CYBER ESSENTIALS MYTHCONCEPTION 4: MFA Can Only Be SMS or Authenticator-based
This post in our series on Cyber Essentials, "Mythconceptions", tackles the misconception:
"To comply with the new MFA requirements, we must use SMS or TOTP MFA codes."
Cyber Essentials now expects MFA on all accounts, but not every service offers it, and some users cannot use SMS-based MFA or authenticator-app (TOTP or push) MFA. How can you comply with Cyber Essentials in those cases?
In our other MFA mythconception post, we covered the idea that if a service does not offer MFA, then Cyber Essentials does not require it for that service. However, strong account controls are still needed on those accounts, and also wherever there is a legitimate reason not to enable MFA for some users (disabilities, equipment or device limitations, or other reasons). Fortunately, the NCSC has defined MFA-equivalent account controls that can stand in for MFA for compliance purposes.
At least one of:
- 'Throttling' the rate of unsuccessful login attempts.
  This means the time the user must wait between attempts increases with each unsuccessful attempt (for example, doubling after every failure).
  It should permit no more than 10 guesses in 5 minutes.
- Locking accounts after no more than 10 unsuccessful attempts.
Plus at least one of:
- A minimum password length of at least 12 characters, with no maximum length restriction.
- A minimum password length of at least 8 characters, with no maximum length restriction, plus automatic blocking of common passwords using a 'deny list'.
These controls are weaker than MFA and are offered as a reasonable fallback where MFA cannot be used. It is good practice to keep them in place on every account, including accounts that also have MFA, because they limit online password guessing regardless of whether a second factor is present.
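To make the two halves of the control concrete, here is an added Python sketch (not code from the original post, and not an NCSC or IASME reference implementation) that enforces both: a login guard that doubles the wait after each failed attempt and locks the account after 10 consecutive failures, and a password policy check for the two length options. The deny list is a constructed stub of a few entries; a real deployment would load a large breached-password list. The clock is injected as a parameter so that the "no more than 10 guesses in 5 minutes" bound can be checked offline rather than by waiting.

```python
"""Sketch of the NCSC 'MFA-equivalent' account controls: throttling,
lockout and password length / deny-list policy. Illustrative only."""
from dataclasses import dataclass

# Constructed stub deny list. A real deployment uses a large list of
# common and breached passwords (hundreds of thousands of entries or more).
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1",
})


def password_meets_policy(password: str, deny_list=COMMON_PASSWORDS) -> bool:
    """Option 1: at least 12 characters.  Option 2: at least 8 characters and
    not on the deny list.  No maximum length is enforced in either case."""
    if len(password) >= 12:
        return True
    return len(password) >= 8 and password.lower() not in deny_list


@dataclass
class AccountState:
    failures: int = 0          # consecutive unsuccessful attempts
    next_allowed: float = 0.0  # earliest time (seconds) another attempt is accepted
    locked: bool = False


class LoginGuard:
    """Throttles and locks accounts around a credential check.

    check_password(user, password) -> bool is supplied by the caller.
    'now' is passed in on every call so behaviour is deterministic in tests.
    """

    def __init__(self, check_password, base_delay: float = 1.0, max_failures: int = 10):
        self._check = check_password
        self.base_delay = base_delay
        self.max_failures = max_failures
        self._state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self._state.setdefault(user, AccountState())
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            # Rejected before the password is even checked, so it is not a guess.
            return "throttled"
        if self._check(user, password):
            st.failures = 0
            st.next_allowed = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True          # requires an unlock by an administrator
            return "locked"
        # Wait doubles per failure: 1s, 2s, 4s, ... so the cumulative wait
        # after 9 failures is 511s and at most 9 guesses fit in any 300s window.
        st.next_allowed = now + self.base_delay * 2 ** (st.failures - 1)
        return "failed"

    def is_locked(self, user: str) -> bool:
        return self._state.get(user, AccountState()).locked


def guesses_checked_in_window(window_seconds: int = 300, base_delay: float = 1.0) -> int:
    """Simulate an attacker submitting a wrong password every second for
    'window_seconds' and count how many guesses were actually evaluated."""
    guard = LoginGuard(lambda user, pw: pw == "correct horse battery staple", base_delay)
    evaluated = 0
    for t in range(window_seconds):
        if guard.attempt("alice", "wrong-guess", now=float(t)) in ("failed", "locked"):
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("guesses evaluated in 5 minutes:", guesses_checked_in_window())  # 9
    for pw in ("password1", "Tr0ub4dor&3", "correct horse battery staple", "short1"):
        print(repr(pw), "meets policy:", password_meets_policy(pw))
```

The guard rejects throttled requests without touching the credential store, which is the point of throttling: a guess only "counts" when the password is actually compared. Lockout is kept alongside throttling so that a slow, patient attacker still hits a hard stop at 10 failures.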
Barrier's "Securely Compliant Tips" for MFA options
The following tips are offered as inspiration to help you devise a strategy for MFA in your organisation for compliance and beyond:
CASB and SASE services can often add secure and compliant authentication options in front of services, and for users, that cannot use standard MFA.
TOTP or push MFA (what you get from an authenticator app) are the strongest of the commonly available options; where a service supports hardware security keys or passkeys, those are stronger still because they resist phishing. If you need to use one of the alternative methods, choose the most secure option available and make it your strategy to move to and prefer authenticator-based MFA. If you use push MFA, enable number matching so that a user cannot approve a prompt they did not initiate.
SMS MFA is the weakest form of MFA, because codes can be intercepted or redirected through SIM swapping, but it is still better than no MFA at all.
Phones and devices used only for MFA (and for no other work function) are out of scope of Cyber Essentials, so there are no BYOD implications if people use their own phones, even very old ones, just for MFA.
For any questions, contact IASME: https://iasme.co.uk/contact-us for official Cyber Essentials queries,
or Barrier Networks: https://www.barriernetworks.com/contact-us to schedule a Cyber Essentials assessment or help with anything from the Tips.