K–12 IT teams don’t have the same options as their peers in business environments. Students may not have smartphones, or smartphones may be prohibited from campus. Laptops may be integral to the classroom environment, but they might be shared, not dedicated to a student.
What’s more, K–12 students are minors, so there are significant legal and privacy protections — such as the Children’s Online Privacy Protection Act and the Family Educational Rights and Privacy Act — that may limit possible MFA solutions.
This is where hardware tokens and software tokens come into play.
What Is a Hard Token?
Hard tokens were the original MFA. The most popular hard tokens of the 1990s displayed a six-digit number that changed every 30 or 60 seconds. When the user entered their login password, they would also enter the current number on the token’s display. This was their “second factor.”
Although security personnel loved hardware tokens for authentication, operations teams were not so enthusiastic. Tokens at the time were expensive, nearly $250 in today’s dollars, and usually had to be replaced every year, creating a constant cycle of deployment projects.
What Is a Soft Token?
Soft tokens are a lot like hard tokens without the stand-alone hardware. Using an app or a program, they traditionally rely on users authenticating via their smartphone.
There are multiple ways to provide MFA protections in K–12 environments when traditional soft tokens don’t suffice. If students have dedicated laptops, IT teams can use authenticator apps or biometrics stored on the laptop. In larger districts, risk-based adaptive MFA is an option, varying the type of MFA depending on the application and the geographic location of the user.
Hard Tokens vs. Soft Tokens
Hard tokens are still popular for some high-security consumer environments, such as online banking, but as software versions of popular hardware tokens became available, organizations quickly swiveled to soft tokens.
The newer technology offered similar security, simpler deployment, much lower costs and a better experience for the user overall. This also positioned companies for advances in MFA, such as biometrics and passkeys. The switch to soft tokens has been so fast and so popular that many IT teams have never used hard tokens.
How Hard Tokens Are Used for Authentication Today
In recent years, hard token authentication has changed dramatically. Users no longer need to copy codes from hard-to-read token displays onto their login screen. Hardware tokens can have USB connections that attach directly to laptops and smartphones. Hardware tokens enabled with near-field communication capabilities are also available, making a hard token as easy to use as tapping a payment card to make a purchase.
Furthermore, while hard tokens still must be distributed and must be replaced when lost, the cost has gone down dramatically. Even in very small quantities, tokens from vendors such as Yubico, Thales and Kensington can cost as little as $25 to $50, depending on the feature set required.
One of the advantages of the new evolution of hardware tokens is support for FIDO2 open-authentication standards. The FIDO (Fast IDentity Online) Alliance — whose members include Google, Microsoft and the National Institute of Standards and Technology — wasn’t just looking for small improvements in time-based, one-time password technology. Passkeys, the new passwordless authentication popping up in major web services, are based on FIDO standards and can be stored on new hard tokens.
With passkey authentication and hard tokens, users swap out easily stolen usernames and passwords for cryptographically strong authentication.
Using Security Tokens in K–12 Environments
While there are soft-token options schools can consider, one of the most straightforward ways to maintain MFA security in K–12 environments is to deploy hardware tokens for authentication.
Often, hard tokens are protected by a PIN that the student must enter to unlock their credentials, but IT teams that need a higher level of security can elect to use tokens that unlock with biometrics, such as fingerprints.
Because hard tokens are standards-based, the level of security can vary depending on the use case, such as the type of application being used or the age of the student.
This means that K–12 IT teams deploying hard tokens can allow students and staff to use them to access off-campus applications. Tokens can secure their Google or Microsoft accounts, their social media accounts and other web-based services.
Incorporating the appropriate hard or soft tokens can enhance the work to train today’s students to be more aware and proactive about cybersecurity by using strong authentication across their internet services, not just in school.