SB 820 & COVID-19: Why MFA Must Be Part of Cybersecurity for Schools


Smiling mother and her daughter using a notebook in their kitchen

While there is no user group that is safe from data breaches, K-12 is particularly vulnerable right now. In North Dakota alone, the state network used by K-12 schools, state universities, and other public agencies experience 5.7 known cyberattacks every month. Data breaches are not uncommon, and districts are limited in the measures they can take due to budget constraints.

In a push to address growing cybersecurity concerns, Texas has passed SB 820. Effective September 1, 2019, each Texas school district must adopt a cybersecurity policy to secure district cyberinfrastructure against cyber attacks and other cybersecurity incidents, and determine cybersecurity risk and implement mitigation planning.

While it’s heartening to know that cybersecurity is becoming more and more prevalent in the minds of K-12 technology leaders, the industry is still slow to respond to threats. At the moment, K-12 is mostly reactive in regards to privacy practices. 

Due to limited resources for IT and cyber security, threat actors see school districts as easy targets. The result? Districts finally execute security enhancements, but at that point it may be too late. The average cost to address a data breach is $246 per record in educational institutions. In a smaller school district, the cost can end up hitting taxpayers’ wallets hard, further fueling bad press.

In a world where students’ personal data is worth more than the average cost of their tuition, what can districts do to keep their data protected? Adopting stricter authentication policies is a great first step. 

However, there are still too many districts who are depending on outdated authentication methods to verify identities. K-12 no longer has the luxury of viewing security measures, such as Multi-Factor Authentication (MFA) as something that’s “nice to have.” The time to implement MFA is now.

What is MFA and How Does it Strengthen District Security?

To better understand MFA, we must first define what authentication is. Authentication is a process used to prove a person is who they claim to be. There are two steps to authentication: identification and verification.

  • Identification: The user presents the claimed identifier to the identity system or application. The most common identifier is the standard username (e.g. jdoe). 
  • Verification: The user must prove they are who they say they are. This is done by providing or generating information that verifies the binding between the information and the identifier. The most common method used for verification is the standard password (e.g. MySecretPassword_123!).

For most districts, authentication still means single-factor authentication in the form of a username and password. However, passwords are inherently insecure and can be forgotten, stolen, or cracked, even with the best password policies in place. In fact, 80 percent of accounts requiring simple username and password authentication methods will be compromised. On top of that, K-12 is often the target of phishing attacks. In a recent EdTech Magazine study, more than half of K-12 CTOs said phishing is a significant problem.

Even with the mounting cyberattacks and the weaknesses of passwords being so well-known, K-12 is still behind the curve in terms of cyber security. For the most part, only larger districts have implemented some level of multi-factor or two-factor authentication. So what is MFA?

NIST SP 800-63-3 DRAFT defines MFA as a characteristic of an authentication system or an authenticator that requires more than one authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.

The three authentication factors are

  • Something you know (e.g. password)
  • Something you have (e.g. token)
  • Something you are (e.g. fingerprint)

For example, when a teacher accesses a new application and needs to input an access code along with username and password credentials, that is an example of MFA. In this article, we’ll use the terms “multi-factor” and “two-factor” authentication interchangeably, as most school districts aren’t using true multi-factor authentication that leverages all three authentication factors at this time.

The strength of MFA stems from the use of multiple authentication factors. For example, layering a username/password with an ID badge scan or push notification enhances security because even in the event the user’s password is compromised, the thief still wouldn’t have the second authentication factor.

Your Current Security Posture Isn’t Enough. The Time for MFA is Now.

We’re seeing how districts are modifying instruction in response to COVID-19. Schools are closing their campuses and opening their doors to remote learning. Unfortunately, this is a prime opportunity for cyberattackers to take advantage of any lapse in data security.  With the new perimeter of learning being outside classroom walls, districts should be cracking down on how users are able to access their information. 

Some districts might shy away from implementing MFA across all users for fear of affecting usability for the student population. In fact, many districts might consider MFA for faculty and administrative accounts, but stop short of students, parents, and external users. This is only a partial solution though. The remote learning movement starkly highlights the fact that any and all accounts need additional protection.

With that in mind, it’s important to make note of K-12’s user base. K-12 is unique in that they have varied user populations, each with different levels of digital literacy. On top of that, each user group needs different levels of access, including access to different programs. Everyone needs standard access, but authentication systems should be flexible enough to tailor MFA methods used to each user type.

Therefore, it’s crucial to find an MFA solution that offers flexibility and a wide breadth of authentication, so that each of these different user groups and levels of access can each be appropriately addressed with the right level and types of authentication in order to avoid negatively impacting usability. 

For example, parents might be logging in to school resources more frequently now, and this could increase help desk burden as parents struggle with school-provided passwords. Augmenting this with enhanced password self-service or MFA models that support “passwordless” authentication can reduce friction on these new identities. 

However, younger students need a significant amount of access to school applications, but don’t always carry cell phones or have a personal email account. In those instances, using a pictograph would be a more reliable and kid-friendly form of authentication.

There is no question that MFA is no longer something to research and consider as a possibility, the time to adopt MFA is now. However districts choose to implement MFA, it’s plain to see that MFA can be a simple solution that mitigates the risk of private information falling into the wrong hands. 

As with any approach to security, success in MFA requires good communication with the user population, and a consideration to the end user experience. This is especially true in K-12 where, in a remote learning and remote access world, many users suffer economic challenges that preclude them from leveraging smart devices.

Avoid Becoming the Next Breach Statistic with MFA

Cyberthreats aren’t going anywhere soon. As long as user data remains valuable, intruders will try to find a way to access sensitive data. Now more than ever, school districts need to acknowledge the real threat of cyberattackers and be proactive in meeting the needs of their users with security in mind. 

With remote learning becoming K-12’s new normal and SB 820 legislation in place, MFA needs to become a critical piece of your district’s security strategy. Furthermore, MFA needs to be flexible enough to meet the needs of your district’s varied user population without negatively impacting usability. After all, one-size-fits all MFA rolled out to only faculty and administrator accounts is only a partial solution.

New call-to-action


Subscribe Here!