Multifactor Authentication Should No Longer Be Optional in K–12
MFA implementation in schools can protect against cyberattacks. Here’s how to do it.
Anyone who uses online banking nowadays is likely to receive multifactor authentication prompts, usually delivered through text messages or authenticator apps, though fingerprint and face recognition are becoming increasingly popular. Users may dislike the extra verification step, but they grasp its purpose and the importance of protecting important accounts with something more than a password.
MFA was a hotly disputed topic in K–12 education circles until recently, but cybersecurity insurance providers are increasingly requiring that school districts deploy the technology to stop malware and other intrusions.
MFA was once viewed as too costly and difficult for districts to administer and operate, particularly in classroom settings. Why? Districts lack the funding and personnel needed to run it. Changes that affect the classroom can take well over a year to design, cut into valuable instructional time, and require community and labor input to succeed.
MFA can, however, make a significant difference. Last year, when President Joe Biden met with top executives from technology companies, they emphasized that authentication systems can help prevent 80 to 90 percent of cyberattacks.
Assess Your District’s Alternatives
What can a K–12 manager do while waiting for funding, more staff, and approvals? First, you might be surprised to hear that the vendor you already use for sign-on (Microsoft, Google, etc.) already has an MFA system ready to go, with minimal or no additional license charges.
MFA functionality ranges from cheap (but possibly more complicated to configure) to pricey (and more streamlined). Microsoft and Google provide low-cost authentication options that are widespread in K–12 settings, and include MFA as part of current license agreements. More advanced capabilities, such as access restrictions, are charged separately.
Other providers offer sophisticated solutions in this market while keeping things simple. Cisco Duo includes features such as an MFA self-service website and streamlined deployment. Okta may be of interest to larger organizations because it can manage the full identity lifecycle and detect suspicious activity that may indicate a compromised account.
Stage Your MFA Rollout Based on Risk
Much of the threat to a school system comes down to two risks: data theft and damage to resources. You should start with MFA for prominent and high-risk users, then move on to MFA for the rest of your users.
We utilized a staged strategy to implement MFA in my district, Seattle Public Schools, which has 52,000 kids. I advise you to do the same and to contact district organizations in the following sequence:
Begin with your IT personnel so that they can iron out any bugs. Then, take advantage of your annual security awareness exercises and require MFA for individuals who fail them. Next, MFA should be required for accounts that handle critical data and money, such as payroll, HR, and accounts payable. After that come school board members, administrators, and managers with elevated privileges and trust. Finally, MFA should be required for all teachers and remaining staff. MFA is optional for students.
Remember to enable MFA for the school’s social media accounts, such as Twitter and Facebook.
Adoption Can Be Made Easier With Advanced MFA Options
If you opt for more extensive MFA services, you can also choose to suppress MFA prompts when the account is used from a campus location. This on-campus exemption strategy slightly raises the risk while considerably increasing acceptance and adoption.
Also, engage your union leadership early in the test and preparation stages so that it can direct your efforts. Ours was quite helpful in both fine-tuning our messaging and developing an appeal/exception process.
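An added example, not code from the article or from any vendor: a small Python policy evaluator that combines the staged rollout described above with the on-campus exemption. Group names, phase numbers and campus IP ranges are constructed, and the `NO_EXEMPTION_GROUPS` rule is an assumption added to show one way to contain the extra risk the exemption introduces.

```python
"""Toy MFA rollout policy: staged enforcement plus an on-campus exemption."""
import ipaddress
from dataclasses import dataclass

# Rollout phases in the order the article recommends (constructed labels).
PHASE_OF_GROUP = {
    "it_staff": 1,                 # IT first, to iron out bugs
    "failed_awareness_test": 2,    # users who failed the awareness exercise
    "finance_hr_payroll": 3,       # accounts handling money and critical data
    "board_admin_manager": 4,      # board members, administrators, managers
    "teacher_staff": 5,            # all teachers and remaining staff
    "student": 99,                 # optional: never required by this policy
}

# Constructed district network ranges that qualify for the on-campus exemption.
CAMPUS_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Assumption: highest-risk groups keep MFA even on campus, to limit the added risk.
NO_EXEMPTION_GROUPS = {"it_staff", "finance_hr_payroll"}


@dataclass
class User:
    name: str
    groups: list


def rollout_phase(user):
    """Earliest phase in which any of the user's groups requires MFA."""
    return min((PHASE_OF_GROUP.get(g, 99) for g in user.groups), default=99)


def is_on_campus(ip):
    """True when the source address falls inside a district campus range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETWORKS)


def mfa_decision(user, current_phase, source_ip, campus_exemption=True):
    """Return (require_mfa, reason) for a sign-in given the current rollout phase."""
    phase = rollout_phase(user)
    if phase > current_phase:
        return False, f"not yet in rollout (phase {phase} > {current_phase})"
    if campus_exemption and is_on_campus(source_ip) and not (set(user.groups) & NO_EXEMPTION_GROUPS):
        return False, "on-campus exemption"
    return True, f"required (phase {phase})"
```

A user in several groups is enforced at the earliest of those phases, so a teacher who failed the awareness exercise is picked up in phase 2 rather than phase 5.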
Educate Employees on the Dangers of Stolen Passwords
How can you persuade people to use MFA, even when your cyber insurance provider requires it? Invite them to visit haveibeenpwned.com and look up test@test.com as well as their own email addresses. (Yes, this is a legitimate website.)
Over the last decade, both League of Legends and Evite have seen significant thefts of K–12 passwords. Cyberattacks exploiting defects like Heartbleed and vulnerabilities like Log4Shell continue to endanger vendors and websites regularly. According to the Spam Auditor blog, enormous quantities of credentials are being traded on the dark web.
More district employees are working remotely as a result of COVID-19. When a district exposes services such as VPNs or remote access without MFA, the likelihood of a districtwide ransomware attack increases. At any time, you should assume that more than 7% of your credentials have been compromised and can be used against you.
It is important to educate employees that stolen district account credentials can be used remotely to manipulate grades, divert paychecks to criminals’ bank accounts, and search the district’s shared files for sensitive material to use in extortion and blackmail threats.