Authentication and MFA for Canadian Businesses — Baseline Control BC.5
What Authentication Means
Authentication is the process of verifying that a user is who they claim to be before granting access to systems, applications, or data. The Canadian Centre for Cyber Security (CCCS) designates authentication as BC.5 in its 13 Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089). Strong authentication practices — particularly the use of multi-factor authentication (MFA) — are among the most effective measures any organization can implement to prevent unauthorized access.
This page summarizes what the CCCS recommends for authentication. It is educational content based on publicly available government guidance and is not professional cybersecurity advice. For your specific situation, consult a qualified professional. You can also take our free assessment to evaluate your organization across all 13 controls.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that organizations implement strong authentication mechanisms, with particular emphasis on multi-factor authentication. The CCCS also publishes dedicated password guidance in ITSAP.30.032 (Best Practices for Passphrases and Passwords), which provides specific recommendations for password policies.
Multi-Factor Authentication Everywhere
The CCCS strongly recommends implementing MFA on all accounts where it is available, with priority given to:
- Email accounts — Email is often the gateway to other systems through password reset functions, making it a high-priority target for attackers.
- Remote access — VPN connections, remote desktop, and any other remote access methods should require MFA.
- Cloud services — Microsoft 365, Google Workspace, and other cloud platforms should have MFA enabled for all users.
- Administrative accounts — Any account with elevated privileges (admin, root, domain admin) should require MFA without exception.
- Financial systems — Banking portals, accounting software, and payment platforms should use MFA to protect against fraud.
- Social media and public-facing accounts — Compromised social media accounts can damage your organization's reputation.
MFA typically involves a combination of:
- Something you know — A password or passphrase
- Something you have — A mobile phone (for SMS codes or authenticator apps), a hardware security key (such as a YubiKey), or a smart card
- Something you are — Biometric verification such as a fingerprint or facial recognition
Phishing-Resistant Authentication
Not all MFA methods provide equal protection. SMS-based codes, while better than passwords alone, are vulnerable to SIM-swapping attacks and real-time phishing. The CCCS recommends moving toward phishing-resistant authentication methods where possible, including:
- FIDO2 security keys — Hardware tokens that use public-key cryptography and are bound to the specific website, making them immune to phishing attacks.
- Authenticator apps with number matching — Apps like Microsoft Authenticator that require the user to enter a number displayed on the login screen, rather than simply approving a push notification.
- Passkeys — A newer standard based on FIDO2 that allows passwordless authentication using a device's built-in biometrics or PIN, bound to the specific service.
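The "bound to the specific website" property above comes from checks the relying party (the site) performs on every FIDO2/WebAuthn login. The following is an added example, not code from the CCCS guidance or this page: the RP ID `example.ca`, the origin `https://login.example.ca` and the assertion data are constructed for illustration, and the final signature verification over the returned bytes is left to a cryptography library.

```python
# Added example: relying-party checks that make a FIDO2/WebAuthn assertion
# phishing-resistant. RP_ID, EXPECTED_ORIGIN and the assertion are constructed;
# a real server would also verify the signature over the returned bytes.
import base64
import hashlib
import json

RP_ID = "example.ca"                        # assumed relying-party identifier
EXPECTED_ORIGIN = "https://login.example.ca"  # assumed legitimate login origin

def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> bytes:
    """Validate the binding fields of a WebAuthn assertion.

    Returns the exact bytes the authenticator signed (authenticatorData ||
    SHA-256(clientDataJSON)) for a signature check; raises ValueError otherwise.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    # The browser, not the user, fills in `origin`: a key used on a look-alike
    # domain signs that domain's origin, so the real site can reject it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")
    if client_data.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch (replayed or forged assertion)")
    # First 32 bytes of authenticatorData are SHA-256(rpId): the credential is
    # scoped to this RP ID, so a different site cannot produce this hash.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:
        raise ValueError("user presence flag not set")
    return authenticator_data + hashlib.sha256(client_data_json).digest()

def make_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID):
    """Constructed test data: what a browser/authenticator produces for `origin`."""
    client_data_json = json.dumps({"type": "webauthn.get",
                                   "challenge": b64url(challenge),
                                   "origin": origin}).encode()
    # rpIdHash (32 bytes) || flags (UP = 0x01) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + bytes(4)
    return client_data_json, auth_data
```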
Password Policies: ITSAP.30.032
The CCCS publication ITSAP.30.032 (Best Practices for Passphrases and Passwords) provides specific guidance on password policies. Key recommendations include:
- Use passphrases over short complex passwords. The CCCS recommends passphrases — longer strings composed of four or more random words — as they are both easier to remember and harder to crack by brute force. Length is the most important factor in password strength.
- Minimum length of 12 characters for passwords, with longer passphrases encouraged.
- Do not force regular password changes unless there is evidence of compromise. Forced periodic rotation often leads to weaker passwords as users make minimal, predictable changes. Instead, require password changes only when a breach is suspected.
- Use unique passwords for every account. Password reuse across multiple services means that a breach at one service can compromise all accounts using the same password.
- Check passwords against known breached lists. Where technically feasible, screen new passwords against databases of previously compromised passwords to prevent users from choosing already-exposed credentials.
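A small policy checker that applies the ITSAP.30.032 points above (12-character minimum, breached-list screening, no predictable rotation, passphrases of four or more random words), written here as an added example rather than taken from the CCCS publication. The breached-password list and the word list are constructed stand-ins.

```python
# Added example: ITSAP.30.032-style password policy checks. The breached
# list and word list are constructed for illustration.
import hashlib
import re
import secrets
from typing import List, Optional

MIN_LENGTH = 12  # ITSAP.30.032 minimum password length

# Constructed stand-in for a breached-password database, stored as SHA-1
# digests the way public breach lists usually are.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123!", "Welcome2024!", "Summer2023!!")
}

# Constructed word list; a real deployment would use a few thousand words.
WORDLIST = ["maple", "harbour", "lantern", "glacier", "orchid", "tundra",
            "compass", "meadow", "ferry", "thistle", "beacon", "prairie"]

def _stem(password: str) -> str:
    """Drop trailing digits/symbols and case, so 'Password2!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy violations for `candidate` (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in a known-breached password list")
    # Forced rotation tends to produce Password1 -> Password2; treat a
    # candidate that only differs from the old one by its suffix as reuse.
    stem = _stem(candidate)
    if previous is not None and stem and stem == _stem(previous):
        problems.append("is a trivial variant of the previous password")
    return problems

def generate_passphrase(words: int = 4, separator: str = "-") -> str:
    """Join `words` randomly chosen words using a CSPRNG."""
    if words < 4:
        raise ValueError("ITSAP.30.032 recommends four or more random words")
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))
```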
Password Managers
The CCCS recommends using password managers to help employees maintain unique, strong passwords for every account without having to memorize them all. Password managers generate random, complex passwords and store them securely, requiring the user to remember only one master password (or use biometric authentication) to access their vault.
For business use, enterprise password managers offer additional features:
- Centralized administration and user provisioning
- Secure sharing of credentials for team accounts
- Audit logs showing who accessed which credentials
- Integration with single sign-on (SSO) systems
- Emergency access procedures for account recovery
Eliminating Shared Accounts
The CCCS recommends that every user have their own individual account. Shared accounts — where multiple people use the same username and password — undermine accountability and make it impossible to determine who performed a specific action. They also make password management impractical, as changing the password requires communicating it to all users of the shared account.
Where shared accounts cannot be immediately eliminated (for example, shared social media accounts or legacy systems), use a password manager to control and audit access, and plan a migration path to individual accounts.
Why This Matters for Canadian Businesses
Compromised credentials are one of the most common initial attack vectors in cybersecurity incidents. Attackers obtain passwords through phishing, credential stuffing (trying passwords from other breaches), brute-force attacks, and malware. For Canadian SMBs, weak authentication practices can lead to:
- Account takeover — Attackers who gain access to email accounts can intercept communications, redirect payments, send phishing emails to your contacts, and reset passwords on other linked accounts.
- Business email compromise (BEC) — One of the most financially damaging cyberattacks, where attackers use compromised email accounts to impersonate executives or vendors and redirect wire transfers or payments.
- Data breaches — Unauthorized access to accounts containing personal information can trigger breach notification obligations under PIPEDA and result in regulatory scrutiny.
- Ransomware deployment — Attackers frequently use compromised credentials to gain initial access to a network, then escalate privileges and deploy ransomware.
MFA is one of the most effective controls against these threats. Even when a password is compromised, MFA requires the attacker to also possess the second factor, which dramatically increases the difficulty of unauthorized access. Combined with proper access control (BC.12) and security awareness training (BC.6), strong authentication forms a critical layer of defense.
How to Get Started
Implementing stronger authentication is one of the highest-impact improvements most Canadian SMBs can make. Here are practical steps:
- Enable MFA on email first. If you do nothing else, enable MFA on your organization's email accounts. Email is the most critical account to protect because it is often used as the recovery mechanism for other services. Both Microsoft 365 and Google Workspace support MFA at no additional cost.
- Enable MFA on all cloud services. After email, enable MFA on cloud storage, collaboration tools, accounting software, CRM systems, and any other cloud-based services your organization uses. Check each service's security settings — most major platforms now support MFA.
- Enable MFA on remote access. VPN connections and remote desktop services should require MFA. These are frequently targeted by attackers scanning for externally accessible services.
- Deploy a password manager. Choose a reputable password manager and deploy it to all employees. For small teams, individual plans may suffice. For larger organizations, enterprise plans provide centralized management. Train employees on how to use it and make it part of your onboarding process.
- Update your password policy. Adopt the CCCS recommendations from ITSAP.30.032: require a minimum length of 12 characters, encourage passphrases, stop forcing periodic password changes, and require unique passwords for each account.
- Audit for shared accounts. Identify all shared accounts in your organization and plan a migration to individual accounts. Where shared accounts must remain temporarily, implement a password manager to manage and audit access.
- Consider phishing-resistant MFA for high-value accounts. For administrator accounts and users with access to sensitive data, consider deploying FIDO2 security keys or passkeys for phishing-resistant authentication.
- Train your team. Ensure employees understand why MFA is important, how to use their authenticator app or security key, and how to recognize phishing attempts that try to capture MFA codes. Pair this with security awareness training (BC.6).
To evaluate your authentication practices alongside the other 12 baseline controls, take the free assessment.
Common Mistakes to Avoid
Based on the CCCS guidance and common patterns in Canadian organizations, here are frequent authentication mistakes:
- Not enabling MFA when it is available. Many services offer MFA, but organizations do not enable it. This is one of the simplest and most effective security improvements you can make.
- Enabling MFA only for administrators. While admin accounts should be prioritized, all user accounts benefit from MFA. Attackers often compromise regular user accounts first and then escalate privileges.
- Relying solely on SMS-based MFA. SMS codes are better than passwords alone but are vulnerable to SIM-swapping and real-time phishing. Authenticator apps and security keys provide stronger protection.
- Forcing frequent password changes. Requiring password changes every 30, 60, or 90 days without evidence of compromise leads to predictable password patterns (e.g., Password1, Password2, Password3). The CCCS recommends against forced rotation.
- Allowing password reuse. Employees who use the same password for their work email, personal email, and social media accounts create a chain of risk. A breach at any one service compromises them all.
- Using shared accounts. Shared accounts eliminate accountability and make credential management impractical. Every user should have their own individual account with their own credentials.
- Not protecting the password manager itself. Your password manager's master account should be protected with a strong passphrase and MFA. If an attacker compromises the password manager, they gain access to all stored credentials.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.