Explain the Risks of Identity Theft When Promoting MFA
To promote any security measure, it’s important to lay out in detail exactly what’s at stake.
Just like putting fewer locks on your door makes it easier to break open, the less effort someone has to put into, say, accessing a university email account, the easier it is for bad actors to gain the same access. Once a bad actor has access to your email, there’s no end to the amount of private data, personal information and other accounts (like your bank account) that they can get to as well. Identity theft is a nightmare no user wants to have to experience.
MFA provides an extra layer of security, forcing you to prove that you are who you say you are. And the more layers of authentication someone must go through to gain access to the network, the more difficult it’s going to be for an attacker to break through.
Another potential issue is the compromise of the entire campus network. While that may not be an appeal that resonates with everyone on your campus, plenty of faculty, staff and students aren’t going to want to see their university in the headlines because a cyberattacker was able to infiltrate the network. The ensuing ransomware attack will be expensive enough to respond to, but the reputational damage that follows these breaches can be even more costly.
Explore the Different Types of MFA Solutions for Higher Ed
Most people think of multifactor authentication as the common two-factor solution, where a user enters account information, then follows up with a code sent to a mobile device. Those kinds of MFA are valuable and effective, but don’t forget to investigate other options that could be a little more user-friendly.
Single sign-on solutions like Okta still require a multifactor process when users first sign on, but once they get through the login, access to many or all apps comes with it; no more entering your password every time you switch from one app to another.
Beyond single sign-on, the next frontier for identity management could take a few different forms. One is passwordless authentication, which, like its name implies, eliminates the use of a password entirely, instead relying on things like biometrics (such as fingerprint or face recognition) and cryptographic keys.
Passwordless authentication also can be used to beef up physical security, with solutions available to limit access to campus buildings.
In addition, if your institution is already working with major vendors such as Microsoft for hardware, software or services, their MFA solutions should be part of the package you’re paying for. If you’re not sure if your Microsoft contract includes MFA access, a member of CDW’s higher education team would be happy to assist.
Educate Higher Education Students, Faculty, Staff on How to Use MFA
Regardless of what MFA solution your university decides to go with, training students, faculty and staff on how and why to use it can go a long way toward limiting those help desk requests from frustrated users.
I wrote earlier about why MFA is important, but the how can be critical as well. Many students may have never encountered MFA previously, and while they are tech-savvy, they still won’t pick up something they’ve never used before without a little assistance. The same goes for faculty and staff.
Training documents and resources should be simple and widely available. While certain colleges and universities are creating programs intent on making cybersecurity training fun, the most important educational piece I’ve found is a clean, simple, easy-to-find website explaining why MFA is in place and walking users through how to use it. This one from the University of Puget Sound is a nice example.
No matter how you lay it out, making MFA as simple to use as possible and explaining the rationale for using it in straightforward terms can set your IT department on the road to a more secure network and a happier user base.
This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.