Why Cyber Essentials now requires Multi-Factor Authentication
Multi-factor authentication is one of the most effective ways UK businesses can strengthen everyday security. As cyber attacks become more targeted and credentials remain a common route into business systems, relying on passwords alone is no longer enough.
A strong MFA policy adds an extra layer of protection around the people, platforms and data your organisation depends on. It recognises a simple truth: security has to work with users, not against them.
The UK Government’s Cyber Security Breaches Survey of 2025/26 found that phishing remained the most prevalent type of breach recorded, affecting a sizable 38% of UK businesses. A similar report from the ICO showed that human error accounts for around 60% of global breaches. Perhaps most tellingly, Microsoft has found that an astonishing more than 99.9% of compromised accounts did not have MFA enabled.
It is clear that stolen or misused credentials remain a major route into crucial business systems and data in 2026. This is why Cyber Essentials requirements now place a high emphasis on MFA as a key factor in reducing risk.
Multi-factor authentication requires a user to verify their identity using more than one authentication factor before access is granted. A password is one factor. MFA adds another layer, usually by asking the user to confirm who they are with another verified device or process.
Common authentication factors include:
If a password is stolen, guessed or reused, the attacker would therefore still require the second factor before they can access the account.
Accounts without MFA are one of the most common issues we find during Cyber Essentials assessments at Cyber Tec. They also provide one of the simplest and quickest security gaps for attackers to exploit.
Essentially, if an account can sign in with just a password, it is worryingly exposed. Attackers will not waste time investigating what the account was originally created for; they just need it to get into your entire business technology environment.
The most common MFA gaps are usually predictable and include:
Although MFA represents a relatively small control to be applied, it can become one of the largest cyber defences across your entire IT estate. However, it is also one of the most misunderstood by SME owners and business leaders.
The recent changes implemented for Cyber Essentials certification go a long way to offering clarity and practical steps to take for MFA requirements in 2026.
It would be fair to say that previous Cyber Essentials requirements for MFA had been open to a certain amount of interpretation and self-governance. Although it was marked as a requirement in earlier years, the 2026 update has tightened the rules with a particular emphasis on cloud services.
The practical message and language from IASME now offers clear guidelines to follow:
This is the strongest compliance point possible.
MFA is no longer simply recommended or required for cloud services; without it, certification is at risk. This also highlights exactly how important MFA is in protecting systems through robust authentication, and how seriously it must be taken by SMEs.
For Cyber Essentials purposes, cloud services include any service accessed via an account that stores, processes or provides access to organisational data.
In the day-to-day running of an organisation this might include:
Our Cyber Essentials team at Cyber Tec often encounters client assumptions that cloud security is entirely the platform provider’s responsibility.
In reality, this may be one of the biggest takeaways from the changes so far. It is now abundantly clear that although the provider may operate the platform, the end-user client is responsible for applying the strongest authentication possible.
This means every organisation must configure access securely, manage accounts and enable MFA where required, as standard.
Cyber Essentials has previously acknowledged that some devices or systems can’t be configured to meet every requirement as a result of vendor restrictions. Although the position for cloud services is clear, for non-cloud accounts Cyber Essentials requires organisations to implement MFA ‘where it is available’.
This means any in-scope account that supports MFA should have it enabled with particular care applied to:
Administrative accounts should be afforded particular attention because they usually have greater access than standard user accounts. The Cyber Essentials requirements explain that privileged accounts should be used only for administrative activity, not for routine tasks such as email or web browsing. They also require organisations to remove or disable special access privileges when they are no longer needed.
The ‘where it is available’ wording is always to be taken as a serious requirement and not merely an optional suggestion.
In any event where MFA genuinely cannot be enabled, organisations should act accordingly by:
Applying multi-factor authentication should never be treated as a box-ticking exercise. It may seem tempting to simply prove that MFA is present for Cyber Essentials certification, but the aim is always to make sure the method being used provides meaningful protection against the way attackers actually operate. There are occasions where a second layer of authentication can remain weak if the method is too easy to intercept, bypass or obtain through social engineering means.
Common MFA options include:
Each of these comes with its own vulnerabilities that make it inappropriate for certain levels of risk. Understanding these helps define the use case and guides you towards the most resilient choice.
For higher-risk accounts, particularly administrator accounts, remote access accounts and cloud services, organisations should therefore consider stronger MFA options.
Stronger, phishing-resistant MFA methods are available to address these situations. They include:
A thorough review of what MFA method has been chosen, where it is applied and why is always well advised, as the National Cyber Security Centre is keen to emphasise. This can be part of a company-wide cultural approach to MFA that involves:
Organisations should choose an MFA that is proportionate to the account, the data it protects and the risk of compromise. For Cyber Essentials, that means enabling MFA wherever required and choosing the best available second factor for the systems that matter most.
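The difference between a code-based second factor and a phishing-resistant one comes down to what the server actually checks. The following is an added illustration, not code from Cyber Tec, IASME or the NCSC: an RFC 6238 TOTP verifier, which has no way of knowing where the user typed the code, beside an origin-bound assertion verifier in the shape of a passkey/WebAuthn login, which rejects an assertion produced on any other site and refuses a reused challenge. The origin `https://login.example.com`, the look-alike domain and all keys are constructed for the example, and a per-credential HMAC stands in for the authenticator’s asymmetric signature so that the block runs with the Python standard library only; the origin and challenge checks are the same either way.

```python
"""Added example: why one-time codes are phishable and origin-bound assertions are not.
Standard library only; keys, origins and credential ids are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time


# --- TOTP (RFC 6238): the "enter a six-digit code" second factor -----------------
def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) for a base32 secret at a given time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side TOTP check. Note what is NOT an input: where the user typed the code.
    Any party holding a fresh code gets the same answer, so this method cannot tell a
    genuine login page from a look-alike one."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# --- Origin-bound assertion: the shape of a passkey / WebAuthn login ---------------
# Real WebAuthn: the authenticator signs (authenticatorData || SHA-256(clientDataJSON))
# with the credential's private key and the relying party verifies with the stored
# public key. A per-credential HMAC key stands in for that key pair here (assumption
# for a stdlib-only demo); the origin and challenge checks are identical.
class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin        # the genuine site's origin (constructed)
        self.credentials = {}       # credential_id -> verification key
        self.pending = set()        # challenges issued and not yet consumed

    def register(self, credential_id: str, key: bytes) -> None:
        self.credentials[credential_id] = key

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, credential_id: str, client_data: bytes, signature: bytes) -> bool:
        key = self.credentials.get(credential_id)
        if key is None:
            return False
        try:
            data = json.loads(client_data)
        except ValueError:
            return False
        # 1. The browser, not the user, fills in the origin it is talking to. An assertion
        #    made on a look-alike domain carries that domain and is rejected here.
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False
        # 2. The challenge must be one we issued and not yet used (no replay).
        challenge = data.get("challenge")
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)   # single use, whatever happens next
        # 3. The signature covers the client data, so origin and challenge cannot be
        #    edited after signing.
        expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key: bytes, origin: str, challenge: str) -> tuple:
    """What the user's authenticator produces; the origin is supplied by the browser."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                             separators=(",", ":")).encode()
    signature = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, signature


def demo() -> dict:
    """Run both verifiers on constructed data and return the outcomes."""
    rp = RelyingParty("https://login.example.com")
    key = secrets.token_bytes(32)
    rp.register("cred-1", key)

    # TOTP: a correct code is accepted; nothing ties it to the real site.
    secret = base64.b32encode(secrets.token_bytes(20)).decode()
    now = int(time.time())
    totp_accepted = verify_totp(secret, totp_code(secret, now), now)

    # Passkey-style: genuine origin accepted, look-alike origin rejected, replay rejected.
    ch = rp.new_challenge()
    cd, sig = authenticator_sign(key, "https://login.example.com", ch)
    genuine_accepted = rp.verify_assertion("cred-1", cd, sig)
    ch2 = rp.new_challenge()
    cd2, sig2 = authenticator_sign(key, "https://login-example.com", ch2)  # constructed look-alike
    lookalike_accepted = rp.verify_assertion("cred-1", cd2, sig2)
    replay_accepted = rp.verify_assertion("cred-1", cd, sig)
    return {"totp_accepted": totp_accepted, "genuine_accepted": genuine_accepted,
            "lookalike_rejected": not lookalike_accepted, "replay_rejected": not replay_accepted}


if __name__ == "__main__":
    print(demo())
```

The TOTP function is checked against the RFC 6238 test vectors, so it is a faithful verifier rather than a sketch; the point of the comparison is the set of inputs each verifier sees. `verify_totp` has only the secret, the code and the clock, which is exactly why a code remains valid wherever it was typed. `verify_assertion` additionally sees the origin the browser recorded and a single-use challenge, which is what the ‘phishing-resistant’ label in the text refers to.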
The practicalities of meeting Cyber Essentials mean that MFA requirements should always begin with a full and structured review of user accounts and cloud services.
Our Cyber Tec Cyber Essentials MFA Checklist looks like this:
Uncovering any issues, obstacles or surprises for MFA as soon as possible will lay the foundations for the most successful Cyber Essentials certification process.
Navigating the MFA requirements in Cyber Essentials can be a complex and time-consuming task. Cyber Tec helps clients work towards Cyber Essentials certification through tailored cybersecurity roadmaps that deliver the most practical security to protect key company information, data and assets.
Talk to us today about getting certified or to get support with your MFA implementation.
Yes. MFA is mandatory for cloud services where it is available.
Yes. Under the updated Cyber Essentials requirements, cloud services must use MFA, or the organisation may automatically fail the assessment.
For non-cloud accounts, the requirement is to implement MFA where it is available. This means organisations should enable MFA for in-scope accounts that support it.
Where MFA genuinely cannot be enabled because of vendor limitations, organisations should document the restriction, assess the risk and consider whether an alternative service is needed. However, this should not be treated as a general exemption where MFA is available.
SMS MFA is stronger than password-only access but is not the strongest option. Organisations should consider phishing-resistant MFA for higher-risk accounts, especially administrative accounts, cloud services and systems containing sensitive data.
Phishing-resistant MFA is authentication that is harder for attackers to bypass using phishing or social engineering. Examples may include hardware security keys, passkeys and other methods that do not rely on users entering one-time codes into potentially fake login pages.