Multi-Factor Authentication for Business UK: 7-Step MFA Plan

Your insurance renewal lands on your desk. Buried in clause 14 is a Cyber Essentials condition you skimmed last year.

This year, the rules have changed. For UK firms, multi-factor authentication is now required on every user account of every internet-facing cloud service.

Partial MFA on email is no longer enough. Every cloud app your team logs into is in scope.

This guide gives you the exact 7-step rollout we use with London and Kent SMEs. You will finish reading with a clear path to compliance and zero guesswork.

What Cyber Essentials Now Requires for MFA

Cyber Essentials requires multi-factor authentication on all internet-facing user accounts and cloud services. Approved methods include authenticator apps, hardware security keys, biometrics, and managed device authentication. SMS codes are permitted but no longer treated as best practice by IASME or the NCSC.

What changed in the 2025 update

The scheme is run by IASME on behalf of the NCSC and its requirements are revised periodically. The MFA requirement covers all user accounts on cloud services, not just admin accounts, and the accepted methods now include passwordless options such as passkeys and hardware security keys.

That means Microsoft 365, Google Workspace, Xero, HubSpot, Dropbox, and any other internet-facing tool your team uses. Every standard user account needs a second factor, not only the admins.

Why MFA matters in 2026

Credential-based attacks remain the top route into UK businesses. According to the Verizon Data Breach Investigations Report, stolen credentials drive a large share of confirmed breaches.

MFA blocks the vast majority of these attacks. Microsoft has reported that MFA stops more than 99.9% of automated account-compromise attempts.

Multi-Factor Authentication for Business UK: The 7-Step Rollout Plan

This is the sequence our engineers use on client rollouts. Most SMEs complete it in two to six weeks.

  1. Audit every cloud app your team uses
  2. Choose your MFA methods and set a default
  3. Lock down admin and break-glass accounts first
  4. Configure MFA in Microsoft 365 or Google Workspace
  5. Roll out to the wider cloud app estate
  6. Communicate, pilot, then enforce
  7. Document, test, and maintain

Step 1: Audit every cloud app your team uses

Scope discovery is where most DIY rollouts fail. Shadow IT hides everywhere.

A typical 25-person SME uses between 18 and 35 cloud apps. Many of them sit outside any IT inventory.

Pull data from three sources to build a real list:

  • Single sign-on logs, if you have SSO in place
  • The last six months of expense and card statements
  • A short staff survey asking what tools they use daily

For each app, record the user count, the admin owner, and whether MFA is supported. This audit becomes your rollout backlog.
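The discovery step above produces three lists with three naming conventions, and the hard part is collapsing them into one backlog. The script below, an added example and not GR.IT's own tooling, does that merge in PowerShell. All three CSV inputs are constructed sample data; in a real audit you would export them from your SSO console, your card statements and your survey tool. The app names, owners and e-mail addresses are placeholders.

```powershell
# Added example, not GR.IT's tooling: merge the three Step 1 sources into one
# rollout backlog. All three CSV inputs below are constructed sample data; in a
# real audit export them from your SSO console, card statements and survey tool.

$ssoApps = @'
AppName,UserCount,Owner,MfaSupported
Microsoft 365,25,it@example.co.uk,Yes
Xero,4,finance@example.co.uk,Yes
HubSpot,9,sales@example.co.uk,Yes
'@

$cardStatements = @'
Date,Merchant,Amount
2025-09-03,DROPBOX*PLUS,9.99
2025-09-12,HUBSPOT INC,450.00
2025-10-01,CANVA* PRO,10.99
2025-10-14,DROPBOX*PLUS,9.99
'@

$survey = @'
Respondent,ToolsUsedDaily
alice,"Microsoft 365; Xero; Canva"
bob,"Microsoft 365; HubSpot; LegacyTimesheets"
'@

function Get-AppKey {
    # Normalise "DROPBOX*PLUS", "CANVA* PRO" and "Canva" to one key so the
    # same app seen in different sources lands on one backlog row.
    param([string]$Name)
    $key = $Name -replace '\*.*$', ''                    # drop card-processor suffix
    $key = $key -replace '\s+(inc|ltd|pro|plus)\s*$', '' # drop legal/plan suffixes
    return $key.Trim().ToLowerInvariant()
}

function Build-AppBacklog {
    param([string]$SsoCsv, [string]$CardCsv, [string]$SurveyCsv)

    $backlog = @{}
    function Add-Entry {
        param($Name, $Source, $Users, $Owner, $Mfa)
        $key = Get-AppKey $Name
        if (-not $backlog.ContainsKey($key)) {
            $backlog[$key] = @{
                App = $Name; Sources = @(); UserCount = 0; Owner = $null; MfaSupported = 'Unknown'
            }
        }
        $e = $backlog[$key]
        if ($Source -ne 'Card') { $e.App = $Name }          # prefer a human name over a merchant string
        if ($e.Sources -notcontains $Source) { $e.Sources += $Source }
        if ($Users -and [int]$Users -gt $e.UserCount) { $e.UserCount = [int]$Users }
        if ($Owner) { $e.Owner = $Owner }
        if ($Mfa)   { $e.MfaSupported = $Mfa }
    }

    foreach ($r in ($SsoCsv | ConvertFrom-Csv))  { Add-Entry $r.AppName 'SSO' $r.UserCount $r.Owner $r.MfaSupported }
    foreach ($r in ($CardCsv | ConvertFrom-Csv)) { Add-Entry $r.Merchant 'Card' }
    foreach ($r in ($SurveyCsv | ConvertFrom-Csv)) {
        foreach ($tool in ($r.ToolsUsedDaily -split ';')) { Add-Entry $tool.Trim() 'Survey' }
    }

    foreach ($e in $backlog.Values) {
        [pscustomobject]@{
            App          = $e.App
            Sources      = ($e.Sources | Sort-Object) -join '+'
            UserCount    = $e.UserCount
            Owner        = $e.Owner
            MfaSupported = $e.MfaSupported                 # 'Unknown' rows need a check before Step 5
            ShadowIT     = ($e.Sources -notcontains 'SSO')  # never seen by the identity provider
        }
    }
}

Build-AppBacklog -SsoCsv $ssoApps -CardCsv $cardStatements -SurveyCsv $survey |
    Sort-Object ShadowIT -Descending | Format-Table -AutoSize
```

With the sample data, Dropbox and Canva surface only from card statements and LegacyTimesheets only from the survey, so all three are flagged as shadow IT with MFA support unknown; those rows are the ones to chase first. Pipe the output to Export-Csv to produce the backlog file you carry into Step 5.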

Step 2: Choose your MFA methods and set a default

Pick a default method that fits how your team works. For most UK SMEs, an authenticator app is the right starting point.

Use this hierarchy when making the choice:

Method | Phishing-resistant? | Cyber Essentials compliant? | Best for
Passkeys / FIDO2 security keys | Yes | Yes | Admins, finance, directors
Authenticator app (push or TOTP code) | No | Yes | Most staff, default choice
Biometrics on a managed device (Windows Hello for Business, platform passkeys) | Yes | Yes | Field staff, laptops
SMS one-time code | No | Permitted, not recommended | Fallback only

An authenticator app defeats password-only attacks, and number matching blunts push-fatigue attacks, but a real-time adversary-in-the-middle phishing page still relays the one-time code or approval prompt to the real service. That is why the roles attackers target most go on passkeys or security keys, which are bound to the genuine site.

SMS is acceptable as a fallback for staff who cannot install an app. It is not strong enough for admins or finance roles: SIM swap, SS7 interception and real-time phishing all defeat it.

First-hand tip: BYOD pushback is the most common blocker we see. Set out a written policy before enforcement so staff know what is required and why.

Step 3: Lock down admin and break-glass accounts first

Admin accounts are the highest-value target for attackers. Secure them before you touch a single end user.

Three actions to take this week:

  • Issue hardware security keys to every global or super admin
  • Create two cloud-only break-glass accounts with long, unique, randomly generated passwords, and exclude them from every Conditional Access policy so a policy mistake cannot lock the whole tenant out
  • Store break-glass credentials in a sealed envelope or physical safe, and alert on every sign-in by those accounts; they should only ever be used in a test or a genuine emergency

Apply Conditional Access in Microsoft 365 Business Premium to require phishing-resistant authentication for all admin role sign-ins. Google Workspace customers should set 2-Step Verification enforcement for the admin organisational unit to security keys only, and use context-aware access to gate the sensitive apps those admins reach.

Ask yourself one question. If your only global admin loses their phone at 6pm on a Friday, can your business still operate on Monday?

Step 4: Configure MFA in Microsoft 365 or Google Workspace

Your core productivity platform is the biggest single win. Most user accounts and most data sit here.

Microsoft 365 customers

Security Defaults switches MFA on for the whole tenant in minutes: every user must register a second factor, admins are challenged on every sign-in, other users are challenged when Microsoft's signals call for it, and legacy authentication is blocked. It cannot be tuned, so it suits businesses under 25 staff with no exceptions to manage.

Conditional Access policies give you finer control: require MFA on every sign-in for every user, demand a phishing-resistant method for admin roles through an authentication strength, and set how often a session must re-authenticate. Risk-based policies, which require MFA only on risky sign-ins, need Microsoft Entra ID P2, which Business Premium does not include. Be wary of a blanket exclusion for trusted office IP addresses: the requirement covers every user account on cloud services, and an exclusion is a gap you will have to explain to the assessor. Keep the break-glass accounts excluded from every policy, and switch Security Defaults off before the first policy is enabled, since the two cannot run together.
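The two policies that Steps 3 and 4 describe for Microsoft 365 can be created from the command line with Microsoft Graph PowerShell. The script below is an added example, not GR.IT's tooling or Microsoft's documentation. It assumes Microsoft 365 Business Premium (Microsoft Entra ID P1), the Microsoft.Graph module installed, and that the two break-glass accounts already exist under the placeholder UPNs shown; the policy names are placeholders too. Both policies are created in report-only mode so you can review their effect before enforcing.

```powershell
# Added example, not GR.IT's tooling: create the Step 3 and Step 4 Conditional
# Access policies with Microsoft Graph PowerShell, report-only first.
# Assumes Business Premium (Entra ID P1) and: Install-Module Microsoft.Graph -Scope CurrentUser
# Break-glass UPNs and policy names are placeholders.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All' -NoWelcome

# Break-glass accounts are excluded from every policy so a bad policy cannot lock out the tenant.
$breakGlassUpns = @('bg-admin-1@example.onmicrosoft.com', 'bg-admin-2@example.onmicrosoft.com')
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id).Id
})
if ($breakGlassIds.Count -ne $breakGlassUpns.Count) {
    throw 'Create both break-glass accounts before applying policies.'
}

# Built-in Global Administrator role template ID (same in every tenant).
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'
# Built-in authentication strength "Phishing-resistant MFA" (FIDO2 key, passkey, Windows Hello for Business).
$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'

function New-CaPolicy {
    param([string]$Name, [hashtable]$Users, [hashtable]$Grant)
    $body = @{
        displayName = $Name
        # Report-only: check the sign-in log "Report-only" tab, then change state to 'enabled'.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = $Users
            applications   = @{ includeApplications = @('All') }   # every cloud app, Step 4 scope
            clientAppTypes = @('all')
        }
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Step 4: every user, every cloud app, MFA with any registered method.
New-CaPolicy -Name 'CE - Require MFA for all users' `
    -Users @{ includeUsers = @('All'); excludeUsers = $breakGlassIds } `
    -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# Step 3: admin roles must satisfy the phishing-resistant authentication strength.
New-CaPolicy -Name 'CE - Phishing-resistant MFA for admins' `
    -Users @{ includeRoles = @($globalAdminRole); excludeUsers = $breakGlassIds } `
    -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $phishingResistantStrength } }
```

Add further role template IDs (Exchange, SharePoint, Security Administrator and so on) to includeRoles as you extend the admin policy; every admin needs a key enrolled before the policy moves from report-only to enabled, or that admin is locked out. Security Defaults must be off before the first policy is enabled.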

Google Workspace customers

Enforce 2-Step Verification across the organisation. Add security keys for admins and use context-aware access for sensitive apps.

Export evidence after enforcement, not just sign-in logs. In Microsoft 365 the authentication methods user registration report shows per-user MFA status; in Google Workspace the user security report shows 2-Step Verification enrolment and enforcement. Your Cyber Essentials assessor will want evidence that MFA is active across all users, and a per-user report is easier to defend than a screenshot of a single prompt.

Step 5: Roll out to the wider cloud app estate

This is where rollouts stall. You have 20 other apps to configure, each with its own admin console.

Sequence them by risk, not by ease:

  1. Finance tools first, such as Xero, QuickBooks, and Sage
  2. HR and payroll platforms next
  3. CRM and customer data tools after that
  4. File storage and collaboration tools last

Some older apps will not support modern MFA. Document the exception, restrict access, and plan a replacement.

Larger SMEs should consider single sign-on. Pushing 30 apps behind one identity provider cuts both compliance work and admin time.

Step 6: Communicate, pilot, then enforce

MFA rollouts fail on the human side more often than the technical side. Plan the comms before the enforcement date.

  • Select a pilot group of five to ten users, including volunteers and skeptics
  • Send a clear email explaining what is changing, when, and why
  • Run a 20-minute live setup session for anyone uncertain
  • Set a help desk window for the first 48 hours after enforcement

Never enforce on a Friday afternoon. You will spend the weekend resetting accounts.

Step 7: Document, test, and maintain

Compliance is not a one-off project. Your assessor will ask for evidence at certification and again at renewal.

Build a simple evidence pack containing:

  • Your written MFA policy and acceptable methods
  • Screenshots showing enforcement in M365 or Google Workspace
  • An exception register for apps without modern MFA
  • A break-glass test log, reviewed at least once a year

Review the cloud app inventory every quarter. New tools creep in fast, and each new app is a new gap.
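The evidence pack above is mostly reports, and the two that matter most in a Microsoft 365 tenant can be pulled by script: the per-user MFA registration report the assessor expects (Step 4 and the screenshots item above) and the break-glass sign-in history that backs the break-glass test log. The script below is an added example, not GR.IT's tooling; the break-glass UPNs, the 90-day window and the output filename are placeholders, and it assumes the Microsoft.Graph module is installed.

```powershell
# Added example, not GR.IT's tooling: pull the Step 7 evidence from Microsoft Graph.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser. UPNs, window and path are placeholders.

Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$breakGlassUpns = @('bg-admin-1@example.onmicrosoft.com', 'bg-admin-2@example.onmicrosoft.com')

# 1. Per-user MFA registration: this report, not a prompt screenshot, is the core of the evidence pack.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable, DefaultMfaMethod,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } }

$registration | Export-Csv -NoTypeInformation -Path .\ce-mfa-registration.csv

# Anyone not MFA-capable is a certification gap; an admin whose only second factor is a phone is a weaker one.
$gaps = @($registration | Where-Object { -not $_.IsMfaCapable -and $_.UserPrincipalName -notin $breakGlassUpns })
$phoneOnlyAdmins = @($registration | Where-Object {
    $_.IsAdmin -and $_.Methods -match 'mobilePhone' -and $_.Methods -notmatch 'fido2|passKey|windowsHello'
})
Write-Host ("{0} users with no usable MFA method; {1} admins relying on a phone number" -f $gaps.Count, $phoneOnlyAdmins.Count)
$gaps | Format-Table UserPrincipalName, IsMfaRegistered, Methods -AutoSize

# 2. Break-glass sign-ins over the last 90 days: expect exactly the documented test and nothing else.
$since = (Get-Date).AddDays(-90).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$breakGlassActivity = foreach ($upn in $breakGlassUpns) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All |
        ForEach-Object {
            [pscustomobject]@{
                User   = $upn
                When   = $_.CreatedDateTime
                App    = $_.AppDisplayName
                IP     = $_.IPAddress
                Result = if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failed ($($_.Status.ErrorCode))" }
            }
        }
}
$breakGlassActivity | Export-Csv -NoTypeInformation -Path .\ce-break-glass-signins.csv
$breakGlassActivity | Format-Table -AutoSize
```

Any break-glass sign-in that does not line up with an entry in your test log is an incident, not an evidence item; the same query run on a schedule is the cheapest alert you can build for those accounts. Re-run the registration export after each quarterly inventory review so the pack at renewal matches the tenant as it is, not as it was at certification.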

How Long and How Much MFA Implementation Costs UK SMEs

A typical 25-seat UK business completes a full MFA rollout in around two weeks. A 100-seat business usually takes four to six weeks.

Costs break down into three areas:

  • Licensing, such as upgrading from Microsoft 365 Business Standard to Business Premium for Conditional Access
  • Hardware keys at around £25 to £50 each for admins and senior staff
  • Engineer time, whether in-house or partner-led

Most SMEs can use the MFA built into their existing licences. The hidden cost of a DIY rollout is lockouts, downtime, and a missed certification deadline.

Common Mistakes That Fail the Cyber Essentials Assessment

Most failed assessments share the same five mistakes. Check your rollout against this list before submission.

  • Forgetting shared mailboxes and service accounts: a shared mailbox whose account can still sign in is a password-only account in scope, so block its sign-in rather than enrolling it, and put service accounts on the exception register with compensating controls
  • Leaving the “remember this device” window set to 30 days or more
  • Missing MFA on a legacy on-premise mail server or VPN
  • No written documentation, even when MFA is configured correctly
  • Allowing personal Microsoft or Google accounts on company devices

Each of these is fixable in under an hour. Catching them before the assessor does saves a costly resubmission.
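The shared-mailbox mistake is the easiest of the five to find by script. The function below, an added example rather than GR.IT's tooling, lists every Exchange Online shared mailbox whose Microsoft Entra account still allows interactive sign-in and, with the -Block switch, disables that sign-in. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the caller has rights to read mailboxes and update users. Shared mailbox access through delegated permissions keeps working after the account is blocked; only the direct password sign-in goes away.

```powershell
# Added example, not GR.IT's tooling: find shared mailboxes that can still sign in directly.
# Assumes: Install-Module ExchangeOnlineManagement, Microsoft.Graph. Report by default; -Block disables sign-in.

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users

function Get-SignInEnabledSharedMailbox {
    param([switch]$Block)

    Connect-ExchangeOnline -ShowBanner:$false
    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $shared) {
        # ExternalDirectoryObjectId is the Entra object ID of the account behind the mailbox.
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id, UserPrincipalName, AccountEnabled
        if (-not $user.AccountEnabled) { continue }   # already blocked, nothing to report

        if ($Block) {
            # Disabling the account stops password sign-in; delegates still open the mailbox.
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
        }
        [pscustomobject]@{
            SharedMailbox = $mbx.PrimarySmtpAddress
            Account       = $user.UserPrincipalName
            Action        = if ($Block) { 'Sign-in blocked' } else { 'Sign-in enabled (report only)' }
        }
    }
}

Get-SignInEnabledSharedMailbox | Format-Table -AutoSize   # review first
# Get-SignInEnabledSharedMailbox -Block                    # then enforce
```

Run the report-only form first and check with the mailbox owners that nothing signs in to those accounts directly (a scanner or line-of-business app occasionally does). Anything that genuinely needs the account to sign in is a service account, and belongs on the exception register with its own compensating control rather than on a shared mailbox.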

When to Bring in a Partner for Your MFA Rollout

Some businesses are ready to handle MFA in-house. Others should not try.

Bring in a partner if any of these apply to you:

  • You have no dedicated IT support
  • You use more than 20 cloud apps
  • Your last Cyber Essentials submission was rejected
  • Your renewal deadline is under six weeks away

Speed of support matters most in the first 48 hours after enforcement, when lockouts happen. At GR.IT, 98% of our calls are answered in 15 seconds. When your finance director cannot log in on a Monday morning, that response time is the difference between a delayed payroll run and business as usual. Our Cyber Security services team has run this rollout across dozens of London and Kent SMEs.

Frequently Asked Questions

Is multi-factor authentication mandatory for Cyber Essentials in the UK?

Yes. Cyber Essentials requires MFA on all internet-facing user accounts and cloud services accessed from the internet. This covers Microsoft 365, Google Workspace, and any other business cloud apps. Both standard and admin accounts must have MFA enabled to pass certification.

Does SMS count as MFA for Cyber Essentials?

SMS one-time codes are permitted under Cyber Essentials but no longer recommended. SMS is vulnerable to SIM-swap and phishing attacks. Authenticator apps, hardware security keys, and passkeys are the preferred methods for UK businesses today.

How long does an MFA rollout take for a UK SME?

A 25-seat UK business can complete a full MFA rollout in around two weeks. That includes app discovery, configuration, pilot testing, and user comms. Larger SMEs of 100 seats usually take four to six weeks from scoping to enforcement.

What is the difference between MFA and 2FA?

2FA uses exactly two factors to verify identity, such as a password plus a code. MFA uses two or more factors and may include biometrics, hardware keys, or contextual signals like device or location. In practice, the terms are often used interchangeably.

How much does MFA implementation cost a UK SME?

MFA itself is free with most existing Microsoft 365 or Google Workspace licences. Extra costs come from optional upgrades such as Business Premium for Conditional Access, hardware keys at £25 to £50 each, and engineering time if you use a managed IT partner.

Get Your Cyber Essentials MFA Rollout Right First Time

Cyber Essentials has shifted from an annual form to an operational programme. Getting MFA right protects your data, your insurance position, and your client contracts.

A proper rollout takes weeks, not months, when the sequence is clear.

Ready to map your cloud app estate? Book a 30-minute Cyber Essentials readiness call with GR.IT. We will identify your gaps, give you a costed rollout plan, and pick up in 15 seconds when you need us. Visit our contact page or call our IT support team across London and Kent to start.

What cloud apps does your team use most? Tell us, and we will do the rest.
