I know that a security-specific topic like this is not really something most educators have cause to be particularly interested in, but this is something that technologists, tech managers, and administrators are forced to think about as the ongoing digital disruption of our world keeps evolving. I wanted to share this piece for the many folks who wear those hats and frequent or subscribe to our content. Much thanks to John Jennings for the post! – KW
The push for multi-factor authentication (MFA) in K-12 edtech has been a slow build, inching its way over the past five years to high-priority status for some school technology leaders. By all appearances, we may be reaching a tipping point in the MFA debate, after which the approach will move from “nice thing to have” to “non-negotiable requirement.”
Like any good edtech debate, there are pros, cons, grey areas, and awareness opportunities. What is multi-factor authentication, and what will it look like in your school district? Let’s take a look.
The Promise of MFA
Multi-factor authentication is a security approach in which a user of a system must present multiple pieces of information to verify his or her identity. In a system utilizing MFA, your password isn’t enough to get you into your account. You’ll also need to answer a question, enter a token, submit biometric evidence, or perform at least one other action.
For the purpose of this discussion, “multi-factor” can be used interchangeably with “two-factor,” because that’s as far as most tech departments are looking at this time. The only difference between the terms is that multi-factor can mean any number of required pieces of information, while two-factor refers specifically to two.
The benefit of MFA is easy to understand—more verification steps mean more security. In the edtech world, that means mitigating the damage of password theft and phishing attacks, two of the primary sources for fraud, tampering, and data breaches in recent years.
Early adoption has featured text messaging as the preferred second authentication method—the idea being that a mobile phone is the one device most likely to be owned and accessible by nearly everyone in the district. To log in, a user must enter credentials on a web page, then input a time-sensitive code sent to his or her phone via text message. To gain unauthorized access, a person would need to steal a target’s credentials and also compromise the phone tied to the account, adding another obstacle for would-be hackers.
Security and Accessibility: Striking a Balance
As the use of MFA expands in school districts, we expect to see a cautious and variable approach to its adoption. Basic account and contact management is a challenge right now due to such a wide range of users with varying levels of digital literacy. The introduction of a new variable is almost sure to cause waves.
If large groups of students, parents, or employees have a hard time remembering usernames and passwords, how will they ever manage another step in the process? Is there a certain point where security begins to outweigh usability? Planning and communication will be key, but what other factors need to be considered?
These three categories are worthy of further discussion when developing an MFA strategy for your district:
1) Beyond SMS
Text messaging may be the standard now, but its viability as a long-term solution is not looking great. The National Institute of Standards and Technology has already sent out signals hinting at a potential expiration date for SMS authentication, especially in high-security systems. Sure, MFA via text message is better than no MFA at all, but technology departments would do well to have a multi-year plan in place.
2) All, none, or some
Some tech leaders we have spoken to are ready to go all-in on MFA for every member of their school community. Others are looking to adopt a phased approach, starting with the most sensitive systems and processes, such as grading and payroll. This decision will be a central part of any rollout plan, but it will also be dependent on the MFA solution being used—some MFA options are all-or-nothing propositions, while others offer a high degree of customization.
3) Trusted devices
Most school employees need to access the same systems multiple times per day. It’s simply not feasible to send a new text message with a new security code every single time. Trusted devices account for this issue by giving users the option to “trust” their phone, tablet, or computer for a set period of time, bypassing the second factor when accessing the same system from the same device.
Tech teams will need to consider when and where to enable trusted devices and what the “trust duration” should be. There’s also the consideration of how to mitigate “trusting” from shared devices on district property, which would defeat the purpose of MFA.
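An added sketch of the trusted-device check described above (not code from the article or from any vendor product): after a successful second factor the server issues a signed, expiring token bound to one user and one device, and it never issues or honors one for a device on a shared-device list. The key, the 30-day trust duration, the device identifiers, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # assumption: per-deployment secret, kept server-side
TRUST_SECONDS = 30 * 24 * 3600         # assumption: 30-day "trust duration"
SHARED_DEVICES = {"lab-cart-07"}       # constructed: district-owned shared devices


def _sign(user, device_id, expires):
    # MAC over user, device and expiry so none of them can be altered client-side.
    msg = f"{user}|{device_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_trust_token(user, device_id, now=None):
    """Call only after a successful second factor. Returns None for shared devices."""
    if "|" in user or "|" in device_id:
        raise ValueError("identifiers must not contain the field separator")
    if device_id in SHARED_DEVICES:
        return None  # shared devices are never trusted
    now = int(time.time()) if now is None else now
    expires = now + TRUST_SECONDS
    return f"{user}|{device_id}|{expires}|{_sign(user, device_id, expires)}"


def second_factor_required(user, device_id, token, now=None):
    """True unless token is a valid, unexpired trust token for this user and device."""
    now = int(time.time()) if now is None else now
    if not token or device_id in SHARED_DEVICES:
        return True
    parts = token.split("|")
    if len(parts) != 4:
        return True
    t_user, t_device, t_exp, t_sig = parts
    # Verify the MAC first; only then are the embedded fields trustworthy.
    if not hmac.compare_digest(_sign(t_user, t_device, t_exp), t_sig):
        return True
    if t_user != user or t_device != device_id:
        return True  # token copied from another account or device
    return now >= int(t_exp)  # expired trust forces the second factor again
```

In this sketch, shortening `TRUST_SECONDS` or adding a device to `SHARED_DEVICES` takes effect on the next login, because both are checked server-side on every request.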
4) A positive rollout
The two most important user-driven elements of the MFA process are delivery method and contact information. Districts will need to determine how to handle those few stakeholders who do not have immediate access to text messaging and how to deliver a highly visible, straightforward process for parents, students, and staff to update contact information when cell phone numbers change. The systems where this information lives are the same systems protected by the added layer of security, so a new internal approach may be necessary.
It will be interesting to see how quickly multi-factor authentication moves from a wish list item to a required specification for the average school district. The tug-of-war between user experience and security will come with pains, but one would think that social media, banking apps, and other secure services have at least begun to desensitize the masses to MFA.
The biggest question, and one we’ll be watching closely at Skyward, is whether MFA will look the same as it does now by the time it becomes an edtech standard. Will new advancements in biometric authentication render all these considerations moot by the time most districts even get off the ground? At the speed with which technology evolves, “getting caught up” is a stretch for any organization. The trick lies in not falling too far behind.