Cyber Essentials — User Access Control
The User Access Control section of Cyber Essentials covers how you manage who and what has access to your systems and data. It requires unique passwords for every account, two-factor authentication on important accounts, and admin-level access limited to those who genuinely need it. These guides cover every User Access requirement.
What this control covers
- ✓ Set up two-factor authentication (2FA) on your email and important accounts
- ✓ Use a password manager to create and store unique passwords for every account
- ✓ Find and replace any weak or reused passwords across your accounts
- ✓ Remove unused app access from your Google and Microsoft accounts
- ✓ Use a standard (non-admin) user account for everyday tasks
User Access Control Guides (14)
- Set up two-factor authentication on your email: Add two-factor authentication (2FA) to your email account so a password alone is not enough to get in.
- Use a password manager: Install a password manager and use it to create and store a unique, strong password for every account.
- Change any weak or reused passwords: Identify and replace passwords that are short, simple, or used on more than one account.
- Review connected apps in your Google or Microsoft account: Check which third-party apps have been granted access to your Google or Microsoft account and remove any you no longer use.
- Create separate admin and day-to-day user accounts: Use a standard (non-admin) account for everyday tasks. Only switch to the admin account when you need to install software or change system settings.
- Use a password manager: Install a password manager and move your passwords into it. A password manager generates and stores strong, unique passwords for every account — so you only need to remember one.
- Switch to an authenticator app for two-step verification: Replace text message codes with a dedicated authenticator app (such as Google Authenticator or Authy) on your most important accounts. Authenticator app codes cannot be intercepted by SIM-swap attacks.
- Audit your most important account passwords: Check that your email, banking, and social media accounts all have strong, unique passwords. Replace any that are reused across multiple sites or that are short and easy to guess.
- Sign up for data breach alerts: Register your email address on Have I Been Pwned (haveibeenpwned.com) to receive free alerts if your details appear in a future data breach. You will hear about it before an attacker tries to use it.
- Check your credit report for signs of identity theft: Run a free credit check via Experian, Equifax, or TransUnion to see if anyone has applied for credit in your name. Catching identity theft early limits the financial and personal damage significantly.
- Add a hardware security key to your most important accounts: A hardware security key (such as a YubiKey) is the most secure form of two-step verification available. Adding one to your email account and other critical accounts eliminates the risk of phishing-based account takeover entirely.
- Turn on login alerts for your social accounts: Enable notifications for new logins on your Facebook, Instagram, X, and other social media accounts. You will be alerted immediately if someone accesses your account from an unrecognised device.
- Store your account recovery codes safely: Print or securely save the recovery codes for your most important accounts — particularly those protected by an authenticator app. Recovery codes are the only way back in if you lose access to your authenticator.
- Review and reduce app permissions on your phone: Check which apps have access to your location, camera, microphone, and contacts, and remove any permissions that are not needed. Many apps request more access than they actually need to function.