What Is Multi-Factor Authentication (MFA) and Why Does My Business Need It?

Hardware security keys (FIDO2/WebAuthn) offer the highest security as they are phishing-resistant and cannot be intercepted remotely. Authenticator apps are the recommended standard for most businesses, providing strong protection without hardware costs. SMS-based codes are the weakest option due to SIM-swapping vulnerabilities, though they are still far better than no MFA. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025).

Yes. Since the 2023 scheme update, MFA is mandatory for all cloud service accounts and administrator accounts within the Cyber Essentials scope. Failure to implement MFA is one of the most common reasons for assessment failure. Cyber Essentials certified organisations are 92% less likely to claim on cyber insurance (IASME), and MFA is the single control most responsible for that reduced risk.

A phased rollout works best: start with administrator and privileged accounts, then extend to all users over two to three weeks with clear guidance and support. Use Conditional Access policies to enforce MFA based on risk — for example, requiring it for remote access or unfamiliar devices. BEC attacks increased 33% in 2025 (FBI IC3 Report), so prioritising email and financial system access for MFA enforcement yields the greatest security return.