Cyber Essentials Closes the MFA Loophole but Leaves some Organisations Adrift


ComputerWeekly – DevOps, Apr 16, 2026


Why It Matters

MFA becomes non‑negotiable, so organisations that cannot deploy it risk losing certification, the government contracts that depend on it, and the security credibility the scheme provides.

Key Takeaways

  • Cyber Essentials v3.3 makes MFA on cloud services a pass/fail requirement.
  • A train operator and a charity risk losing certification under the new rule.
  • Shared terminals and volunteer staff make phone‑based MFA hard to deploy.
  • FIDO2 badge‑tap authentication with a PIN satisfies MFA quickly in such environments.
  • A guidance gap leaves organisations scrambling for compliant solutions.

Pulse Analysis

The UK’s Cyber Essentials scheme has long been a baseline for cyber hygiene, especially for firms seeking government contracts. Version 3.3 upgrades multi‑factor authentication (MFA) from a recommendation to a binary pass‑or‑fail rule. Any in‑scope cloud service used without MFA enabled now triggers an automatic failure, regardless of other controls. The National Cyber Security Centre (NCSC) views MFA as the most reliable defence against credential stuffing and phishing, and the change aims to raise the overall security of the public‑sector supply chain. The move also aligns the UK scheme with EU and US practice that treats MFA as mandatory for high‑risk services.

The mandate collides with operational realities in sectors that rely on shared workstations or high‑turnover volunteers. A South‑East train operator must keep control‑room terminals ready for immediate use; a token prompt at the wrong moment could delay a safety‑critical decision. A nationwide charity staffing hundreds of high‑street shops with volunteers finds provisioning personal phones or authenticator apps costly and logistically hard. Under version 3.2 both could still pass by marking MFA non‑fatal. Without sector‑specific guidance, they now risk losing certification, threatening government contracts and essential revenue. Both organisations rely on Cyber Essentials to demonstrate due diligence, so the looming failure is a strategic risk rather than a paperwork problem.

FIDO2 authentication, already proven in healthcare and retail, offers a practical route through. An NFC‑enabled badge tapped on a reader, combined with a short PIN, delivers two factors (possession of the badge, knowledge of the PIN) in under two seconds, preserving speed on shared terminals while tying each login to a uniquely enrolled user. Because the authenticator signs over a hash of the site’s identifier, the credential also cannot be replayed against a look‑alike phishing site, which one‑time codes cannot guarantee. The scheme’s documentation merely acknowledges FIDO2 as acceptable, without detailing deployment for shift‑based or volunteer‑heavy operations. Closing this guidance gap would keep organisations compliant without diluting the standard, and published case studies could accelerate cost‑effective adoption across the public‑sector supply chain. Industry bodies and certification auditors should publish step‑by‑step guides to speed the rollout.
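The checks a relying party must make on each badge tap are what turn "tap plus PIN" into two factors and a unique user. The following is an added example written for this page, not code from Cyber Essentials, the NCSC or Computer Weekly. It parses the WebAuthn authenticatorData (rpIdHash, flags, signature counter), insists on the user‑verified flag that a PIN entry sets, checks the origin and challenge, and rejects a counter that fails to advance. The relying‑party name `ops.example`, the credential IDs and the keys are assumed; the signature step is an HMAC placeholder so the script runs on the standard library alone, where a production deployment verifies ECDSA or EdDSA over exactly the same bytes with a library such as python-fido2.

```python
"""Relying-party checks on a FIDO2/WebAuthn assertion from a shared terminal.

Added example; not code from the Cyber Essentials scheme, the NCSC or the
organisations in the article. Signature verification is an HMAC placeholder
so the script runs offline; a real RP verifies ECDSA/EdDSA over the same bytes.
"""
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

FLAG_UP = 0x01  # user present: the badge was tapped on the reader
FLAG_UV = 0x04  # user verified: the authenticator checked the PIN


@dataclass
class Credential:
    user: str
    key: bytes       # placeholder for the COSE public key stored at enrolment
    sign_count: int  # last signature counter accepted for this credential


@dataclass
class Result:
    ok: bool
    user: Optional[str]
    reason: str


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4, big-endian), as the badge emits it."""
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def placeholder_sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for the badge's ECDSA signature (HMAC keeps the demo offline)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def placeholder_verify(key: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(placeholder_sign(key, message), sig)


def verify_assertion(creds: Dict[bytes, Credential], rp_id: str, origin: str,
                     challenge: str, credential_id: bytes, auth_data: bytes,
                     client_data_json: bytes, signature: bytes,
                     require_uv: bool = True) -> Result:
    cred = creds.get(credential_id)
    if cred is None:
        return Result(False, None, "unknown credential id")
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return Result(False, None, "clientDataJSON not parseable")
    if (client.get("type") != "webauthn.get" or client.get("origin") != origin
            or client.get("challenge") != challenge):
        return Result(False, None, "clientData type/origin/challenge mismatch")
    if len(auth_data) < 37:
        return Result(False, None, "authenticatorData too short")
    flags = auth_data[32]
    count = struct.unpack(">I", auth_data[33:37])[0]
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(rp_id)):
        return Result(False, None, "rpIdHash mismatch: assertion made for another site")
    if not flags & FLAG_UP:
        return Result(False, None, "user presence flag clear: no badge tap")
    if require_uv and not flags & FLAG_UV:
        return Result(False, None, "user verification flag clear: tap without PIN is one factor")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not placeholder_verify(cred.key, signed, signature):
        return Result(False, None, "signature does not verify")
    # WebAuthn: once either side's counter is non-zero it must strictly increase.
    if (count or cred.sign_count) and count <= cred.sign_count:
        return Result(False, None, "signature counter did not advance: replay or cloned badge")
    cred.sign_count = count
    return Result(True, cred.user, "ok")


def demo() -> List[Result]:
    """Constructed scenarios for one shared control-room terminal (assumed names)."""
    rp_id, origin = "ops.example", "https://ops.example"
    alice_key = b"alice-enrolment-secret"   # placeholder for her registered public key
    creds = {b"cred-alice": Credential("alice", alice_key, sign_count=10)}
    challenge = "c2VydmVyLW5vbmNl"          # fresh per-login nonce issued by the server
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    client_hash = hashlib.sha256(client).digest()

    def attempt(rp: str, flags: int, count: int, key: bytes = alice_key) -> Result:
        ad = make_authenticator_data(rp, flags, count)
        sig = placeholder_sign(key, ad + client_hash)
        return verify_assertion(creds, rp_id, origin, challenge, b"cred-alice", ad, client, sig)

    return [
        attempt(rp_id, FLAG_UP | FLAG_UV, 11),                  # badge + PIN, counter advanced
        attempt(rp_id, FLAG_UP, 12),                            # badge tapped, no PIN
        attempt(rp_id, FLAG_UP | FLAG_UV, 11),                  # replayed counter value
        attempt("evil.example", FLAG_UP | FLAG_UV, 13),         # assertion for another site
        attempt(rp_id, FLAG_UP | FLAG_UV, 14, key=b"wrong"),    # forged signature
    ]


if __name__ == "__main__":
    for r in demo():
        print("ACCEPT" if r.ok else "REJECT", r.user, r.reason)
```

Only the first scenario is accepted, and it is accepted as a named user, which is what an assessor needs to see on a shared terminal. The rejections are the failure modes that matter in practice: a tap without a PIN is one factor, a repeated counter indicates a replayed or cloned badge, and an assertion whose rpIdHash belongs to another site cannot be relayed from a phishing page.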

