May 23 2023

Fact or Fallacy: Don’t Let MFA Myths Sink Your K–12 Security Strategy

Here’s a brief primer for schools looking to follow recent federal cybersecurity guidelines for multifactor authentication.

Cybercriminals are becoming relentless in their efforts to gain access to critical school networks that hold confidential student and staff data. According to the K12 Security Information eXchange, over the past six years, there have been 1,619 cyber incidents in K–12 schools in the U.S. That’s more than one cybersecurity event every school day.

How can we reduce these attacks? A recent report from the Cybersecurity and Infrastructure Security Agency, “Protecting Our Future: Partnering to Safeguard K-12 Organizations From Cybersecurity Threats,” points to multifactor authentication as an essential tool in the fight to protect school networks. MFA works by prompting users to validate one or more additional factors beyond a password to prove their identity when signing into an account.

As the cybersecurity and systems administrator for Arbor Park School District 145, a small district outside of Chicago, I’ve personally seen how effective this authentication method can be in reducing unauthorized user account access. While MFA has become integral to larger organizations, schools might still be confronted with incorrect information about it. Read on to separate the myths from the facts.

Fact: Multifactor Authentication Adds a Layer to School Cybersecurity

Many of us have already encountered MFA. The process generally involves users correctly entering their passwords into various applications, after which they are prompted to enter a text code or approve the login via an authenticator app. That is an example of MFA using layers to ensure that the correct person is seeking access to a particular platform. MFA comprises many methods, but they are typically categorized as:

  • Something you know, such as a password or PIN
  • Something you have, such as a phone number or security key
  • Something you are, using face recognition or fingerprint scanning

From this list of categories, you can see how MFA uses a variety of methods or layers to prove the correct person is logging in to the correct account.

Fallacy: MFA Provides a 100 Percent Security Guarantee

While MFA is an excellent way to keep unauthorized individuals out of sensitive accounts, it is not guaranteed to work 100 percent of the time. A savvy hacker can still bypass security using a popular technique called an MFA fatigue attack.

Attackers using this method will continuously text or call a phone with a second-factor authentication request, hoping the phone’s owner will approve it, giving them access to the protected account where they can wreak havoc. If this happens to you, the best response is to deny the continuous requests and contact your IT department.

I have seen this attack firsthand at my district, which is why I am testing different methods of non-phishable MFA.
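
One way to spot the repeated-prompt pattern described above in MFA logs, as an added example that is not part of the original article. The log format, result names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, user, result of one MFA prompt.
SAMPLE_EVENTS = """\
2023-05-01T02:10:05 jdoe denied
2023-05-01T02:10:40 jdoe timeout
2023-05-01T02:11:15 jdoe denied
2023-05-01T02:11:50 jdoe timeout
2023-05-01T02:12:20 jdoe denied
2023-05-01T02:12:55 jdoe approved
2023-05-01T07:45:00 asmith denied
2023-05-01T07:45:30 asmith approved
2023-05-01T08:00:00 blee approved
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 4                    # assumed count of denied/ignored prompts

def parse(text):
    """Yield (timestamp, user, result) from the assumed three-field format."""
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result

def detect_fatigue(text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: severity}: 'prompt_burst' or 'approved_after_burst'."""
    recent = defaultdict(deque)  # user -> times of denied/timed-out prompts
    alerts = {}
    for ts, user, result in sorted(parse(text)):
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()     # forget prompts older than the window
        if result in ("denied", "timeout"):
            failed.append(ts)
            if len(failed) >= threshold:
                alerts.setdefault(user, "prompt_burst")
        elif result == "approved":
            if len(failed) >= threshold:
                # Approval right after a burst: treat the session as suspect.
                alerts[user] = "approved_after_burst"
            failed.clear()
    return alerts

if __name__ == "__main__":
    for user, severity in detect_fatigue(SAMPLE_EVENTS).items():
        print(user, severity)
```

An `approved_after_burst` result is the case to escalate first, since it means a prompt was accepted right after a run of denied or ignored ones.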


Fact: MFA Can Help Meet Insurance Compliance Guidelines

If you are an IT director and have recently shopped around for cybersecurity insurance, you may have noticed that MFA implementation is now mandatory; without it, the price of insurance goes up. Furthermore, most cybersecurity insurance companies will not cover ransomware costs for districts that do not comply with this guideline. Having helped my district renew its cybersecurity insurance, I know this to be true.

However, this only underscores the fact that MFA can work wonders in reducing risk to school districts. Moreover, IT administrators may notice that companies such as Microsoft, Google, Cisco and others are beginning to deprecate simple username and password authentication.

If you haven’t started implementing MFA, start today to avoid a rushed rollout later. MFA can also help technology leaders form strong cybersecurity policies for their districts, keeping the protection of student data in mind.

Fallacy: Only District Administrators Need MFA

There is a common misconception that only employees and district administrators need to use MFA. Unfortunately, bad actors are crafty and more than happy to get into district data via accounts belonging to anyone, including paraprofessionals, teachers or substitutes.

Getting access to these accounts could allow criminals to see student data contained in emails, in private chats between staff members or even in the district’s student information system, where private data is stored. Access to staff accounts might also provide hackers an avenue for making lateral moves within the network.

The more information stolen from your district, the more likely you are to suffer a breach of confidential staff and student data. It’s imperative that more districts implement MFA for all accounts to drastically reduce the risk of a compromised network.

Source: GuidePoint Security, GRIT Ransomware Report: Q1, January-March 2023, April 2023

Fallacy: Text Codes Are the Only Way to Authenticate Accounts

For school districts, text codes are likely the most popular way to quickly integrate MFA because most if not all staff have a smartphone for providing the second factor of authentication. However, at my school district, I have been actively investigating and testing alternative methods of authentication for our staff.

One method would tie into staff identification cards. With the use of smart ID cards, staff members would be able to get into the building, release print jobs and sign into their devices with ease. They would simply hold their badges near the card reader to access the printer; for device access, they would insert the card into the slot on a compatible USB-connected case, enter their PIN and voila! They are signed in. This method is essentially like single sign-on, but for the physical world — no smartphone needed.

I’ve also tested using a security key: users would insert it into a USB port, enter their PIN and sign in. Again, no need for a smartphone.

Whether you are a school board member, IT administrator, superintendent or educator, it is important to understand why MFA matters. Without it, cyber attacks on a school’s network infrastructure could result in catastrophic loss of staff and student data.

This layered approach to authentication should be implemented as soon as possible to reduce the overwhelming risks of cyber threats that schools face every day.

Illustration by Olly Kava
