Recently, a survey by the Consortium for School Networking found that the share of K–12 districts using multifactor authentication to protect network access jumped from roughly 40% in 2022 to about 72% just two years later.
IDEA Public Schools, based in Texas and operating schools in several states, implemented MFA for its staff in 2021 and saw a 90% reduction in compromised user accounts — virtually overnight.
“It's probably the single most important thing we've done to reduce risk to the organization,” says Aaron Thalman, director of information security at IDEA. “Every login represents a student, parent, teacher or staff member who depends on us to keep their data safe. This isn’t just about checking a compliance box. It’s about protecting the people behind the technology.”
Click the banner below to access more in-depth cybersecurity insights.
Schools Are Stepping Up Their Identity Management Game
Before he joined the Center for Internet Security and became its vice president of security operations and intelligence, Randy Rose worked for the state of New York, probing the network vulnerabilities of its K–12 schools. There were a lot.
“You name it, you could get onto any network you wanted to,” he says. “Today, that's not the case. Schools have really stepped up their game.”
They’ve had to, as bad actors increasingly recognize the large amounts of valuable data that school districts maintain, from student health records to payroll information. “They’re a target-rich and often resource-poor environment,” Rose says.
In fact, ransomware began exploding in K–12 schools about the same time MFA became easier to implement. Moreover, cyber insurance policies began putting more of the onus for network protection on schools, including requiring MFA.
“It used to be difficult to do MFA at scale on most K–12 networks,” Rose says. “Now, it’s easier. Different districts may do it differently, but as best as they can implement MFA, it's a critical layer of security.”
$1.02 Million
The median ransom demand in K–12 education
Source: Sophos, “The State of Ransomware in Education 2025,” August 2025
IDEA Public Schools adopted Cisco Duo as its MFA solution, starting with staff. With what is now more than 12,000 Duo users in Texas, Florida and Ohio, Thalman knew he’d “never be able to sit down with every teacher and tell them what link to click and what not to.” MFA had to be as easy and unobtrusive as possible.
Once he had the green light to implement MFA, Thalman’s team began communicating to staff the reasons behind MFA and providing detailed instruction, including how to download the Duo app to their mobile devices.
With Duo, staff logging in to the network had the option of typing a passcode or receiving a call or text. Eventually, Thalman decided to use Duo’s push authentication feature across all sessions. Now, when a user logs in from an enrolled device, they are pushed a simple notification to their app, and they click “Approve” or “Deny” to confirm their request for access.
“It literally takes three seconds,” he says.
Richland One School District Chooses No-App MFA
Schools roll out MFA differently for different reasons. Much of the variety has to do with tailoring MFA to staff preferences. After all, with MFA, you may be requiring people to use their own phones or other devices for authentication.
When Richland One School District in Columbia, S.C., rolled out MFA in 2023, officials sought a solution that would not require downloading an app. Richland One opted for RSA SecureID. Staff logging in remotely receive a text code and enter it into the application, saving their location to avoid repeating the process unnecessarily. But no app is required.
“Our team did a lot of research and got feedback from various stakeholders. We piloted tokens before and decided we didn’t want anyone to have to carry something around or download anything on their phones,” says Candice Coppock, the district’s executive director of IT.
Richland One enforces MFA only when staff members are working remotely, and in the beginning, staff had the option to choose whether to participate. This led to times when IT had to “drop the veil” and disable MFA when most staff were required to work remotely; for example, during extreme weather disruptions. That changed quickly after reviewing logs, and now Richland One enforces MFA for all remote sessions. The district’s 5,000 staff understood immediately.
“Feedback from our customers was, ‘We don’t care why, what do you need us to do?’” Coppock says. “What that told us was, the important information on how to access accounts while at home and how to set up MFA had been buried in our documentation, because we wanted to explain why we were implementing this security measure. So, we flipped our messaging with the next phase of instructions and documentation, and we began with the steps they needed to take to set up MFA and access applications at home. Then, we ended with the ‘why.’”
Inevitably, some staff questioned MFA requirements, but it was far fewer than anticipated and could be easily addressed through clear communication.
“In hindsight,” says Coppock, “we should definitely have gone to each school and asked for 10 minutes with faculty before sending out the information districtwide. Moving forward, we will do just that with implementation of a project such as this.”
SUBSCRIBE: Sign up to get the latest EdTech content delivered to your inbox weekly.
Snoqualmie Valley Adopts MFA to Meet Insurance Requirements
Snoqualmie Valley School District, in the eastern suburbs of Washington’s tech-heavy Puget Sound region, adopted MFA for the 2022-2023 school year using Microsoft Authenticator. The district’s cybersecurity insurance pool required MFA, and Snoqualmie Valley invited analysts from the Cybersecurity and Infrastructure Security Agency to perform a review, which recommended MFA.
Identity management for Snoqualmie Valley — whether for Microsoft 365 or Google applications — goes through Azure, which made Authenticator the preferred option.
“While we don’t require them to use their personal cellphones, we explained it's the most convenient way to authenticate,” says Justin Talmadge, technology director for the district. Virtually no one requested an alternative accommodation.
As other districts have done, Snoqualmie set up its MFA so that in-building logins from networked, district-provisioned computers would not require additional authentication. However, when staff bring their own devices to school, and in anticipation of a rollout of MFA to students, Snoqualmie needed a plan to overcome challenging cell coverage so users could access their phones to authenticate.
“Connectivity can be an issue in some buildings,” Talmadge says. “We configured our networks for Passpoint, which allows some cellular carriers to operate through our Wi-Fi.”
Looking ahead to including students in the district’s MFA efforts, Talmadge sums up the lessons learned thus far.
“The technical piece is one thing,” he says. “The human element and how people interact with technology is the harder part. Getting people to change behavior isn’t easy. We're just trying to make it inconvenient for a bad actor to get in.”
