Mar 03 2025
Security

MFA Fatigue: A Growing Headache for Schools (and How To Combat It)

What happens when your K–12 teams grow tired of multifactor authentication processes? Try these tips to combat MFA fatigue.

Multifactor authentication is a must for defending against cyberattacks in schools. But what happens when those extra layers of security start to wear people down? That’s MFA fatigue. It’s the frustration that users feel when they’re repeatedly hit with MFA prompts, and attackers are ready to exploit it.

Why K–12 Is a Prime Target for Cyberattacks

K–12 schools are, unfortunately, a favorite target for malicious actors for a few reasons. First, student data is incredibly valuable; it contains personal health information and financial details that can be sold on the black market. Second, the open and supportive nature of K–12 environments can lead to employees being more susceptible to phishing attempts.


The good news is that you don’t have to choose between frustrating your staff and leaving the door open to hackers. Here are some ways to fight MFA fatigue.

Get Smarter With Risk-Based Authentication

Not every login needs MFA. Adapt your process to risk level. Low-risk actions shouldn’t need an extra prompt, saving your staff the hassle.

Teach Staff How To Identify Suspicious Requests

People are your first line of defense. Teach staff, educators and administrators the value of MFA, how to identify suspicious requests and why K–12 is such a tempting target for cyberattackers.


Consider Security Keys or Biometrics

Look into advanced standards, such as Fast IDentity Online 2, or FIDO2, that use security keys or built-in biometrics. These are harder to fake and less annoying for users.

Explore Alternative Notifications

Push notifications are simple to set up but are the easiest to abuse. Explore alternatives, such as one-time codes or hardware tokens.


Have a Plan for When Cyberattacks Happen

Train staff on how to report attacks related to MFA fatigue. Swift action can drastically limit the damage. And don’t authenticate employees into oblivion. To limit unnecessary prompts, adapt their frequency based on user history.
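
The sketch below is an added example, not code from this article or from any MFA product. It shows how the risk-based approach and the history-based prompt frequency described above can be expressed as one decision function, with a guard that stops sending push prompts after a burst of rejections. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Field names, weights and thresholds are illustrative assumptions.
REMEMBER_FOR = timedelta(hours=12)    # how long a recent MFA success still counts
BURST_WINDOW = timedelta(minutes=10)  # window for counting rejected pushes
BURST_LIMIT = 3                       # rejected/ignored pushes tolerated in the window

@dataclass
class Login:
    known_device: bool       # device already seen for this user
    usual_location: bool     # matches the user's login history
    sensitive_action: bool   # e.g. payroll, student records, admin console
    last_mfa_ok: Optional[datetime] = None
    rejected_pushes: List[datetime] = field(default_factory=list)

def risk_score(login: Login) -> int:
    """Add up simple risk signals; higher means riskier."""
    score = 0
    if not login.known_device:
        score += 2
    if not login.usual_location:
        score += 2
    if login.sensitive_action:
        score += 3
    return score

def decide(login: Login, now: datetime) -> str:
    """Return 'no_prompt', 'prompt', 'security_key' or 'suspend_push_and_alert'."""
    burst = [t for t in login.rejected_pushes
             if timedelta(0) <= now - t <= BURST_WINDOW]
    if len(burst) >= BURST_LIMIT:
        # A run of rejected prompts is the signature of a fatigue attempt:
        # stop sending pushes and hand off to the incident process.
        return "suspend_push_and_alert"
    score = risk_score(login)
    recently_verified = (login.last_mfa_ok is not None
                         and now - login.last_mfa_ok <= REMEMBER_FOR)
    if score == 0 and recently_verified:
        return "no_prompt"      # low risk, verified recently: spare the user
    if score >= 4:
        return "security_key"   # high risk: require a phishing-resistant factor
    return "prompt"
```
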

Offer Clear Explanations To Avoid MFA Fatigue

Give context with MFA requests, such as device or location. A little information helps people make better decisions.

Combatting MFA Fatigue Is Not Just About the Tech

Ultimately, it’s a balancing act. MFA fatigue highlights the fact that good cybersecurity isn’t just technical; it’s about making security work with your staff, not against them.
