
Cyber Essentials v3.3: admin account requirements and the FIDO2 shift

v3.3 raised the bar for admin and privileged accounts. Separation of duties, FIDO2 for admins, break-glass protocols, and the audit trail your assessor now expects.

Author: Jay Hopkins

Editor: Jack Wickham

Read time: 9 min read


Admin and privileged accounts are the highest-risk accounts in any organisation. v3.3 formalised the requirements that were implicit in earlier versions. This article covers what now passes and what now fails.

The core rules under v3.3

1. Every admin has an individual account. No shared admin credentials.

2. Every admin uses MFA. SMS is not acceptable for admins under v3.3.

3. Strongest factor preferred. FIDO2 hardware key or Windows Hello for Business.

4. Separation of duties. Admin tasks use admin accounts; day-to-day tasks use non-admin accounts. One user, two accounts.

5. Break-glass documented. Emergency access accounts exist, are sealed, are monitored.

6. Audit trail. Admin actions are logged.

Separation of duties

Under v3.3, a user with admin rights must have two accounts:

  • Day account: standard user permissions, used for email, browsing, line-of-business tools.
  • Admin account: elevated permissions, used only for admin tasks (user management, system configuration).

Rationale: if the user's day-to-day credential is compromised (phishing, laptop theft, malware), the attacker does not get admin access.

Small organisations sometimes push back on this ("we only have 3 admins"). The CE requirement applies regardless - even a 5-person organisation with one admin needs the separation.

FIDO2 for admins (preferred)

v3.3 explicitly lists FIDO2 / WebAuthn as the preferred MFA factor for admin accounts. Reasons:

  • Phishing-resistant (the browser binds the credential to the domain, so a lookalike site cannot use it).
  • Cannot be intercepted by a man-in-the-middle.
  • Cannot be captured by keylogging malware.

Implementation:

1. Buy two FIDO2 keys per admin (primary + backup).

2. Enrol via the identity provider (Entra ID, Okta, Google Workspace).

3. Require FIDO2 for admin role at the identity provider.

Budget: £50–£80 per YubiKey, so £100–£160 per admin. A 5-admin organisation is £500–£800 one-off.

Windows Hello for Business as an alternative

For admins on Windows 11 with TPM-enabled laptops, Windows Hello for Business provides equivalent assurance. Biometric + TPM-bound credential passes v3.3 as FIDO2-equivalent.

The assessor asks for the Intune policy proving WHfB is deployed to the admin group.

Break-glass accounts

Every organisation needs emergency access accounts for scenarios like:

  • Primary admin's account is locked out.
  • MFA method is lost.
  • Identity provider itself is down and admin sign-in fails.

Under v3.3, break-glass accounts must:

  • Exist (typically 2 accounts, stored separately).
  • Have a strong password, printed and sealed.
  • Have MFA via a method that works when primary MFA fails.
  • Be excluded from Conditional Access policies that could lock them out.
  • Be monitored via sign-in alerts.
  • Not be used in normal operations.

Document this in the self-assessment.
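In an Entra ID tenant, implementation step 3 above (require FIDO2 for the admin role at the identity provider) and the break-glass rule "excluded from Conditional Access policies that could lock them out" come down to a single Conditional Access policy. The following is an added example, not Fig Group's or Microsoft's code: it builds the policy body for the Microsoft Graph endpoint POST /identity/conditionalAccess/policies, refuses to build one without break-glass exclusions, and checks the result the way an assessor reading the screenshot would. The break-glass object IDs are placeholders; the authentication-strength and role-template IDs are Microsoft's built-in values, which you should confirm against your tenant before deploying.

```python
"""Build and sanity-check a Conditional Access policy that requires
phishing-resistant MFA (FIDO2 / WHfB) for admin roles and excludes the
break-glass accounts.

Added example, not Fig Group's or Microsoft's code. The break-glass
object IDs below are placeholders; replace them with the real values.
"""
import json
import urllib.request

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2 keys,
# Windows Hello for Business, certificate-based auth). Confirm the ID under
# Entra ID > Authentication methods > Authentication strengths.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs. Extend to every role you treat as "admin".
ADMIN_ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Exchange Administrator": "29232cdf-9323-42fd-ade2-1d097af3e4de",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
}

# PLACEHOLDERS: object IDs of the two sealed break-glass accounts.
BREAK_GLASS_OBJECT_IDS = [
    "<break-glass-1-object-id>",
    "<break-glass-2-object-id>",
]

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_admin_fido2_policy(break_glass_ids, role_ids=None, report_only=True):
    """Return the JSON body for the policy. Starts in report-only mode so the
    sign-in log shows what would be blocked before anyone is locked out."""
    if not break_glass_ids:
        raise ValueError("refusing to build a policy with no break-glass exclusions")
    role_ids = list(role_ids or ADMIN_ROLE_TEMPLATES.values())
    return {
        "displayName": "CE v3.3 - Require phishing-resistant MFA for admin roles",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": role_ids,
                "excludeUsers": list(break_glass_ids),
            },
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID},
        },
    }


def check_policy(policy, break_glass_ids):
    """Return the problems an assessor would spot in the policy; empty means OK."""
    problems = []
    grant = policy.get("grantControls", {})
    if grant.get("authenticationStrength", {}).get("id") != PHISHING_RESISTANT_STRENGTH_ID:
        problems.append("grant control is not the phishing-resistant authentication strength")
    users = policy.get("conditions", {}).get("users", {})
    if not users.get("includeRoles"):
        problems.append("no admin roles in scope")
    missing = set(break_glass_ids) - set(users.get("excludeUsers", []))
    if missing:
        problems.append(f"break-glass accounts not excluded: {sorted(missing)}")
    return problems


def deploy(policy, access_token):
    """POST the policy via Microsoft Graph. The token needs the
    Policy.ReadWrite.ConditionalAccess permission."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_admin_fido2_policy(BREAK_GLASS_OBJECT_IDS)
    problems = check_policy(policy, BREAK_GLASS_OBJECT_IDS)
    print("policy OK" if not problems else "\n".join(problems))
    print(json.dumps(policy, indent=2))
    # deploy(policy, access_token="<token>")  # run once the report-only review is clean
```

Leave the policy in report-only for a week, read the "report-only" column of the admin sign-in logs for anything that would have been blocked, then flip `report_only=False`. The screenshot of the enabled policy, showing the role scope, the authentication strength and the two excluded accounts, is the evidence item the assessor asks for.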

Monitoring admin actions

v3.3 expects that admin actions are logged and reviewable. Minimum:

  • Audit log retention: 90 days (preferably 365).
  • Alerts on specific events: new admin created, sign-in from unusual location, password reset.
  • Sign-in logs for admin accounts: reviewed monthly.

Microsoft 365 and Google Workspace both provide this out-of-the-box. Configure the alerts.
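The alerts listed above, plus the break-glass sign-in monitoring from the previous section, reduce to a handful of rules over two exports: the sign-in log and the directory audit log. The following is an added example, not Fig Group's tooling, that runs those rules over constructed sample records. The record layout is a deliberate simplification of Microsoft Entra sign-in and directory-audit fields (userPrincipalName, authentication methods, country, activityDisplayName); map the fields of your real export onto it before using it for the monthly review.

```python
"""Review admin sign-in and audit records against the v3.3 monitoring
expectations: break-glass use, admin MFA that is not phishing-resistant,
unusual sign-in location, new admin created, admin password reset.

Added example, not Fig Group's tooling. The record layout is a constructed
simplification of Microsoft Entra log fields; all accounts are placeholders.
"""
from collections import Counter

PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business"}
EXPECTED_COUNTRIES = {"GB"}  # where your admins normally sign in from

# One named admin account per person, plus the two sealed break-glass accounts.
ADMIN_ACCOUNTS = {"adm.jhopkins@example.com", "adm.jwickham@example.com"}
BREAK_GLASS_ACCOUNTS = {"bg-admin-1@example.com", "bg-admin-2@example.com"}


def review_signins(records, admins=ADMIN_ACCOUNTS, break_glass=BREAK_GLASS_ACCOUNTS,
                   expected_countries=EXPECTED_COUNTRIES):
    """Return (rule, account, detail) findings for a batch of sign-in records."""
    findings = []
    for r in records:
        upn = r["userPrincipalName"]
        if upn in break_glass:
            # Any break-glass sign-in is something to explain, never noise.
            findings.append(("BREAK_GLASS_USED", upn,
                             f"{r['createdDateTime']} from {r['country']}"))
            continue
        if upn not in admins:
            continue  # day accounts are outside this admin-specific review
        methods = set(r.get("authenticationMethods", []))
        if not methods & PHISHING_RESISTANT:
            findings.append(("WEAK_ADMIN_MFA", upn, "methods: " + ", ".join(sorted(methods))))
        if r["country"] not in expected_countries:
            findings.append(("UNUSUAL_LOCATION", upn, f"country {r['country']}"))
    return findings


def review_audit(events, admins=ADMIN_ACCOUNTS):
    """Flag role grants (new admin) and password resets on admin accounts."""
    findings = []
    for e in events:
        activity, target = e["activityDisplayName"], e["targetUser"]
        if activity == "Add member to role":
            findings.append(("NEW_ADMIN", target, f"{e['role']} granted by {e['initiatedBy']}"))
        elif activity == "Reset user password" and target in admins:
            findings.append(("ADMIN_PASSWORD_RESET", target, f"by {e['initiatedBy']}"))
    return findings


def summarise(findings):
    """Count findings per rule, the shape the monthly review note wants."""
    return Counter(rule for rule, _, _ in findings)


# Constructed sample data: five sign-ins and three audit events.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "adm.jhopkins@example.com", "createdDateTime": "2025-01-06T08:02:11Z",
     "authenticationMethods": ["Password", "FIDO2 security key"], "country": "GB"},
    {"userPrincipalName": "adm.jwickham@example.com", "createdDateTime": "2025-01-06T09:15:40Z",
     "authenticationMethods": ["Password", "Text message"], "country": "GB"},
    {"userPrincipalName": "adm.jhopkins@example.com", "createdDateTime": "2025-01-07T23:48:03Z",
     "authenticationMethods": ["Password", "FIDO2 security key"], "country": "RO"},
    {"userPrincipalName": "bg-admin-1@example.com", "createdDateTime": "2025-01-08T02:10:55Z",
     "authenticationMethods": ["Password"], "country": "GB"},
    {"userPrincipalName": "jhopkins@example.com", "createdDateTime": "2025-01-08T08:30:12Z",
     "authenticationMethods": ["Password", "Microsoft Authenticator"], "country": "GB"},
]
SAMPLE_AUDIT = [
    {"activityDisplayName": "Add member to role", "targetUser": "adm.newstarter@example.com",
     "role": "Global Administrator", "initiatedBy": "adm.jhopkins@example.com"},
    {"activityDisplayName": "Reset user password", "targetUser": "adm.jwickham@example.com",
     "role": None, "initiatedBy": "adm.jhopkins@example.com"},
    {"activityDisplayName": "Update user", "targetUser": "jhopkins@example.com",
     "role": None, "initiatedBy": "adm.jwickham@example.com"},
]

if __name__ == "__main__":
    all_findings = review_signins(SAMPLE_SIGNINS) + review_audit(SAMPLE_AUDIT)
    for rule, account, detail in all_findings:
        print(f"{rule:22} {account:30} {detail}")
    print(dict(summarise(all_findings)))
```

Against the sample data the script raises five findings: one SMS-only admin sign-in, one admin sign-in from outside the expected country, one break-glass use, one new Global Administrator, and one password reset on an admin account. Each is exactly the kind of event the assessor expects you to have an alert for, and the summary counts are what goes into the monthly review record.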

What the assessor checks

  • Screenshot of admin role membership (Entra ID, Google Admin).
  • Evidence that admins have individual accounts, not shared.
  • Evidence of FIDO2 / Windows Hello enforcement.
  • Screenshot of Conditional Access policy enforcing FIDO2 for admin roles.
  • Documentation of break-glass protocol.

Common failures

  • Shared admin account (often in small MSPs): split into individual named admin accounts.
  • Admin uses same account for email and admin work: create a separate admin account.
  • SMS MFA for admin: upgrade to FIDO2 or authenticator app.
  • No break-glass protocol: document it and test it once.
  • MSP shares client admin credentials internally: individual named accounts per MSP engineer.

Bottom line

v3.3 treats admin accounts as a discrete category. Individual accounts, strong MFA, separation of duties, monitored, break-glass documented. Get this right and admin controls are the strongest part of your submission.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
