Hi all, I was wondering if anyone could help with this. I work for an organisation which is designing a new customer portal. We are looking at authentication requirements for customers depending on what sensitivity of data they are accessing (e.g. username and password for basic product info, MFA for bank details, etc.).
Is there any current advice or best practice I can review around this for customer access? There is plenty of advice and standards for staff accounts that we follow (e.g. Cyber Essentials says we should have MFA for all staff accounts, so that's clear and is an obvious thing to do). I work in the UK and have checked the National Cyber Security Centre website but can't find anything customer-specific there.
The reason I'm asking is we need to find a good balance between security and usability. Email step-up authentication or SMS-based MFA may be sufficient for customers, but we require authenticator-app MFA for staff. It would be helpful to have some research-based advice to back up our choices.