Multi-factor Authentication Deployment in Higher Education
The education sector faces a growing and increasingly complex set of cybersecurity threats. The industry has been heavily attacked for several years already, with phishing, ransomware and denial-of-service attacks growing in frequency and ferocity. What has blown the gates off, however, is the forced move to remote and online learning in response to the health pandemic that began early in 2020, which has made data breaches more common.
Data breaches result in unauthorized access to details on students, educators, and school operations, and can be caused by human error within an institution, a cyberattack on an institution, or a data breach at a third-party vendor that holds data from across tens, hundreds, or thousands of institutions.
Compromised data on students and educators is often sold for tax fraud, identity theft and other scams. Examples of data breaches in the education sector include:
- In September 2020, a phishing attack at Syracuse University gave the threat actor access to an email account belonging to an employee of the university. The email account contained personal data on 9,800 Syracuse University students, alumni, and applicants. The post-breach forensic investigation was unable to determine whether the unauthorized party ever viewed the personal information in the email account.
- In 2021, when Shorewood School District responded to an open records request from a parent for data on a recent survey, it mistakenly included personal information on the student respondents, including data types such as student name, ID number, school, gender, and ethnicity.
By auditing databases for compliance, establishing standards and cybersecurity policies, controlling user access, and using real-time database monitoring, schools can protect their critical data against breaches. One of the most critical first steps in implementing any cybersecurity strategy is multi-factor authentication (MFA) for all accounts, to mitigate the risk of data breaches and account compromise by threat actors.
Grand View University MFA Example
Imagine yourself in a leadership role at a college with thousands of employees and students who do not have the MFA option. Such was the case for Grand View University. In a PortalGuard webinar co-hosted by Eric Link, Systems Administrator for Grand View, the adoption of PortalGuard’s identity management solutions, including Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR), and their positive impact on the University is examined.
Without Multi-factor Authentication
Grand View University did not have requirements in place for password expiration or complexity. Most of the staff had been using the same password for nearly a decade — and some for even longer. Password resets and changes simply did not exist at the time for Grand View users. The only time a password change occurred was when a user knew about the archaic method of pressing “Ctrl + Alt + Delete” and clicking “Change Password.”
Not only were Grand View University’s users more likely to forget their passwords for their many applications (including SharePoint 2013, Exchange, Blackboard, Ellucian), but they were also at greater risk of having their personal information breached. Since their logins were not standardized across their many apps and multiple login pages, there were many username discrepancies.
With Multi-factor Authentication
Rather than entering the password for a particular app, Grand View users needed to provide a one-time passcode (OTP) from one of their authentication methods (Email, SMS, Mobile Authenticator, YubiKey) to access all their applications. Prior to implementing SSPR, Grand View’s help desk received 40+ daily calls for password resets and assistance. With PortalGuard, they were able to reduce their daily calls to fewer than 10. Today, users can provide the help desk with their OTP when they need assistance with a password reset.
Through MFA, Grand View University blocked the majority of automated attacks and mitigated the risk associated with static passwords. Now, students, faculty, and staff have strengthened their account logins, further blocking threat actors from compromising data.
Types of MFA Approaches
Several approaches are available for multi-factor authentication for education, including sending a unique one-time code by text message or email, using an authenticator app on a mobile phone, relying on a hardware security key, or biometric authentication. However, each method needs to be evaluated for security and usability pros and cons for users.
For example, there are practical and security concerns in relying on text and phone-based methods, including poor cell coverage areas and reliance on personally owned mobile phones. Several sophisticated attacks have also compromised systems relying on codes delivered by authenticator apps.
Hardware security keys that support modern authentication protocols such as FIDO2/WebAuthn cannot be phished and have been shown to stop account takeover attempts.
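The phishing resistance of FIDO2/WebAuthn comes from bindings that the relying party (RP) checks on every assertion: the browser, not the web page, records the origin in clientDataJSON, and the authenticator's data carries a hash of the RP ID. The following is an added example (not code from PortalGuard or the page's author) that models those RP-side checks in Python with constructed values; the portal name login.example.edu, the sample challenge and the lookalike host are assumptions, and the final signature check is omitted.

```python
import base64
import hashlib
import json

# Constructed values: the relying-party (RP) ID of a hypothetical campus
# login portal and the exact origin the RP will accept assertions from.
RP_ID = "login.example.edu"
EXPECTED_ORIGIN = "https://login.example.edu"

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The browser, not the web page,
    fills in `origin`, so a lookalike site cannot claim the genuine one."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData: SHA-256(rpId) || flags (UP|UV) || 32-bit signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05\x00\x00\x00\x01"

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes):
    """RP-side binding checks from the WebAuthn assertion procedure. The
    signature check over authData || SHA-256(clientDataJSON) that follows
    them in a real RP is omitted here. Returns (accepted, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or stale ceremony)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def demo():
    """Genuine login beside the same ceremony relayed via a lookalike host."""
    challenge = hashlib.sha256(b"constructed-nonce").digest()  # constructed
    auth = make_auth_data(RP_ID)
    genuine = verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN), auth, challenge)
    relayed = verify_assertion(make_client_data(challenge, "https://login-example.edu"), auth, challenge)
    return genuine, relayed
```

A one-time code has no equivalent of the origin or rpIdHash field, which is why it can be typed into any page that asks for it while a WebAuthn assertion collected on the wrong host is rejected by the genuine site.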
Biometric authentication, by contrast, is the only authentication method that can verify the identity of the individual requesting access (as opposed to the possession of a key or token that may have been stolen). It does not require the user to carry any additional device and cannot be used for unauthorized delegation (i.e., sharing credentials).
Flexible Options for Students, Faculty, and Staff
Administrators run into problems with user acceptance and adoption of MFA when their MFA solution offers only a limited set of authentication methods. PortalGuard gives administrators the flexibility they need to implement secure authentication that students, faculty, and staff will be happy to adopt. For example, a student going to Blackboard authenticates with a one-time password (OTP), a username, and a password, whereas a staff member accessing a financial application is prompted to provide a biometric factor. Using security policies, administrators decide which methods are enforced and which are made available for users to choose from during login.
MFA should be used everywhere by everyone, but one-size-fits-all approaches do not work; instead, configure security policies to give users appropriate options. When it comes to privileged access—e.g., staff and faculty accessing systems containing sensitive information on students and staff, or finance personnel accessing systems for approving invoices or making payments—hardware security keys or biometric authentication should be used.
Overcoming Objections in Education
The main objections to MFA can be overcome by designing for convenience. Convenience with multi-factor authentication for education requires supporting multiple options in security policies, so that if the primary authentication method is unavailable, appropriate alternatives exist for the student, staff, or faculty member. There will be times when a mobile authenticator is not available (e.g., a student loses their phone), a device does not have a fingerprint reader, or there is no cell coverage for receiving SMS codes, so multiple valid options are essential.
See the State of Multi-factor Authentication
With multi-factor authentication becoming common in many institutions, more organizations are looking to implement MFA in their own environments to mitigate security risks. However, implementing MFA is easier said than done, and many schools may have a hard time finding a solution that works for them. Therefore, we have developed an in-depth MFA survey that examines how organizations manage security and authentication and captures decision makers’ attitudes toward various authentication methods, including Zero Trust for education, passwordless approaches, and biometrics.