Environmental Sustainability for Small Charities - abstract artwork
how toOperationsTechnology

MFA Rollout Without Tears: A UK Charity Field Guide

Written by

Published

6 min readPublished 01/07/2026Updated 01/07/2026

Multi-factor authentication is the cheapest, fastest security control a small UK charity can ship this quarter. Here is the realistic option set, the rollout sequence that keeps trustees on board, and a 30-day plan with named owners.

If you have a single budget cycle to spend on charity cybersecurity, spend it on multi-factor authentication. Not awareness training, not a fresh antivirus, not a policy refresh. MFA blocks the overwhelming majority of credential attacks that show up in ICO breach reports, and you can ship it in a month without buying anything new.

Why MFA is the highest-return control you can ship

The National Cyber Security Centre is unambiguous: turn MFA on for every account that holds personal data or moves money. Microsoft’s own telemetry puts the block rate against automated credential attacks above 99 percent. The ICO’s quarterly data security incident reports tell the other half of the story. Phishing, unauthorised access and ransomware dominate the charity sector totals, and almost all of them start with a stolen password. MFA does not fix every problem on that list. It does close the door that most attackers walk through.

The economics are unusual for a security control. The licence cost is zero on Microsoft 365 Business Basic and Google Workspace Business Starter. The hardware cost is optional. The behaviour change is around six seconds per prompt. The downside risk of skipping it includes regulatory action, insurance refusal, and the kind of breach that makes the front page of Third Sector.

The realistic option set

Authenticator apps

Microsoft Authenticator and Google Authenticator are free, work on any modern phone, and support both push prompts and time-based codes. Microsoft Authenticator is the default for any 365 tenant and supports number matching, which removes most of the prompt-bombing risk. Google Authenticator is fine but lacks push, so users type a six-digit code each time. Both are good enough for almost every account in a small charity.

Hardware security keys

YubiKey 5 series and Google Titan keys are the gold standard. They are phishing-resistant in a way that no app can match, because they will not authenticate against a lookalike domain. Buy two per admin, one to carry and one to lock in the office safe. Expect to spend £45 to £60 per key. For trustees who move large grants or access donor PII, this is cheap insurance.

Passkeys

Passkeys are now generally available across Microsoft Entra and Google Workspace. They use the device biometric, sync through iCloud Keychain or Google Password Manager, and remove the password entirely. They are the long-term answer. For 2026 we recommend offering them as a parallel option, not the mandatory route, while trustee phones and shared volunteer laptops catch up.

SMS codes

Avoid where you can. SIM-swap fraud is a documented problem and the NCSC explicitly downgrades SMS as an MFA factor. If a trustee genuinely cannot use an app or a key, SMS is better than nothing, but it should be a documented exception with a review date, not the default.

Sequence the rollout so it actually lands

Order matters more than speed. Compromise of a single Global Admin account can drain the tenant, so admins go first, in week one, with hardware keys where the budget allows. Finance is the second wave: anyone who can approve a payment, raise an invoice, or change supplier bank details. All staff are the third wave, with a two-week window and visible drop-in support. Volunteers with admin access to systems, the database, the website CMS or the donation platform, are the fourth wave, and often the most resistant. Volunteers without system access are out of scope, which is worth saying out loud so the conversation stays focused.

The conversation with reluctant staff

Most resistance is not technical. It is the suspicion that IT is being inflicted on people who have already given the charity their time for free. The script that works, in our experience, is short. We tell them three things. Their password has almost certainly already been leaked in a breach somewhere, which they can verify on Have I Been Pwned. The charity’s insurance now requires MFA on accounts with access to personal data. And the alternative, if a fraudulent payment goes out under their login, is a regulator-facing investigation that nobody wants to be the subject of. Older trustees in particular respond to the governance framing, not the technology pitch.

Most resistance to MFA is not technical. It is the suspicion that IT is being inflicted on volunteers who have already given the charity their time for free.

Recovery and break-glass

Decide what happens when someone loses their phone before someone loses their phone. Every user gets a set of backup codes, printed and stored somewhere the user controls, not in their mailbox. Every tenant has a second Global Admin account, with a hardware key, used only for recovery, password stored in the charity’s password manager under dual control. Document the lost-phone process on a single page: who to ring, what proof of identity is required, expected reset time. Two hours of policy work now saves a panicked Sunday evening later.

The settings that take you from optional to enforced

Microsoft 365

Security defaults will enforce MFA for all users in a Business Basic tenant at no extra cost. For more control, Business Premium and above include Conditional Access, which lets you require MFA only off the office network, require hardware keys for admins, and block legacy authentication protocols that bypass MFA entirely. Whichever tier you are on, the goal is the same: MFA on every account, no exceptions, no permanent bypasses.

Google Workspace

Turn on two-step verification for the organisational unit, set a fourteen-day enrolment grace period, then enforce. For admins, restrict to security keys only. For everyone else, allow the Authenticator app and passkeys, disable SMS as a backup, and turn on the policy that automatically signs out and re-prompts when risk is elevated.

Cyber Essentials and what insurers expect

MFA is a Cyber Essentials control for all cloud services. Failing it means failing the certification, and an increasing number of grant funders and corporate partners now require Cyber Essentials before they will sign a contract. Charity insurance is moving the same way. Renewal questionnaires from the major sector insurers now ask, in plain English, whether MFA is enforced on email, file storage and finance systems. Answering no is no longer free.

A 30-day rollout plan with named owners

  • Week one. Enable MFA on every admin account, issue hardware keys, document the break-glass process. Owner: IT lead or outsourced provider.
  • Week two. Enrol finance and senior leadership. Run a thirty-minute drop-in. Owner: Finance Manager.
  • Week three. Enrol all staff. Send the script above by email on day one, run two drop-ins, escalate non-completers to line managers on day five. Owner: Operations Manager.
  • Week four. Enrol volunteers with system access, retire SMS exceptions, file the evidence pack for Cyber Essentials and insurance renewal. Owner: CEO or COO sign-off.

If you do nothing else this quarter, turn on Microsoft 365 Security Defaults or Google Workspace two-step enforcement. It takes ten minutes, costs nothing, and closes the door most attackers walk through.

Related reading: Password Managers For Charity Teams: Practical Rollout, DNSSEC And Domain Security For Charities: Practical Steps and Cloudflare For Charity Websites: Setup That Actually Helps.

Book a free strategy call with Pilar to improve charity marketing performance.

Frequently asked questions

Does MFA add a lot of friction for staff?

On a managed device, modern MFA prompts you roughly once every seven to thirty days, not on every login. The added time on a fresh prompt is around six seconds. The friction concern is almost always overstated by the third week of use.

What if a trustee refuses to install an authenticator app on their personal phone?

Offer a hardware security key as a paid alternative, around £50, and document the offer in writing. If they still decline, escalate to the board: the question is whether someone unwilling to meet the charity’s security baseline should retain access to personal data and financial systems.

Is SMS-based MFA acceptable for Cyber Essentials?

It currently meets the minimum bar, but the NCSC actively discourages it and the scheme guidance is tightening. Treat SMS as a temporary exception with a documented review date, not a permanent option.

Do volunteers need MFA?

Only those with access to systems that hold personal data or move money. A drop-in fundraising volunteer with no login does not. A volunteer who edits the website, exports donor lists or accesses the CRM does, and should be in the same rollout wave as paid staff.

Sources

External references used in this article. Links open on the original publisher’s site.

  1. Multi-factor authentication for online services
    National Cyber Security Centre · Accessed 22 May 2026
  2. Cyber Essentials overview
    National Cyber Security Centre · Accessed 22 May 2026
  3. Security defaults in Microsoft Entra
    Microsoft Learn · Accessed 22 May 2026
  4. Data security incident trends
    Information Commissioner’s Office · Accessed 22 May 2026
  5. Cyber security guidance for charities
    Charity Digital · Accessed 22 May 2026

You might also like:

TikTok for Charities: When and When Not - abstract artwork
guide
Leadership,  Operations,  Governance

A practical strategy method for small charity teams: set focus, choose trade-offs, and keep execution moving without long workshops or heavyweight frameworks.

Grant Writing: The Paragraph Funders Read First - abstract artwork
how to
Data,  Operations,  CRM Strategy

A practical, repeatable process to turn scattered charity data into one decision-ready dashboard your senior team will use, without hiring a BI specialist.