The change in plain English
From 28 April 2026, when Cyber Essentials moved to v3.3 (codename "Danzell"), multi-factor authentication became mandatory on every cloud-administrator account and every remote-access service for any organisation seeking certification. The wording in v3.3 is unambiguous: an applicant who cannot demonstrate MFA on those accounts cannot pass. SMS-based one-time codes were already discouraged in v3.2; in v3.3 they are explicitly removed from the list of acceptable second factors for new certifications.
This affects every UK SME bidding for public-sector contracts (where Cyber Essentials is required by Procurement Policy Note 014/21), every SME on a managed-service contract for a regulated buyer, and every SME whose insurance broker has tied cyber-cover pricing to a current Cyber Essentials certificate. Even outside the certified population, the change matters: NCSC guidance on MFA is the closest thing the UK has to a national authentication baseline, and insurers are quietly adopting the same baseline whether or not the customer is going for the certificate.
The reason for the change is well-documented. SIM-swap attacks on UK consumers and businesses doubled between 2022 and 2025; the National Crime Agency now treats them as one of the top-three vectors for SME account-takeover. SMS as a second factor is no longer "weak but acceptable"; it is "actively exploited at scale". v3.3 reflects what NCSC sees in incident response, not a theoretical concern.
What counts as "good" MFA in 2026
The Cyber Essentials v3.3 requirements text accepts the following as a strong second factor (paired with a strong primary factor of either a long passphrase or a passwordless credential):
- ✓ TOTP authenticator apps. Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, any RFC 6238-compliant TOTP generator. Free, broadly-supported, and the easiest factor to roll out across a small team in a single afternoon.
- ✓ FIDO2 / U2F hardware security keys. YubiKey 5 series, Feitian, SoloKeys and any other FIDO2-certified token. The strongest factor on the market, and phishing-resistant by construction: the browser includes the site's origin in the data the key signs, so a credential registered for the real domain will not answer a look-alike domain, and there is no code for a user to type into a fake page. Recommended for every administrator account.
- ✓ Passkeys. Synced (Apple iCloud Keychain, Google Password Manager, Microsoft Authenticator, 1Password) or device-bound. Passkeys are explicitly listed in v3.3 as an acceptable replacement for the password+second-factor pattern entirely: the private key held on the device is the possession factor, and the device unlock (PIN or biometric) that releases it is the second.
- ✓ Push-based authenticator apps with number matching. Microsoft Authenticator's number-match push and Duo's verified push are both acceptable. Plain "tap to approve" push, which is vulnerable to MFA fatigue attacks, is not recommended for new deployments.
- ✓ On-device biometrics (Windows Hello for Business, Touch ID, Face ID with secure enclave) combined with a possession factor (the device itself). Acceptable when the biometric template never leaves the device and the device is enrolled in your management system.
What does NOT count
The following are explicitly outside the v3.3 acceptable list:
- ✕ SMS one-time codes. SIM-swap risk. Removed for new certifications.
- ✕ Email-based codes. A mailbox compromise hands the attacker the password-reset channel and the "second" factor in one place, so nothing independent is being checked.
- ✕ Voice-call OTP. Same risk profile as SMS, plus easier to social-engineer.
- ✕ Security questions. A second knowledge factor on top of a password adds nothing in 2026; the answers are in everyone's data-breach history and on their social-media profiles.
- ✕ Trusted-device "remember me for 30 days" alone. Acceptable as a UX optimisation on top of MFA, never as a replacement for it.
Implementation playbook for a 20-person SME (one working week)
Here is the rollout plan we recommend for a typical 20-person UK SME that has not yet enforced MFA across its admin estate. The plan assumes a five-day working week and one technical lead.
Day 1: Inventory
List every cloud admin account in your organisation. The minimum list to walk: Microsoft 365 / Google Workspace tenant admins; AWS, Azure or GCP root and IAM admins; your DNS host (Cloudflare, Route 53); your payment processor (Stripe, GoCardless, PayPal); your data warehouse (Supabase, Snowflake); your Git host (GitHub, GitLab, Bitbucket); your CI/CD provider (Vercel, Railway, GitHub Actions); your CRM (HubSpot, Pipedrive, Salesforce); your email service (Resend, Postmark, Mailchimp); your business banking. Include named individual accounts and any shared "admin@" accounts (which should not exist, see Day 4).
Day 2: Tenant-level enforcement
Turn on MFA enforcement at the tenant level for Microsoft 365 (Conditional Access policy: require MFA for admin roles), Google Workspace (2-Step Verification enforcement), AWS (a service control policy that denies actions when `aws:MultiFactorAuthPresent` is false) and your Git host (on GitHub, the organisation-level "Require two-factor authentication" setting). Two AWS caveats: a service control policy never applies to the management account itself, so enrol MFA on that account's root user and admins directly; and a deny-without-MFA policy also catches long-lived access keys used by automation, so move those workloads to roles before you switch it on. Tenant enforcement is far easier than asking individuals to opt in.
Day 3: Hardware keys for administrators
Order two YubiKey 5 NFC tokens for each administrator (one in pocket, one in safe). At approximately £50 per key, the spend for a 20-person SME with five admins is around £500, meaningfully cheaper than a single failed Cyber Essentials reassessment. Enroll the keys against every cloud admin account that supports FIDO2.
Day 4: Eliminate shared accounts
Every "admin@" or "ops@" shared account is a Cyber Essentials failure waiting to happen. Replace shared accounts with named individual accounts and a delegated-access pattern. Where you genuinely need a shared mailbox, route it as a distribution list to named accounts; do not let users log in as the shared identity.
Day 5: Documentation
Update your information-security policy register to record the MFA enforcement state, the acceptable second factors and the recovery procedure if an admin loses their key. Capture screenshots of the tenant-level enforcement settings; these become evidence for your Cyber Essentials submission. Add MFA enrollment to your joiner-mover-leaver checklist so the next hire is enrolled on day one.
By Friday afternoon you have a fully MFA-enforced admin estate, evidence ready for assessment and a written process that survives staff churn. Total external spend for a 20-person SME: about £500 in hardware. Total internal effort: roughly five working days for the technical lead, plus 30 minutes per administrator.
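Days 1 and 2 on AWS reduce to two concrete artefacts: a list of who can sign in without MFA, and the policy that stops them. The block below is an added example, not the page's or any vendor's code. It parses an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-decoded) to find console-enabled users and the root user with no MFA device, and builds a deny-without-MFA service control policy. The report sample is constructed and trimmed to the columns the check reads (real reports carry about 22); the account ID and usernames are made up, and the set of exempted enrolment actions is the usual self-service list, chosen here rather than taken from the page.

```python
import csv
import io
import json

# Constructed sample in the layout of an IAM credential report. Columns other than
# user, password_enabled and mfa_active are shown only so the shape is recognisable.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2026-04-20T08:12:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,2022-06-10T10:00:00+00:00,true,2026-04-21T07:40:00+00:00,2026-01-05T10:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2023-02-14T11:00:00+00:00,true,2026-04-19T16:05:00+00:00,2025-11-30T11:00:00+00:00,N/A,false,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-09-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

# Actions a user must still be allowed to perform while not yet MFA-authenticated,
# otherwise nobody can enrol their first device. Assumed list, not from the page.
MFA_ENROLMENT_ACTIONS = [
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def users_missing_mfa(report_csv: str) -> list[str]:
    """Return principals that can sign in to the console (or are root) but have no MFA device.

    Users with password_enabled=false (pure access-key users such as ci-deploy) are not
    console logins and are skipped; their keys are a Day 2 migrate-to-roles item instead.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_login = row["password_enabled"] == "true"
        if (is_root or console_login) and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def mfa_enforcement_scp() -> dict:
    """Service control policy: deny everything except MFA enrolment to IAM users without MFA.

    BoolIfExists treats a missing aws:MultiFactorAuthPresent key as "false", which is
    what long-lived access keys present; the aws:PrincipalArn condition limits the deny
    to IAM users so roles used by workloads are not broken. Both conditions must hold
    for the deny to apply. SCPs do not apply to the management account at all.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIamUsersWithoutMFA",
                "Effect": "Deny",
                "NotAction": MFA_ENROLMENT_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
                    "ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:user/*"},
                },
            }
        ],
    }


if __name__ == "__main__":
    print("Console principals without MFA:", users_missing_mfa(SAMPLE_REPORT))
    print(json.dumps(mfa_enforcement_scp(), indent=2))
```

Run against a real report, the first function is the Day 1 inventory for AWS and its output should be empty by the end of Day 3; the policy is the Day 2 enforcement, attached to the organisational units that hold member accounts. Attach it to a test OU first, because the deny also blocks any IAM user whose access keys a script depends on.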
Edge cases worth thinking about
A few situations come up often enough to flag explicitly:
- Founders who are also the technical lead. You are the highest-value account in the company. Use a hardware key, not just an authenticator app, and store a backup key in a fire safe or a bank deposit box.
- Shared customer-portal logins. If you use a vendor portal that does not support per-user logins (still depressingly common in UK B2B SaaS), document this as an exception, hold the credential in the password manager of a single named owner whose own account has MFA enforced, enable whatever MFA the portal does offer on that owner's device, and lobby the vendor for proper SSO. This is not a Cyber Essentials failure provided the exception is documented and managed.
- Contractors and offshore developers. Their cloud accounts count too. If a contractor needs admin access to your AWS account, they need MFA on that account. Do not exempt contractors from your MFA policy because they are "external"; that is precisely the threat surface that gets exploited.
- Recovery flow. Document what happens when an administrator loses a key on a Friday night before a Monday product launch. The answer is "second hardware key from the safe", not "phone the IT helpdesk on Monday".
How CrowAgent helps
CrowCyber surfaces every MFA-relevant question in the v3.3 self-assessment, asks you to confirm the enforcement state on each in-scope cloud service, and generates the assessor-ready evidence pack, including the screenshots, the policy text and the named-individual ownership matrix, automatically. When IASME publishes a new requirements release, CrowCyber updates the question wording within 14 days and ports your existing answers forward. You will not re-key an answer that already passed. CrowCyber is part of the CrowAgent platform alongside CrowAgent Core (MEES and property compliance) and CrowMark (PPN 002 social value), so one workspace covers cyber, property, and procurement compliance.
Note
If your existing Cyber Essentials certificate was issued under v3.2 ("Willow") or earlier, you will be assessed against v3.3 ("Danzell") at your next annual renewal. Plan your MFA rollout to land at least 60 days before that renewal date; assessors will not accept "we will fix this next month" answers on questions that are now mandatory.
CrowCyber tracks every cloud admin account
Inventory, MFA enforcement state, evidence pack and v3.3 (Danzell) question mapping in one platform. From £99/month, 14-day free trial, no card required.