Lesson 5.6 — Authentication before access: making sure users prove who they are before accessing organisational data or services

This lesson helps the learner understand the secure configuration requirement that users must be authenticated before they can access organisational data or services.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • identify where organisational data or services could be accessed without authentication
  • confirm that users must sign in before access is granted
  • record evidence for devices, cloud services, servers, and shared systems and applications

Why This Matters

This lesson explains what authentication means in practical Cyber Essentials terms, where unauthenticated access can appear, how shared devices and cloud services should be handled, and how to record evidence, without turning this lesson into the full user access control or MFA module.

The Core Rule

Cyber Essentials expects users to be authenticated before they can access organisational data or services.

Authentication means proving who you are before access is granted. Authorisation is a separate step that follows it: once your identity is proven, authorisation decides what that identity is allowed to do.

What the CE Assessor Looks For

A strong position shows:

  • users must sign in before accessing devices, cloud services and applications;
  • organisational data is not accessible through anonymous links unless deliberately public;
  • shared devices require appropriate user authentication or are locked down to a specific function;
  • cloud services use named accounts;
  • remote access requires named authentication and MFA where required;
  • supplier access requires authentication and is reviewed.

Common Mistakes

  • assuming being on the office network is enough authentication;
  • confusing authentication with authorisation;
  • ignoring public file-sharing links;
  • ignoring internal systems with no login;
  • ignoring shared devices;
  • ignoring tablets and phones.

Copy This

Keep this rule visible:

People should not be able to access work data or work services anonymously or without proving who they are.

Quick Checklist

Before moving on, make sure you can answer each of these:

  • [ ] What does this secure configuration requirement expect?
  • [ ] What does authentication mean?
  • [ ] What is the difference between authentication and authorisation?
  • [ ] Give three examples of organisational data or services.
  • [ ] Why can public links be an authentication issue?

Your Action

Do this now — it takes 10–20 minutes.

Confirm that every in-scope device requires a password, PIN, or biometric before access. Note any exceptions. Record in Section SC.

Key Takeaway

People should not be able to access work data or work services anonymously or without proving who they are.

Your Workbook Activity

Complete: Authentication before access review record

Next Lesson

In the next lesson: Device unlocking: PINs, passwords, biometrics and lockout controls