COVID Access: The Importance of Multifactor Authentication During Remote Learning
#Security
by John Wilkinson
Multifactor Authentication and Preserving Security for Remote Learning
COVID-19 has accelerated the remote access challenges school districts are facing due to cloud services and integrations. While students and staff have increasingly adopted cloud-based edtech resources, access still typically occurred on school grounds and within the network before infection concerns. With significantly reduced access to physical school locations and increased remote learning, education IT teams now have to juggle secure access originating from outside the network in addition to existing cloud challenges.
Implementing an adaptive multifactor authentication (MFA) solution is one method for rapidly bolstering remote access security without overly burdening end users.
What is MFA?
Simply put, MFA requires two or more separate steps to complete a login. To complete a multifactor authentication process, you must provide specific credentials or meet certain conditions at each stage.
Many people who utilize online banking and financial services are already familiar with MFA. Typically, this process involves receiving an SMS or email containing a PIN after successfully entering their username and password. Beyond IT, you can think of the PIN code associated with debit cards as a type of MFA. You need both the card and your PIN to complete a transaction as a security measure; trying to use one exclusive of the other gets you nowhere.
When it comes to general user authentication, MFA can take many forms. Aside from the already mentioned SMS and email PIN codes, some common MFA methods include:
One-time passwords (OTP): One could argue this includes SMS and email, but it also covers the use of “authenticator” apps/clients downloadable to smart devices, such as HelloID Authenticator, Google Authenticator, or Sophos. These apps/clients connect to the login processes for specific resources and display the OTP value for a fixed period (e.g., 60 seconds). The OTP only remains valid during the specified period and changes to a different, randomized value after the timer resets.
Push notification: Somewhat similar to OTPs, push notifications require a smart device in addition to the computer, laptop, etc. used for logging in. Push notifications pop up on the smart device and the user simply taps the confirmation to complete their authentication.
Physical tokens: A physical token can be anything from a simple badge with a printed QR code to more sophisticated USB devices that must be plugged into the device used for logging in.
Additional MFA factors can be accounted for, such as the date/time the login occurs (i.e., only possible during specific windows) or requiring biometrics (e.g., fingerprints).
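The fixed validity period described for one-time passwords above can be seen in a short server-side check. This is an added example, not code from the article or from any vendor it names; it uses the standard TOTP algorithm (RFC 6238) with the 60-second period from the text, and `TotpVerifier`, `drift_steps`, and the user name are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # validity period from the article's example
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the count of elapsed time steps."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Hypothetical server-side check: tolerate limited clock drift and
    refuse any code whose time step was already accepted for that user."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps
        self.last_step = {}  # user -> newest time step already accepted

    def verify(self, user: str, secret: bytes, submitted: str,
               unix_time: int, step: int = STEP_SECONDS) -> bool:
        now_step = unix_time // step
        first = max(0, now_step - self.drift_steps)
        for candidate in range(first, now_step + self.drift_steps + 1):
            expected = totp(secret, candidate * step, step)
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                if candidate <= self.last_step.get(user, -1):
                    return False  # replay of an already-used code
                self.last_step[user] = candidate
                return True
        return False  # wrong code, or outside the validity window


# Constructed sample: the published RFC 6238 test secret, never a real one.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(SAMPLE_SECRET, 59)
    print(code, v.verify("student1", SAMPLE_SECRET, code, 59))   # first use
    print(v.verify("student1", SAMPLE_SECRET, code, 59))          # replay
    print(v.verify("student1", SAMPLE_SECRET, code, 200))         # expired
```

Rejecting an already-used time step matters because a code observed over a shoulder or on an untrusted network would otherwise remain usable until its period ends.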
Importance of MFA for Education
Edtech and other classroom technology resources usually receive the majority of attention regarding a school district’s or higher ed’s IT capability. At first glance, many may not think much of the value of data stored in education environments. However, schools must store significant Personally Identifiable Information on students, staff, and possibly parents, not to mention the typical HR and financial data (e.g., facilitating direct deposit) on all employees. The sensitivity of data in an education IT environment is far more critical than it may first appear.
With the rise of remote learning, users must be able to access their resources from outside the school’s network. This requires cloud resources and remote desktops/VPNs to facilitate. Strict authentication methods must be put into place to safeguard this access, but security isn’t as strong as you think it is if a username and password are all that’s required.
Many users suffer from poor password management (or from login processes that incentivize such workarounds). Simple passwords that are easily cracked, guessed, or socially engineered remain common because users want to avoid forgetting their credentials. Some people write down all of their passwords in a notebook or in a document on their device. It’s especially common for people to reuse a password for many, if not all, of their various logins. If credentials become compromised through the lax security of these methods, or if a device or work bag is stolen, all of that access becomes compromised. Your entire IT environment may become vulnerable if a user’s password to an online retail store is compromised simply because they reused it for their school logins.
Aside from poor password management, school districts have no control over their remote users' personal network security. You may have enforced extensive security measures, but your users are connecting to the school’s IT resources over an unsecured network at home, from a coffee shop, or from another public location.
Remote Access Security
By implementing MFA, you ensure that there are additional safeguards in place should any of your users’ credentials or network security become compromised. Simply having their username and password won’t be enough for a hacker to intrude into your school district’s IT environment. MFA may require an additional step, but it is easy to use and adopt. Compared to other restrictive security efforts that overly complicate logins and frustrate users, having to quickly type in a PIN, tap a push notification, or plug in a USB token is a super simple process to secure logins.
For particularly strong authentication, MFA can be combined with cloud single sign-on (SSO) to consolidate various third-party resources into one secure dashboard. Depending on your cloud SSO, you can implement MFA at both the initial portal login and the individual cloud resources, according to the sensitivity of the data stored within.
To learn more about how MFA can benefit your school district, visit the Tools4ever website!
Follow-Up Resource: Be an Unstoppable School
For practical advice on eLearning, keeping your data and schools safe during the pandemic, and more, visit skyward.com/unstoppableschools!
John Wilkinson, Senior IDaaS Technical Writer at Tools4ever