Security

Why Multifactor Authentication Should No Longer Be Optional in K–12

Implementing MFA at schools can guard against cyberattacks. Here’s how to set it up.

Twitter

April Mardock has supported cybersecurity and IT in 132 companies. She is well versed in multilayered, complex environments and serves as the CISO for more than 60,000 users at Seattle Public Schools.

Anyone who uses online banking these days probably gets multifactor authentication prompts, usually via a text message or authentication app, although fingerprint scans and facial recognition are becoming more common. Users may not like the additional validation prompts, but they understand the function and the need to verify access to sensitive accounts with something stronger than a password.

Until recently, MFA remained a hotly debated subject in K–12 education circles, but cybersecurity insurance carriers are now requiring school districts to use the technology to prevent ransomware and other cyberattacks.

MFA was originally seen as too expensive and complex for districts to manage and operate, especially in classroom environments. Why? Districts do not have the extra funds or extra employees to manage it. Changes that impact the classroom can require more than a year of planning, take away from productive classroom teaching time, and require input from community and unions to be successful.

Click the banner below to stay updated on K–12 cybersecurity news when you sign up as an Insider.

Still, MFA can make a very real difference. When President Joe Biden met with key executives from technology companies last year, they noted that multifactor authentication can help prevent 80 to 90 percent of cyberattacks.

Unfortunately, cyberattacks including ransomware, data breaches and business email compromises remain clear threats to K–12, as noted in a 2021 report from the K–12 Cybersecurity Resource Center and the K12 Security Information Exchange. In 2020, the report shows, the number of disclosed K–12 incidents grew from 49 in the first quarter to 132 in the fourth quarter.

Consider Options for Your District

What can you as a K–12 administrator do as you wait for funding, additional employees and approvals? First, you may be pleasantly surprised to learn that the vendor you already use for sign-on (Microsoft, Google, etc.) may already have an MFA solution ready to go, with minimal or no additional licensing costs.

MFA functionality runs the gambit from cheap (but perhaps more difficult to configure) to expensive (and more streamlined). Both Microsoft and Google offer inexpensive authentication solutions that are common in K–12 environments and offer MFA as part of existing license agreements. If you want more advanced features, such as conditional access, they will cost extra.

Other vendors also provide advanced services in this space while maintaining ease of use. Cisco Duo offers features such as an MFA self-service portal and simplified deployment. Larger organizations may be interested in Okta, as it can provide full identity roles management and detect viruses based on suspicious behavior.

LEARN MORE: What is OpSec, and how can it help K–12 districts?

Stage MFA Based on Priority Groups

Much of the risk to a school district boils down to two things: theft of information and destruction of resources. You should address influential and high-risk accounts with MFA first, then move on to stage MFA for your other users.

In my district, Seattle Public Schools, where we have 52,000 students, we used a phased approach to implement MFA. I recommend you do the same, and I suggest that you address district groups in the following order:

Start with your IT staffers, so they can work out the bugs. Next, leverage your annual phishing exercises and apply MFA requirements to those who fail. Then, require MFA for accounts that control sensitive data and money, such as payroll, HR and accounts payable. School board members, principals, and executives with authority and trust should go next. Last, require MFA for classroom teachers and remaining staffers. Students can opt in to MFA.

Don’t forget to activate MFA for the school social media apps such as Twitter and Facebook.

Ease Adoption Through Advanced MFA Options

If you pay for more advanced MFA options, you could also choose to block MFA prompts when the account is being used from a campus location. This on-campus exemption approach increases risk somewhat but also greatly increases acceptance and adoption.

GET THE CHECKLIST: Use these five steps to secure student data.

Also, get your union leadership involved early in the testing and planning stages, so it can guide your work. Ours was immensely helpful both in helping us tune our communications and craft an appeal/exception process.

Educate Staff on the Risks of Stolen Passwords

How do you convince people to use MFA if your cyber insurance carrier mandates it? Invite them to visit this eye-opening site: haveibeenpwned.com using test@test.com as well as their own email accounts. (Yes, it is a trustworthy website.)

Over the past 10 years, both League of Legends and Evite have seen major thefts of K–12 passwords. Wide-reaching cyberattacks accomplished via bugs like Heartbleed and vulnerabilities like Log4Shell continue to threaten vendors and websites on a regular basis. The Spam Auditor blog reports that large volumes of passwords are being sold on the dark web.

Because of COVID-19, more district staffers are working remotely. If a district exposes tools like VPNs or remote access without MFA, it increases the chance of a districtwide ransomware attack. At any point, you should assume more than 7 percent of your passwords have been stolen and can be used against you.

It is worth reminding staffers that stolen district account passwords can potentially be used remotely to change grades, redirect paychecks to criminal bank accounts, and search the district’s shared files for sensitive data to use in ransom and blackmail threats.

MORE ON EDTECH: What will happen after CISA's K–12 Cybersecurity Act review?

Donna Grethen/Ikon Images