
Multi-factor authentication

Which MFA methods are acceptable?

Authenticator apps (Microsoft Authenticator, Authy, Google Authenticator, 1Password), hardware security keys (YubiKey), push notifications, and SMS where nothing stronger is available. SMS is allowed but not preferred: the one-time code travels over the mobile network and can be intercepted or redirected by SIM swapping, so app-based authentication is stronger, and hardware security keys are the strongest option because they resist phishing.

Why this matters

MFA is one of the clearest pass/fail areas under Cyber Essentials v3.3. The important question is not whether the organisation owns an MFA product, but whether every account that can access organisational data is covered in practice.

Assessors look for consistent enforcement across email, cloud services, admin accounts, remote access, and line-of-business systems. Exceptions should be rare, documented, isolated, and technically justified. Admin accounts should use the strongest available factor, ideally phishing-resistant MFA.

What to check next

  • Check every user account, not just staff with Microsoft 365 licences.
  • Disable legacy authentication paths that cannot support MFA, such as basic authentication for IMAP, POP and SMTP, which accept a username and password alone.
  • Separate day-to-day and administrator accounts and protect both with MFA.
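The three checks above come down to one question: for every account, which MFA method is actually registered, and is it strong enough for that account's role? The script below is an added example, not Fig Group's code or anything from the Cyber Essentials scheme. It reads a constructed registration export whose column and method names follow the Microsoft Graph authentication-methods user registration report (for example `mobilePhone`, `microsoftAuthenticatorPush`, `softwareOneTimePasscode`, `fido2SecurityKey`); the semicolon-separated CSV layout, the `example.com` accounts, and the grouping of methods into strength tiers are this example's own assumptions. It flags accounts with no MFA, accounts relying on SMS or voice alone, and admin accounts that are not on a phishing-resistant method.

```python
"""Rank MFA coverage per account from an authentication-methods registration export."""
import csv
import io
from dataclasses import dataclass, field

# Method identifiers follow the Microsoft Graph userRegistrationDetails report.
# The tiers are this example's own grouping (assumption), strongest first.
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}
APP_BASED = {"microsoftAuthenticatorPush", "softwareOneTimePasscode", "hardwareOneTimePasscode"}
PHONE_BASED = {"mobilePhone", "alternateMobilePhone", "officePhone"}  # SMS or voice call

STRENGTH_ORDER = ["none", "sms", "app", "phishing-resistant"]

# Constructed sample export (not real tenant data). Note the unlicensed
# service account: it must be checked like any other account.
SAMPLE_CSV = """userPrincipalName,isAdmin,methodsRegistered
alice@example.com,true,fido2SecurityKey;microsoftAuthenticatorPush
bob@example.com,false,mobilePhone
carol@example.com,true,microsoftAuthenticatorPush
dave@example.com,false,
erin@example.com,false,softwareOneTimePasscode
svc-backup@example.com,false,email
"""


@dataclass
class Account:
    upn: str
    is_admin: bool
    methods: set[str]


@dataclass
class Finding:
    upn: str
    strength: str
    issues: list[str] = field(default_factory=list)


def classify(methods: set[str]) -> str:
    """Return the strongest MFA tier among the registered methods."""
    if methods & PHISHING_RESISTANT:
        return "phishing-resistant"
    if methods & APP_BASED:
        return "app"
    if methods & PHONE_BASED:
        return "sms"
    # email and security questions serve password reset, not MFA
    return "none"


def parse_export(text: str) -> list[Account]:
    """Parse the CSV export into Account records (empty method list allowed)."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = {m.strip() for m in row["methodsRegistered"].split(";") if m.strip()}
        is_admin = row["isAdmin"].strip().lower() == "true"
        accounts.append(Account(row["userPrincipalName"].strip(), is_admin, methods))
    return accounts


def assess(accounts: list[Account]) -> list[Finding]:
    """Apply the checks: every account covered, SMS only as a fallback,
    admins on the strongest available factor."""
    findings = []
    for acct in accounts:
        strength = classify(acct.methods)
        issues = []
        if strength == "none":
            issues.append("no MFA method registered")
        elif strength == "sms":
            issues.append("SMS/voice only; move to an authenticator app or security key")
        if acct.is_admin and strength != "phishing-resistant":
            issues.append("admin account without phishing-resistant MFA")
        findings.append(Finding(acct.upn, strength, issues))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count accounts per strength tier for the assessment evidence."""
    counts = {tier: 0 for tier in STRENGTH_ORDER}
    for f in findings:
        counts[f.strength] += 1
    return counts


if __name__ == "__main__":
    results = assess(parse_export(SAMPLE_CSV))
    for f in results:
        flag = "; ".join(f.issues) if f.issues else "ok"
        print(f"{f.upn:<26} {f.strength:<20} {flag}")
    print(summarize(results))
```

Run against a real export, the per-tier summary is the figure an assessor will ask for, and the issue list is the exception register: anything left on the "none" or "sms" rows needs either remediation or a documented, technically justified exception.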

Official sources and related Fig guidance

For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.