
Multi-Factor Authentication (MFA) and Cyber Essentials: Why Partial Deployment Is Not Sufficient


Multi-factor authentication (MFA) is a mandatory control within Cyber Essentials when using cloud services. One of the most common reasons organisations fail their Cyber Essentials assessment is incomplete or selective deployment of MFA.


This article is based on the National Cyber Security Centre (NCSC) guidance Multi-factor authentication for your corporate online services. It explains what is required, why it is required, and why Cyber Essentials controls are not met if MFA is not applied correctly and universally.

If you are completing a Cyber Essentials self-assessment, or responding to assessor feedback, this article should be treated as a baseline reference.



The Core Cyber Essentials Rule on MFA

Under Cyber Essentials:

If a cloud service supports MFA, it must be enabled for all user accounts and all administrator accounts.

This includes:

  • Standard user accounts

  • Privileged or administrator accounts

  • Accounts used for remote access

  • Accounts accessing data or services over the internet


Partial rollout or selective application is not acceptable. If MFA is available but not enforced universally, the Cyber Essentials requirement is not met.

For further context, see the NCSC guidance on why MFA matters.


1. Why MFA Matters

Passwords alone are no longer sufficient to protect cloud services. Credential theft via phishing, malware, or password reuse remains a leading cause of compromise. MFA protects accounts by requiring:

  • Something the user knows (password), and

  • Something the user has or is (authenticator app, hardware token, biometrics)


Cyber Essentials aligns with this guidance. If MFA is not enforced across all eligible accounts, an attacker only needs to compromise one unprotected account to gain a foothold, and the gap alone means the Cyber Essentials requirement is not met. See Why MFA Matters for more detail.


2. Recommended Types of MFA

The NCSC identifies different strengths of MFA and recommends adopting the strongest method a service supports. From strongest to weakest:

  • Hardware security keys (FIDO2/WebAuthn): phishing-resistant, because the credential is bound to the site's origin and cannot be replayed through a look-alike login page

  • Authenticator apps (time-based one-time passwords) and push notifications with number matching: strong, but a one-time code or approval can still be relayed by a real-time phishing proxy

  • SMS or voice codes: the weakest option, also exposed to SIM-swap and interception, but still MFA and far better than a password alone


Cyber Essentials requires that, where a service supports any of these methods, MFA is enabled for all accounts; the choice of a stronger method is an NCSC recommendation on top of that baseline. For a detailed breakdown, see Recommended types of MFA.


3. Mandatory MFA for Sensitive and Administrator Accounts

The NCSC guidance emphasises that MFA must be enforced for sensitive accounts and administrator accounts. Cyber Essentials is explicit:

  • All administrator accounts must have MFA enabled

  • All accounts that can access sensitive data must have MFA enabled

  • Emergency accounts or break-glass accounts must also use MFA


Failing to apply MFA universally results in non-compliance. Reference: Mandating strong MFA for access to sensitive data.


4. Trust in Devices

Some organisations rely on “trusted devices” or domain-joined computers instead of MFA. The NCSC clarifies:

Device trust complements MFA – it does not replace it.

For operational guidance on establishing trust without bypassing MFA requirements, see Gaining trust in devices.


5. Choosing Online Services with the Right Authentication

When selecting cloud services, organisations must ensure MFA is supported and enforced. If a service supports MFA, it must be enabled for all users; if not, the absence must be documented.


6. Avoiding MFA Anti-Patterns

The NCSC highlights common MFA anti-patterns that do not satisfy Cyber Essentials:

  • MFA only for administrators or remote users

  • Optional MFA for standard users

  • Knowledge-based "second factors" such as security questions or memorable words (a second thing the user knows is not a second factor)

  • IP restrictions or device recognition alone

See Avoiding MFA anti-patterns for more information.


7. Implementation and Operational Considerations

Successful MFA implementation requires careful planning and ongoing management:

  1. Inventory all systems and cloud services

  2. Enforce MFA via identity providers where possible

  3. Document any exceptions clearly

  4. Train users on MFA usage and recovery

  5. Monitor and review for anomalies

Full operational guidance can be found in Implementation and operational considerations.
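The inventory, enforcement and review steps above come down to one question an assessor will ask: is every enabled account both registered for a genuine second factor and actually forced to use it? The following added example (not part of the NCSC guidance or this article's original text) audits a constructed account export for exactly that, and ranks registered methods in the order given in section 2. The column names, the method labels and the policy labels (`mfa`, `mfa_and_device`, `mfa_or_device`, `device`, `none`) are assumptions for illustration, not any identity provider's real export format; a real audit would map the provider's own fields onto them.

```python
"""MFA coverage audit over a constructed account export (added example).

Column names, method labels and policy labels are assumptions for
illustration, not any vendor's export format.
"""
import csv
import io
from dataclasses import dataclass

# Strength ranking of registered methods (higher is better). FIDO2/WebAuthn is
# phishing-resistant; one-time codes and push approvals can be relayed through a
# real-time phishing proxy; SMS/voice codes are additionally exposed to SIM swap.
STRENGTH = {
    "fido2": 3,
    "authenticator_totp": 2,
    "push_number_match": 2,
    "sms": 1,
    "voice": 1,
}
# Knowledge factors are never a second factor, whatever the export calls them.
KNOWLEDGE_FACTORS = {"password", "security_questions"}
# Policies under which a sign-in cannot complete without MFA. "mfa_or_device"
# lets device trust stand in for MFA, so it is deliberately not in this set.
ENFORCING_POLICIES = {"mfa", "mfa_and_device"}

# Constructed sample export (not real data).
SAMPLE_EXPORT = """account,role,enabled,methods,policy
alice@example.com,admin,true,fido2|authenticator_totp,mfa_and_device
bob@example.com,user,true,authenticator_totp,mfa
carol@example.com,user,true,sms,mfa
dave@example.com,admin,true,push_number_match,mfa
erin@example.com,user,true,,mfa
frank@example.com,user,true,authenticator_totp,mfa_or_device
grace@example.com,user,true,security_questions,mfa
heidi@example.com,admin,true,fido2,none
svc-backup@example.com,user,false,,none
"""


@dataclass
class Finding:
    account: str
    severity: str  # "fail": Cyber Essentials requirement not met; "warn": weaker than recommended
    reason: str


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def strongest_method(methods):
    """Return (name, strength) of the strongest genuine second factor, or (None, 0)."""
    ranked = [(STRENGTH.get(m, 0), m) for m in methods if m not in KNOWLEDGE_FACTORS]
    ranked = [r for r in ranked if r[0] > 0]  # drop unknown and knowledge-only entries
    if not ranked:
        return (None, 0)
    strength, name = max(ranked)
    return (name, strength)


def audit(rows):
    """Check every enabled account for registration and enforcement gaps."""
    findings = []
    for row in rows:
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot sign in, so they are out of scope
        acct = row["account"].strip()
        methods = [m.strip() for m in row["methods"].split("|") if m.strip()]
        name, strength = strongest_method(methods)
        policy = row["policy"].strip().lower()
        if strength == 0:
            findings.append(Finding(acct, "fail", "no second factor registered"))
            continue
        # Registration without enforcement is the classic partial-deployment gap.
        if policy not in ENFORCING_POLICIES:
            findings.append(Finding(acct, "fail",
                f"MFA registered ({name}) but not enforced by policy '{policy}'"))
        if row["role"].strip().lower() == "admin" and strength < STRENGTH["fido2"]:
            findings.append(Finding(acct, "warn",
                f"administrator without phishing-resistant MFA ({name})"))
        elif strength == 1:
            findings.append(Finding(acct, "warn", f"relies on SMS/voice codes only ({name})"))
    return findings


def meets_cyber_essentials(findings):
    """True only when no enabled account lacks enforced MFA: partial coverage is a fail."""
    return not any(f.severity == "fail" for f in findings)


if __name__ == "__main__":
    results = audit(parse_export(SAMPLE_EXPORT))
    for f in results:
        print(f"{f.severity.upper():4} {f.account}: {f.reason}")
    print("Cyber Essentials MFA control met:", meets_cyber_essentials(results))
```

Two of the four failures in the sample are accounts that do have an authenticator registered: one is excluded from the enforcing policy, the other sits under a policy where a trusted device can satisfy the grant instead of MFA. Both are the situations sections 4 and 6 warn about, and neither shows up in a report that only counts registered users. The SMS-only and non-FIDO2 administrator findings are warnings rather than failures because they still satisfy the Cyber Essentials baseline; they are where the NCSC's "strongest available" recommendation applies.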


Key Takeaways: MFA and Cyber Essentials Compliance

  • MFA must be enabled wherever a cloud service supports it

  • MFA must apply to all users and all administrators

  • Partial deployment does not meet Cyber Essentials requirements

  • Exceptions or delayed rollouts do not remove the compliance obligation


For further reading, the full NCSC collection is available here: Multi-factor authentication for your corporate online services.


If MFA is not applied correctly across all accounts, Cyber Essentials controls are not met, and the assessment will result in non-compliance.
