Last updated on August 13, 2025
Cyber Essentials Plus is a UK government-backed scheme that helps organizations improve their cybersecurity. It allows businesses to demonstrate their commitment to protecting their data and systems. Cyber Essentials Plus is an extension of the Cyber Essentials scheme, which requires organizations to implement five basic technical controls: secure configuration, boundary firewalls, access control, patch management, and malware protection.
One of the main differences between Cyber Essentials and Cyber Essentials Plus is that the latter requires hands-on technical verification by an external auditor. This auditor will test the effectiveness of the implemented controls. Another difference is that Cyber Essentials Plus has more stringent requirements for multi-factor authentication (MFA). MFA is a method of verifying a user’s identity by using two or more factors, such as a password, a device, a token, or a biometric.
In this article, we will explain what MFA is, why it is important for Cyber Essentials certification, what are the specific requirements for MFA in Cyber Essentials Plus, and how Rublon MFA can help you meet those requirements and achieve certification.
What is MFA and Why is it Important?
MFA stands for multi-factor authentication, which means using two or more factors to verify a user’s identity before granting access to a system or service. The factors are usually classified into three categories:
- Something you know, typically a password, a PIN, or a security question
- Something you have, such as a smartphone, a tablet, or a physical FIDO token
- Something you are, such as a fingerprint, a face scan, or an iris scan
By using MFA, you can add an extra layer of security to your accounts and prevent unauthorized access in case your password is compromised or stolen. Phishing-Resistant MFA can also protect you from phishing attacks. Phishing scams are attempts to trick you into revealing your credentials or personal information by impersonating a legitimate entity.
MFA is crucial for protecting your most sensitive data and accounts, such as your primary email, your financial accounts, and your health records. It is also vital for protecting your administrative accounts and accounts that are accessible from the internet, such as VPNs, remote desktops, web portals, and more.
The National Cyber Security Centre (NCSC) recommends using MFA wherever possible and choosing the most secure and convenient option for your users and organization.
What are the Requirements for MFA in Cyber Essentials Plus?
According to the Cyber Essentials Plus scheme requirements document, organizations must:
- Implement MFA, where available. Authentication to cloud services must always use MFA
- Use MFA to provide additional protection to administrative accounts and accounts that are accessible from the internet
- Choose the password element of the MFA approach to have a length of at least 8 characters with no maximum length restrictions
- Choose the additional factor from one of the following options: a managed/enterprise device; an app on a trusted device; a physically separate token; or a known or trusted account
- Ensure that the additional factors are usable and accessible to the users
The requirements for MFA in Cyber Essentials Plus are designed to ensure that organizations have a robust and reliable authentication process that can prevent unauthorized access and data breaches. By implementing MFA in accordance with these requirements, companies can improve their security posture and achieve certification.
Not all MFA methods are created equal. Cyber Essentials Requirements for IT Infrastructure comments on that saying that whereas SMS authentication is better than no authentication, it is not considered secure. So, organizations should not use this method unless no other methods are available. This means that an ideal MFA provider should offer multiple authentication methods each organization can choose from according to their individual and unique requirements.
How Cyber Essentials Plus Differs from Cyber Essentials
Cyber Essentials and Cyber Essentials Plus are two levels of certification that demonstrate your organization’s cybersecurity posture. Cyber Essentials is a self-assessment scheme that requires you to answer a questionnaire and provide evidence of your compliance with five technical controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. But Cyber Essentials Plus is a more rigorous and comprehensive scheme that requires a hands-on technical audit of your systems by an experienced cybersecurity assessor. In addition to the five technical controls, Cyber Essentials Plus also covers email and web browser security, which are common attack vectors for cybercriminals.
How Rublon MFA Can Help You Achieve Cyber Essentials Plus Certification
One of the challenges that organizations face when implementing MFA is finding the right solution. It has to be easy to use, scalable, and compatible with their existing and future IT infrastructure. This is where Rublon MFA can help.
Rublon MFA is a cloud-based solution that provides strong authentication with a wide range of features, such as push notifications, SMS messages, FIDO security keys, a dedicated mobile app called Rublon Authenticator or a third-party authenticator such as Microsoft Authenticator or Google Authenticator, and more. It is also flexible and adaptable, as it can integrate with most major applications and platforms out of the box, and with custom applications with minimal IT involvement.
Rublon MFA can help organizations achieve Cyber Essentials Plus certification by:
- Providing MFA for cloud services such as Office 365, AWS, Azure AD, and more
- Providing MFA for administrative accounts and accounts that are accessible from the internet, such as VPNs, remote desktops, web portals, and more
- Securing all user accounts with MFA for top security
- Allowing users to choose their preferred additional factor from multiple options that can be limited by administrators if needed
- Ensuring that users have a fast and simple authentication experience with Rublon’s user-friendly interface and dashboard
- Allowing administrators to set access policies based on user groups and applications
- Allowing administrators to monitor and manage users, applications, and devices in a centralized Admin Console
- Providing world-class support and guidance for users and administrators
Start Free Rublon Trial Today
Want to try Rublon MFA yourself? Do it now and let it help you achieve Cyber Essentials Plus certification. Start a Free 30-Day Trial now:
