
No MFA on your admin login? That is the question Cyber Essentials asks first

Multi-factor authentication on internet-facing services is a core Cyber Essentials requirement, and one stolen password is all it takes without it.

Here's a scenario that plays out often enough to be a pattern, not a one-off: an accountancy firm's cloud accounting software is accessed with a password leaked in an unrelated breach two years earlier. The same password, reused on the accounting platform, still works. There's no second check, no code sent to a phone, nothing standing between a leaked password and full access to client financial records. The firm only finds out when a client queries an invoice the firm never issued.

Multi-factor authentication, MFA, is the single control that stops that scenario cold. It's also one of the most directly asked questions in a Cyber Essentials assessment, because it's one of the clearest indicators of whether a business takes access security seriously at all.

What MFA actually means in practice

Multi-factor authentication requires a second form of verification beyond a password before granting access, typically a code sent to a phone, a push notification to an authenticator app, or a physical security key. The principle is straightforward: a password alone proves you know something, but a second factor proves you also have something, such as a specific device holding a secret that never left it, so a stolen password on its own is no longer enough. The factors are not all equal, though: a six-digit code can still be typed into a convincing phishing page and relayed in real time, whereas a security key is bound to the site it was registered with and will not answer a lookalike.
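To make "proves you have something" concrete, here is what an authenticator app and the server actually compute. This is an added example for this post, not code from the original page or any product it mentions: a standards-based HOTP/TOTP implementation (RFC 4226 and RFC 6238) with a verifier that tolerates one step of clock drift and refuses to accept a code twice. The only secret used is the published RFC test secret, so the values are checkable against the RFC appendices; the base32 string is the same secret in the form an enrolment QR code carries.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded: str) -> bytes:
    """Enrolment QR codes carry the shared secret base32-encoded; decode it to raw bytes."""
    return base64.b32decode(encoded.replace(" ", "").upper())


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of time steps since the epoch.
    Both the phone and the server derive this from the same secret, so nothing is transmitted
    except the short-lived code itself."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns (accepted, counter_to_record).

    - accepts codes within +/- `window` steps to tolerate clock drift on the phone;
    - skips any counter at or below `last_used_counter`, so a code that was already
      accepted (or sniffed and replayed within its 30-second life) is rejected;
    - compares in constant time so a wrong guess leaks nothing about the right code.
    """
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


# RFC 4226 / RFC 6238 test secret, as raw ASCII bytes and as its base32 enrolment form.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    # What the phone shows right now for this secret, and whether the server agrees.
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    accepted, counter = verify_totp(RFC_SECRET, code, now)
    print(f"code={code} accepted={accepted} counter={counter}")
    # Presenting the same code again must fail: the counter has been consumed.
    print("replay accepted:", verify_totp(RFC_SECRET, code, now, last_used_counter=counter)[0])
```

The replay check is the part most home-grown implementations forget: without recording the last accepted counter, an attacker who captures a code from a phishing page can reuse it for the rest of the 30-second window, and the drift window makes that up to 90 seconds.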

Cyber Essentials' self-assessment asks directly: do you use multi-factor authentication on all internet-facing services? Internet-facing means anything accessible from outside your office network: email, cloud accounting software, your CRM, remote desktop access, anything reachable with just a username and password from anywhere in the world.

Why this question carries so much weight

Passwords leak constantly, not necessarily from your business directly, but from any of the dozens of other services your staff have accounts with. When people reuse passwords, which most people do despite knowing better, a breach at an entirely unrelated company can hand an attacker valid credentials for your systems. MFA is the control that makes a leaked password alone insufficient to get in.

This is also why Cyber Essentials treats it as close to non-negotiable. Most other controls reduce risk. MFA on internet-facing services closes off one of the most common and lowest-effort routes attackers actually use: credential stuffing, which is simply replaying leaked username and password pairs against as many login pages as possible and seeing what works.

Where this connects to the rest of access control

MFA answers "can someone get in with just a password." It doesn't answer who has access in the first place, whether that access is appropriately scoped, or what happens when someone leaves. Those are separate questions, covered in our posts on keeping admin accounts separate from standard accounts and removing access immediately when staff leave. Cyber Essentials' CE3 User Access Control covers all of these together, because access security isn't one control, it's several working in combination.

How to actually roll this out

Start with the services that would cause the most damage if compromised: email, since it's often the recovery route into everything else, then financial software, cloud storage, and any remote access tools. Most major platforms (Microsoft 365, Google Workspace, Xero, QuickBooks) support MFA natively, and it's usually a setting an admin can enforce tenant-wide rather than relying on individual staff to switch it on themselves.

Enforce it at the organisation level where the platform allows it. Leaving MFA as optional, available but not required, results in inconsistent adoption, and the one account someone didn't bother enabling it on is exactly the one that ends up compromised.
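Before the assessor samples accounts, it is worth running the same check yourself: export the MFA registration report your identity platform provides and look for the gaps. The script below is an added example for this post, not a tool from the original page or from any vendor named in it. It runs over a constructed sample export; the field names (`user`, `is_admin`, `mfa_registered`, `methods`) and the method labels are assumptions standing in for whatever columns your platform exports, so map them to yours. It flags accounts with no second factor, accounts whose only factor is SMS or voice, and lists administrator accounts first, because those are the ones an assessor and an attacker both go to first.

```python
import json

# Constructed sample export (not real data). Field names are assumptions modelled on a
# typical registration report; adapt the keys and method labels to your platform's export.
SAMPLE_EXPORT = json.dumps([
    {"user": "alice@example.com", "is_admin": True,  "mfa_registered": True,  "methods": ["fido2SecurityKey", "authenticatorApp"]},
    {"user": "bob@example.com",   "is_admin": True,  "mfa_registered": False, "methods": []},
    {"user": "carol@example.com", "is_admin": False, "mfa_registered": True,  "methods": ["sms"]},
    {"user": "dave@example.com",  "is_admin": False, "mfa_registered": True,  "methods": ["authenticatorApp"]},
    {"user": "erin@example.com",  "is_admin": False, "mfa_registered": True,  "methods": []},
    {"user": "frank@example.com", "is_admin": False, "mfa_registered": False, "methods": ["sms"]},
])

# Assumed labels. Anything phishing-resistant or app-based counts as strong; anything that
# rides on the phone network or an inbox counts as weak (still better than nothing).
STRONG_METHODS = {"fido2SecurityKey", "authenticatorApp", "authenticatorPush", "certificate"}
WEAK_METHODS = {"sms", "voice", "email"}


def classify(account: dict) -> str:
    """NO_MFA, WEAK_ONLY, STRONG or UNKNOWN for one account.

    An export can be internally inconsistent (registered=True with no methods, or methods
    listed but registered=False); treat either as not enforced rather than trusting the flag.
    """
    methods = set(account.get("methods") or [])
    if not account.get("mfa_registered") or not methods:
        return "NO_MFA"
    if methods & STRONG_METHODS:
        return "STRONG"
    if methods & WEAK_METHODS:
        return "WEAK_ONLY"
    return "UNKNOWN"


def audit(export_json: str) -> dict:
    """Return findings sorted so admin accounts come first within each severity."""
    accounts = json.loads(export_json)
    findings = []
    for acct in accounts:
        status = classify(acct)
        if status != "STRONG":
            findings.append({"user": acct["user"], "is_admin": bool(acct.get("is_admin")), "status": status})
    severity = {"NO_MFA": 0, "UNKNOWN": 1, "WEAK_ONLY": 2}
    findings.sort(key=lambda f: (severity[f["status"]], not f["is_admin"], f["user"]))
    return {
        "total_accounts": len(accounts),
        "no_mfa": sum(1 for f in findings if f["status"] == "NO_MFA"),
        "weak_only": sum(1 for f in findings if f["status"] == "WEAK_ONLY"),
        "admins_without_mfa": [f["user"] for f in findings if f["is_admin"] and f["status"] == "NO_MFA"],
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print(f"{report['total_accounts']} accounts, {report['no_mfa']} without MFA, "
          f"{report['weak_only']} SMS/voice only")
    for f in report["findings"]:
        print(f"  {'ADMIN ' if f['is_admin'] else '      '}{f['user']:<22} {f['status']}")
```

Zero entries under `no_mfa`, and in particular an empty `admins_without_mfa`, is the evidence that enforcement is real rather than a policy on paper; the `weak_only` list is your next round of work.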

Frequently asked questions

Is MFA the same thing as two-factor authentication, or 2FA? They're effectively the same concept; 2FA is a subset of MFA using exactly two factors, while MFA is the broader term that can include more than two.

Which is more secure, SMS codes or an authenticator app? Authenticator apps and physical security keys are generally considered stronger than SMS, since SMS can be intercepted through SIM-swapping attacks, though SMS-based MFA is still meaningfully better than no MFA at all. Plain push approvals have a weakness of their own: an attacker with the password can send prompts until someone taps approve, so prefer apps that require number matching, or a security key, which cannot be approved by mistake.

Do I need MFA on internal-only systems too, or just internet-facing ones? Cyber Essentials' specific requirement focuses on internet-facing services, but extending MFA to internal systems where practical is good additional practice.

What if a staff member loses their phone and can't access their authenticator app? Most platforms offer backup codes or an account recovery process for this scenario; it's worth setting these up in advance rather than discovering the process during an actual lockout.

Will assessors check every single account, or just ask if a policy exists? Assessors typically ask whether MFA is enforced as policy across internet-facing services and may sample specific accounts or systems to confirm it's actually applied, not just stated.

Run a free scan of your domain and your CE Readiness checklist will walk through this and the rest of CE3 User Access Control, ready before your assessor asks: olimpio.io/free-scan

Want to see what attackers see?

Scan your domain for free — no setup, no technical knowledge needed, results in ~20 minutes. No card required.
