<< BACK TO BLOG

5 July 2026

Cyber Essentials MFA Requirements: What Every UK Business Needs to Know

Multi-factor authentication is one of the most common reasons businesses fail Cyber Essentials. Here's exactly what MFA is required, where it applies, and how to get compliant.

Multi-factor authentication (MFA) — sometimes called two-factor authentication or 2FA — is one of the most frequently misunderstood requirements in Cyber Essentials v3.3. It is also one of the most common reasons businesses fail their assessment. This guide explains exactly what is required, where it applies, and the most common gaps we see in practice.

What Does Cyber Essentials Require for MFA?

Under Cyber Essentials v3.3 (the current standard as of April 2026), MFA is mandatory in two specific areas:

  1. 1.All cloud services accessible from the internet — including Microsoft 365, Google Workspace, Salesforce, Xero, AWS, Azure, and any other SaaS or cloud platform your business uses.
  2. 2.All remote access methods — including VPN connections, Remote Desktop (RDP), remote management tools, and any other way employees connect to company systems from outside the office.

This applies to ALL user accounts — not just administrators. This is a common misconception. If a standard employee can log into Microsoft 365 without MFA, your business will fail the assessment, regardless of whether admin accounts are protected.

What Counts as MFA?

Cyber Essentials accepts several forms of MFA as compliant:

  • -Authenticator app (e.g. Microsoft Authenticator, Google Authenticator, Authy) — the most common and recommended method.
  • -Hardware security key (e.g. YubiKey) — the most secure option, often used by IT administrators.
  • -SMS one-time code — accepted under CE, though considered less secure than an authenticator app.
  • -Push notification approval via a registered app.

Email-based one-time codes do NOT count as MFA for Cyber Essentials purposes, since email itself may be the account being accessed.

Common MFA Gaps We See

In our pre-checks, these are the MFA gaps that come up most frequently:

  • -MFA enabled for admins only — standard user accounts are left without it.
  • -MFA not enforced via Conditional Access — users can bypass it by connecting from certain locations or devices.
  • -Legacy authentication protocols not blocked — older Microsoft 365 protocols (SMTP, IMAP, POP3) can bypass MFA entirely.
  • -Third-party SaaS tools overlooked — the main M365 or Google login has MFA, but connected apps like Xero, Slack, or Zoom do not.
  • -VPN without MFA — the VPN client accepts username and password only.

How to Enable MFA for Microsoft 365

For Microsoft 365, the recommended approach is to use Azure AD Conditional Access (available on Microsoft 365 Business Premium or higher) to require MFA for all sign-ins. For smaller plans without Conditional Access, enable Security Defaults in the Azure AD portal — this enforces MFA for all users and blocks legacy authentication.

Is Your MFA Set Up Correctly?

Our free pre-check includes specific questions about MFA across cloud services and remote access. If you answer any of them as PARTIAL or NO, we'll flag the exact gap and tell you how to fix it. Book a free 30-minute call and we'll review your MFA configuration with you.

// TAKE THE NEXT STEP

CHECK YOUR READINESS — FREE

Our RADAR_CHECK questionnaire takes 10 minutes. Book a free 30-minute call and we'll walk you through your results and tell you exactly what to fix.

START FREE CHECK >>