurity risk.
The scheme also recognises that cloud adoption, along with the rise of hybrid and remote working, has changed how users access systems. With more information stored online and accessible from anywhere, CE expects firms to have stronger controls in place to prevent unauthorised access. Password policies, while still relevant, therefore form one part of a bigger picture.
Multi-factor authentication: now a critical requirement
MFA, 2FA and 2SV (multi-factor authentication, two-factor authentication and two-step verification are different names for the same control) is no longer a mere nice-to-have under Cyber Essentials. Rather, it is mandatory for every cloud-based service that an organisation uses where the service supports MFA, whether natively or via a third-party single sign-on (SSO) provider. On its own, a password is too easy to steal, guess or crack. Requiring a second factor drastically reduces the risk of accounts being compromised.
Currently, CE still allows organisations to use software that does not support MFA, provided there is no alternative way of enabling it. This is, however, a temporary concession. From next year, if a platform has MFA available but it isn’t turned on, the organisation in question will fail its Cyber Essentials assessment.
This has real implications for businesses using cheaper software tiers, such as entry-level application plans, that do not deliver MFA natively. These products might save money upfront, but they will cause problems in CE assessments and make certification harder to achieve: the product must either be upgraded to a tier with native MFA, or support SSO so that MFA can be delivered via another provider such as Microsoft or Google. In practice that usually means moving to more expensive enterprise-type plans, with the costs that go with them.
The upshot of all this is straightforward: choose software that supports MFA and avoid buying tools that fall short of basic security standards. As CE requirements continue to toughen, non-compliant platforms will quickly become unsustainable for organisations looking to get or remain certified.
What good password hygiene looks like
Even with MFA in place, password quality still matters. Cyber Essentials requires passwords to be at least eight characters long, but this is a minimum rather than a target. Longer, more complex passwords provide greater protection and are harder for attackers to crack. A mix of lowercase and uppercase letters, numbers and special characters remains the most effective type of password.
The National Cyber Security Centre (NCSC) often recommends using passphrases, such as three random words, to create lengthy yet memorable passwords. However, real-world testing has demonstrated that many of these combinations can be cracked within a few hours, especially when users choose predictable or thematically linked words. Longer, more varied phrases are harder to break; if you do chain words together, include some special characters within the phrase.
Password reuse is another persistent problem. When one system is breached, attackers will inevitably try to use the same credentials across multiple platforms. Educating staff on safe password habits and providing tools such as password managers can reduce risk and facilitate CE compliance.
Finally, enforcement also matters. Organisations must apply password policies consistently across all company devices and systems so that no part of the network is left exposed by weaker or legacy settings.
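The following is an added example, not code from the original post, showing how the password rules above can be applied as a policy check: the eight-character minimum, a denylist for reused or breached passwords, and a strength estimate that scores a common dictionary word as a single guess rather than as a run of random letters, which is why three common words can score poorly despite their length. The word list, the denylist, the 20,000-word attacker-dictionary size and the 50-bit acceptance target are all constructed assumptions.

```python
import math

# Added example, not from the post: applies the post's password rules
# (8-character minimum, no reused/breached passwords) plus a strength
# estimate that scores a dictionary word as one guess from a word list.
# COMMON_WORDS, DENYLIST, the 20,000-word attacker dictionary and the
# 50-bit target are constructed assumptions, not values from the post.
COMMON_WORDS = {"horse", "battery", "staple", "correct", "summer", "winter",
                "football", "password", "london", "dragon", "monkey"}
DENYLIST = {"password1", "password123", "qwerty123", "letmein1"}
MIN_LENGTH = 8                    # Cyber Essentials minimum cited in the post
MIN_BITS = 50                     # assumed acceptance threshold
WORD_BITS = math.log2(20_000)     # one word drawn from an assumed 20k-word list


def charset_bits(ch):
    """Bits contributed by one character that is not part of a dictionary word."""
    if ch.isdigit():
        return math.log2(10)
    if ch.isalpha():
        return math.log2(26)
    return math.log2(33)          # printable ASCII symbols


def estimate_bits(password):
    """Greedy longest-match tokenisation: a dictionary word costs WORD_BITS
    (+1 bit if it is capitalised); every other character is scored alone."""
    low, i, bits = password.lower(), 0, 0.0
    while i < len(password):
        end = next((e for e in range(len(password), i, -1) if low[i:e] in COMMON_WORDS), None)
        if end is None:
            bits += charset_bits(password[i])
            i += 1
        else:
            bits += WORD_BITS + (1 if password[i:end] != low[i:end] else 0)
            i = end
    return bits


def check_policy(password):
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than the {MIN_LENGTH}-character minimum")
    if password.lower() in DENYLIST:
        problems.append("appears on the denylist of breached or common passwords")
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        problems.append(f"estimated {bits:.0f} bits of guess resistance, below the {MIN_BITS}-bit target")
    return problems
```

With these assumptions, "horsebatterystaple" fails on strength despite being 18 characters long, while "Horse!battery7Staple*Winter" passes because the extra word, capitals and symbols add guess resistance.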
Moving towards passwordless authentication
There is a move away from passwords altogether; the NCSC is openly preparing for a passwordless future. Passkeys, hardware tokens and physical security keys such as YubiKeys offer far stronger protection than traditional credentials.
These methods of authentication are immune to phishing, resistant to interception and cannot be stolen through common attack techniques like keylogging or malware. This kind of authentication is known as “phish-resistant MFA”, a standard that outperforms SMS codes and authenticator apps.
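To make the phishing resistance concrete, here is an added simulation, not code from the post, of the checks that stop a passkey from being used on a look-alike site: the credential is scoped to a relying-party identifier (rpId), the browser only releases it to a page whose host matches that rpId, and the relying party checks the origin and rpIdHash before trusting the signature. Signing is simulated with HMAC over a shared secret so the block runs offline, and the hostnames example.com and example-com.co are constructed.

```python
import hashlib, hmac, json, secrets

# Added simulation, not from the post, of why a passkey resists phishing. Signing is
# simulated with HMAC over a shared secret so the block runs offline; real passkeys
# sign with a private key whose public half the relying party (RP) stored at
# registration. The RP "example.com" and the phishing host are constructed.

def browser_allows(origin, rp_id):
    """WebAuthn rule: rpId must equal the page's host or be a suffix of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)

class Authenticator:
    def __init__(self, rp_id):
        self.keys = {rp_id: secrets.token_bytes(32)}   # rpId -> simulated signing key
    def get_assertion(self, origin, rp_id, challenge):
        if not browser_allows(origin, rp_id):
            raise PermissionError(f"browser refuses rpId {rp_id} for {origin}")
        if rp_id not in self.keys:
            raise LookupError(f"no passkey registered for {rp_id}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
        sig = hmac.new(self.keys[rp_id], auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return auth_data, client_data, sig

def rp_verify(key, rp_id, expected_origin, challenge, auth_data, client_data, sig):
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:       # origin binding: look-alike hosts fail here
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():   # rpIdHash check
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def login_outcome(origin, rp_id_requested):
    """Return 'ok', or the reason a login attempted from `origin` fails at RP example.com."""
    auth = Authenticator("example.com")
    key = auth.keys["example.com"]
    challenge = secrets.token_hex(16)
    try:
        a, c, s = auth.get_assertion(origin, rp_id_requested, challenge)
    except (PermissionError, LookupError) as e:
        return str(e)
    ok = rp_verify(key, "example.com", "https://example.com", challenge, a, c, s)
    return "ok" if ok else "rejected by relying party: origin or rpIdHash mismatch"
```

A phishing page at example-com.co is stopped twice over: the browser refuses to use rpId example.com from that host, and requesting its own rpId finds no passkey; even a page on a subdomain that the browser does allow is rejected by the relying party unless that origin is on its allowed list.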
Full passwordless authentication won’t happen overnight, but businesses should begin exploring these methods now, particularly for privileged or administrative accounts where any compromise would be especially damaging. Preparing early will make the transition easier and will also make future Cyber Essentials updates simpler to adhere to.
What this means for you
The direction of travel is unmistakable. Cyber Essentials is raising the bar – and authentication is becoming one of the most scrutinised areas of CE assessments. Organisations must stop relying on outdated systems that lack adequate security and adopt MFA as a matter of course.
Businesses that begin planning for a passwordless future now will be better protected and far more future-proof as the CE standard continues to evolve. Those who modernise today will thus find certification much smoother and more straightforward in the years ahead.
Is your business looking to attain or renew Cyber Essentials certification? Cyber Essentials is here to help. We work with businesses of all sizes to help them get and remain certified. Get in touch with our expert team today for more information.
