Is 2FA effective & do I need it for Cyber Essentials?

Is 2FA effective & do I need it for Cyber Essentials?

One of the less talked about requirements in order to become Cyber Essentials certified is that, where available, all administrator accounts must be protected by Two Factor Authentication.

How does it work?

Two Factor Authentication (2FA) works by adding an extra layer login credential beyond the typical username and password, often through the use of one time use codes sent via SMS, email, or authenticator apps, an example being Google Authenticator.

But is it effective?

The simple answer is yes, extremely. Microsoft conducted a report in 2019 which shows that users who enable Multi-factor Authentication on their accounts block 99.9% of all automated attacks. Google have also recently stated that adding a recovery phone number to any Google account can block 100% of automated attacks, and 99% of phishing attacks.

Do you need it to achieve Cyber Essentials Certification?

Cyber Essentials requires 2FA on all administrative accounts where available in order to protect accounts and ultimately your organisation from someone gaining access at administrative level, and potentially accessing sensitive data and causing more damage.

If it’s not something that can be implemented within your organisation, not to worry, although we strongly recommend 2FA to be used wherever possible, Cyber Essentials recognises that some systems and software do not currently support it, and therefore you can still become Cyber Essentials certified.

Contact Bruce & Butler today for more information on Two Factor Authentication and how to start your journey to Cyber Essentials certification.


Luke Green
Cyber Security Advisor