You’ve probably come across the term MFA (multi-factor authentication) and are most likely already using it to log into some services, for example online banking (banks were early adopters of this extra layer of security), but you might not be sure exactly what it is or whether you need it. The short answer is YES: if you are Cyber Essentials accredited, you have to implement it by January 2023 (and that includes logging in to your website). If you are not Cyber Essentials accredited, you should still do this as best practice and to add security.

What is Multi Factor Authentication (MFA)?

In simple terms, multi-factor authentication (MFA) adds an extra layer of protection for logging into accounts and is fast becoming the industry standard.

Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.

For example, to log into an online account, you would enter your password (first authentication), and then the system would send a text message to your mobile with a PIN (second authentication). Another common way to authenticate the second time is through an authenticator app like Google Authenticator, Microsoft Authenticator or Authy.

Cyber Essentials and MFA

Backed by government and industry, the Cyber Essentials scheme was launched in 2014 with the objective of helping organisations to protect themselves against a range of common cyberattacks.

It's important to be aware that the NCSC has now updated the Cyber Essentials requirements, and these now include MFA.

The MFA requirement will be marked for compliance from January 2023, which means that if your company is Cyber Essentials/Cyber Essentials Plus accredited, you have to implement MFA on all cloud services by January 2023 to stay compliant.

This includes access to your website when logging into the CMS.


If your company is Cyber Essentials accredited, you have to implement MFA on all cloud services by January 2023 to stay compliant, and that includes logging into the backend of your website.

What are the recent updates to Cyber Essentials?

Six areas of the scheme have been updated, and these are some of the biggest changes we’ve seen since its initial launch. Key changes include the following.

1. Cloud services
All cloud services used by the company are now in scope.

2. Multi-factor authentication (MFA)
Cyber Essentials states that multi-factor authentication (MFA) should be used to provide an extra layer of protection to admin accounts when the user is connecting to any cloud service. The MFA password must be a minimum of eight characters. This will apply to all accounts in 2023.

3. Working from home
If your company has adopted a hybrid working model or if any of your employees ever work from home, any devices they use to access company information or services are in the remit for Cyber Essentials. 
Using a corporate VPN will transfer the boundary to the corporate firewall or virtual cloud firewall. A corporate VPN allows you to provide your employees access to a secure, end-to-end encrypted connection to any cloud resources included in your company’s network.

4. Smart devices
Any smartphone or tablet that is used to connect to your company’s data and services is now in scope of Cyber Essentials. This also applies whether the user connects to the corporate network or via mobile internet (4G or 5G).
When unlocking any device, biometrics or a minimum six-character PIN must now be deployed.

5. Unsupported software
Any software that is used on any in-scope device must be:
• licensed and supported
• removed from the device if it becomes unsupported, and
• removed from scope or segregated from the main network using a defined ‘sub-set’ to prevent any traffic to and from the internet
In addition, automatic updates must be enabled, and the user must update their device within 14 days of the release of any update.

6. Account separation
Separate accounts should be used only to perform administrative activities. By doing this, the administrative account remains separate from avoidable risks such as emailing or web browsing.


©Copyright Moore-Wilson Ltd 2024