Understanding the New Passwordless Authentication Requirements for Cyber Essentials Certification

If your organisation is responsible for obtaining Cyber Essentials certification, it’s crucial to stay informed about evolving standards. Recently, the National Cyber Security Centre (NCSC) updated the Cyber Essentials scheme to version 3.2, introducing significant changes, particularly in how users authenticate access to your organisation’s digital assets. One standout update is the introduction of passwordless authentication.

Tip #1 - What is Passwordless Authentication?

Passwordless authentication is an advanced, secure method that confirms user identities without traditional passwords. Instead, it leverages methods such as:

• Biometric data: Fingerprints or facial recognition.

• Physical security tokens: USB security keys or smart cards.

• One-time codes: Temporary codes sent via SMS, email, or apps.

• Push notifications: Approval prompts sent directly to users' mobile devices.

This approach effectively eliminates many risks associated with traditional passwords—like them being forgotten, stolen, or cracked through brute-force attacks.

Tip #2 - Differences from the Previous Standard (V3.1)

Previously, under the Cyber Essentials 3.1 standard, passwords with strict complexity requirements were mandatory. Organisations had to enforce lengthy, complex passwords or use multi-factor authentication (MFA) alongside passwords.

The new guidance under version 3.2 introduces passwordless authentication explicitly, reflecting a broader industry move towards simpler yet more secure methods of access control.

Tip #3 - Practical Implementation of Passwordless Authentication

To help your organisation meet these new requirements, here's how you can practically implement compliant passwordless solutions across different devices:

Windows 11 Devices:

• Utilise Windows Hello, which supports biometric authentication (facial recognition or fingerprint scanning).

• Deploy security keys such as YubiKey for secure logins.

macOS Devices:

• Implement Apple’s Touch ID for fingerprint authentication.

• Use compatible security keys via USB, NFC or Bluetooth for additional protection.

Servers:

• Enforce passwordless SSH keys for Linux server administration.

• Use security keys or tokens to manage server access, particularly for administrative accounts.

  
  

Mobile Devices:

• iOS: Activate Face ID or Touch ID as primary methods for accessing organisational apps and data.

• Android: Enable biometric authentication, including fingerprint and facial recognition, supplemented by push notifications or secure authenticator apps.

Tip #4 - Recommended Next Steps

• Clearly define and communicate your passwordless authentication policy within your organisation.

• Ensure all employees understand how to use these new systems effectively.

• Regularly review and update your access controls to maintain compliance and security.

Don’t Forget to Add a Closing Statement

Embracing passwordless authentication aligns your organisation with best practices, enhancing security while simplifying user experiences.

For further assistance or detailed implementation support, reach out to our team at OCM Communications Limited. We specialise in guiding businesses smoothly through the certification process, ensuring your organisation remains compliant and secure.

Schedule a free consultation below.