Cyber Essentials MFA: Replace Weak 2FA with Phishing-Resistant Authentication
September 18, 2025 by Trenton Thurber

Executive Summary
Cyber Essentials v3.2 raises expectations: all cloud services must use MFA, with stronger methods recommended over SMS when available. Organisations should adopt phishing-resistant authentication to cut AiTM and push-fatigue risk, but there doesn’t need to be just one way to do it. You can satisfy CE while improving UX via either of two mature technologies:
FIDO2/WebAuthn passkeys, widely supported across browsers, OSs and modern IdPs.
WWPass, a passwordless, usernameless approach using the WWPass Key app and client-side crypto to remove usernames/passwords and enable strong MFA and SSO.
Bottom line: pick one, or run both where it makes sense. Cyber Essentials cares that MFA is enforced and robust, not that everyone uses the same brand of authenticator.
Plain-English Definitions
Cyber Essentials (CE) v3.2: UK scheme defining baseline controls. From 28 April 2025, all new assessments use v3.2. MFA is required for all cloud services, and SMS is explicitly identified as a weaker option when stronger alternatives exist.
Phishing-resistant MFA: Stops credential forwarding (AiTM) and code interception. NCSC flags FIDO2 as phishing-resistant; other national authorities echo this.
Passkeys (FIDO2/WebAuthn): Origin-bound public-key credentials (platform or roaming) used via built-in OS support and security keys.
WWPass (aka WWPass Key): Passwordless login using the WWPass Key mobile app to scan or tap a dynamic QR code, establishing a cryptographically protected session without usernames or passwords. Supports recovery, MFA, and SSO.
Why “Weak 2FA” Fails, and Why Two Strong Alternatives Are Better

Attacks bypassing legacy 2FA: adversary-in-the-middle (AiTM) proxying, SIM-swap on SMS, and “push-bombing” user fatigue. NCSC and CISA push organisations toward phishing-resistant approaches to shut these down.
Two strong choices:
FIDO2/WebAuthn binds authentication to the real domain with public-key crypto, resisting AiTM and credential replay. It’s supported by major platforms and modern identity providers.
WWPass removes usernames/passwords entirely and uses a dynamic QR ceremony with client-side encryption, cutting both phishing surface and password lifecycle issues. It layers MFA signals (device + app PIN/biometric) and integrates with SSO.
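To make the origin-binding point concrete, here is an added example (not from the original article, and not any vendor's code) of the relying-party checks a WebAuthn server performs on an assertion before verifying the signature. The rpId, origin and assertion contents are constructed; the browser fills in clientDataJSON.origin itself and refuses an rpId that is not a registrable suffix of that origin, so an AiTM proxy on a lookalike domain produces an assertion the real relying party rejects.

```python
import base64
import hashlib
import json

# Constructed relying party: the credential was registered to this rpId/origin
RP_ID = "login.example.co.uk"
EXPECTED_ORIGIN = "https://login.example.co.uk"
FLAG_UP = 0x01  # authenticator data flag: user present
FLAG_UV = 0x04  # authenticator data flag: user verified (PIN/biometric)

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(origin: str, rp_id: str, challenge: bytes, uv: bool = True, count: int = 1) -> dict:
    """Constructed stand-in for what browser + authenticator return (signature omitted).
    The browser, not the page's JavaScript, fills in 'origin', which is why a proxy cannot forge it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}).encode()
    flags = FLAG_UP | (FLAG_UV if uv else 0)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + count.to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes, stored_sign_count: int) -> tuple:
    """Relying-party checks from the WebAuthn authentication ceremony, before the signature check."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client.get("origin") != EXPECTED_ORIGIN:  # this is the check an AiTM proxy fails
        return False, "origin mismatch: " + str(client.get("origin"))
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth[32]
    if not flags & FLAG_UP:
        return False, "user not present"
    if not flags & FLAG_UV:
        return False, "user verification required"
    sign_count = int.from_bytes(auth[33:37], "big")
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "sign count did not increase (possible cloned authenticator)"
    # Final step (not shown, needs an ECDSA library): verify the signature over
    # authenticatorData || SHA-256(clientDataJSON) with the credential's stored public key.
    return True, "ok"
```

Contrast this with an SMS or TOTP code, which carries no origin and so verifies identically whether the user typed it into the real site or into a proxy.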
NCSC & CE Guidance (What “Good” Looks Like)
CE v3.2: “Authentication to cloud services must always use MFA,” and SMS is not the most secure option; use stronger alternatives when available.
NCSC “Recommended types of MFA”: FIDO2 offers resistance to guessing, phishing, and theft and is appropriate for broad use; other methods rank lower.
Testing & timelines: CE Plus test spec and 2025 changes confirm scope and assessment baselines.
Quick Comparison: Weak 2FA vs. Phishing-Resistant Options
| Area | Weak 2FA (SMS/OTP/Push) | FIDO2/WebAuthn Passkeys | WWPass (Passkey implementation) |
| --- | --- | --- | --- |
| Phishing/AiTM | Codes can be proxied or stolen | Origin-bound crypto thwarts replay | No passwords; QR approach reduces phishing paths |
| SIM-swap risk | High for SMS | None | None |
| UX | Interruptive; push fatigue | Fast biometric/tap | Scan/tap QR with mobile app; no username/password |
| CE alignment | Compliant but discouraged if stronger exists | Strongly recommended by NCSC | Meets CE goal of strong MFA/passwordless |
| Coverage | Varies | Broad (OS/browser/IdP support) | Broad via WWPass SSO/MFA platform |
Mapping CE MFA to Your Access Control Policy

Embed these anchors (adapted and expanded from your original guide):
Scope: Enforce MFA for all cloud services, admin, and internet-exposed accounts.
Preferred Methods: Mandate phishing-resistant options (choose FIDO2/WebAuthn or WWPass per system capability).
Enrollment & Recovery: Require at least two strong authenticators per user (e.g., platform passkey + security key or WWPass Key on two devices with recovery configured).
Admin Separation: Use dedicated admin accounts with strong MFA.
Federation First: Prefer IdP-centric enforcement; if not possible, enable MFA in-app.
Zero-Trust Alignment: Pair strong MFA with device and context checks. (Aligned with government playbooks.)
Architecture Patterns That Satisfy CE (and Reduce Risk)
IdP-Centric (Recommended): Enforce either FIDO2/WebAuthn or WWPass at your IdP (e.g., Azure AD/Entra, Okta, Ping) and federate apps via SAML/OIDC.
Non-Federated SaaS: Turn on the strongest available MFA in each service (FIDO2 where supported; WWPass SSO gateway where appropriate) and capture evidence.
Remote Access & Admin Consoles: Treat VPN/RDP/VDI as internet-exposed; prefer phishing-resistant methods.
Implementation Guide (Weeks 1–10)
Phase 1 (Weeks 1–2): Plan & Inventory
Update policy to prefer phishing-resistant MFA; note where FIDO2 or WWPass is feasible.
Inventory apps, map federation, and flag gaps.
Phase 2 (Weeks 2–4): Tenant Controls & Pilots
Enforce conditional access (MFA required).
Pilot FIDO2 passkeys with a subset of users and WWPass Key with another subset to evaluate UX and coverage.
Phase 3 (Weeks 4–8): Enrolment at Scale
Roll out platform passkeys or distribute security keys; in parallel, deploy WWPass Key with recovery configured (email-based recovery + app PIN/biometric).
Phase 4 (Weeks 8–10): Close Gaps & Evidence
Address non-federated SaaS with in-app MFA or WWPass SSO.
Capture screenshots, logs, and admin-account separation proof for assessment.
Buyer’s Checklist (for RFPs/Vendors)

Supports phishing-resistant MFA: FIDO2/WebAuthn and/or WWPass.
Federation: SAML/OIDC with passkey or WWPass integrations.
Recovery & Resilience: Multiple authenticators per user; documented break-glass. (WWPass Key recovery process is app-guided.)
Zero-Trust Signals: Device and context aware policies.
Shared Responsibility: Clarify MFA enforcement for SaaS.
Policy Language You Can Copy
MFA Requirement: All cloud services, administrator accounts, and internet-exposed systems must enforce multi-factor authentication. The organisation prefers phishing-resistant methods and will implement either FIDO2/WebAuthn passkeys or WWPass where supported. SMS/email OTP may be used only as a documented fallback with compensating controls.
FAQs
Does Cyber Essentials mandate phishing-resistant MFA?
CE mandates MFA and advises stronger methods than SMS when alternatives are available. You can meet this using FIDO2/WebAuthn or WWPass.
Is FIDO2 the only “right” answer?
No. NCSC rates FIDO2 highly, but CE’s goal is robust MFA. WWPass achieves passwordless, phishing-resistant outcomes via a different UX and crypto flow. Many estates benefit from running both.
What if some users can’t use security keys?
Use platform passkeys (Windows Hello, Touch ID) or deploy WWPass Key on managed mobiles; both avoid SMS.
How does WWPass recover if a phone is lost?
WWPass provides an app-driven recovery using the email set during setup plus the user’s WWPass Key PIN, streamlining business continuity.