MFA works. So why isn't it available for every student?

Multi-factor authentication, or MFA, has become a common solution to the weakness of username and password-based security. In addition, it is a common mitigation adopted by various security frameworks such as NIST, ISO 7001, the Essential Eight and PCI DSS.

It is no surprise, then, that most of us use MFA daily in one way or another. However, it's alarming that most K-12 students still rely solely on usernames and passwords despite MFA being a crucial cyber security recommendation.

It is accepted that deploying conventional MFA can be challenging due to usability issues, cost, and administrative overheads. However, the main impediments to students using MFA seem to be common misconceptions, including:

  • Schools are not a target for cybercrime; 
  • Student data is of low value to hackers; and, 
  • MFA is too complicated for K-12 students and will impact the learning experience.

Let's examine these reasons more closely to see if they hold up.

Misconception 1: Schools are not a target for cybercrime

It may not be obvious, but cybercriminals do not limit their focus to large organisations and financial institutions. Educational institutions, including schools, are also vulnerable to cyber-attacks. In fact, according to a recent report by Check Point Research, schools and other educational institutions worldwide experience the highest number of cyber-attacks compared to other sectors. For instance, in 2023, a data breach in Tasmania leaked 16,000 documents, including school children's information, on the dark web. 

The primary reasons why schools are targeted are twofold. Firstly, some large schools have a large attack surface because of the significant number of students they enrol. Secondly, schools handle a substantial amount of money and sensitive data, including, in some cases, information on high-net-worth parents, which makes them an attractive target for cybercriminals.

Schools are also considered easy targets due to their limited IT budgets and the impact this has on their ability to keep up with zero-day attacks.

If we have agreed that MFA is essential for teachers and employees, then why aren't we making it available for students?

Misconception 2: Student data is of low value to hackers 

While academic records may not be the primary objective for hackers, the personal information of minors can be misused to commit identity theft and financial fraud, according to Doug Levin, the founder of K-12 Security Information Exchange.

Additionally, student accounts can serve as a gateway to access other accounts, given the abundance of information that can be found in their inbox from other students, staff, teachers, and parents. 

According to Nigel Phair, director of University of NSW Cyber Canberra, identity thieves start with some of a victim’s credentials and build on that to get more identity information.

Misconception 3: MFA is complicated for K-12 students and will impact teaching

One misconception surrounding MFA is that it is too complex for K-12 students and may negatively impact their learning experience. Microsoft has cautioned against enabling MFA for elementary, middle, and high school students, citing the limited potential for account compromise and damage by bad actors. Additionally, Microsoft argues that younger students may not have access to a second form of authentication. 

While this advice contradicts the advice that regulators are communicating to the public, it is understood that Microsoft have developed this view specifically as it pertains to conventional MFA solutions like SMS and authenticator apps. A modern MFA solution that protects students without disrupting their learning experience should be sought.

So, what is the alternative?

At Haventec, we firmly believe that every student deserves proven protection from cyber threats. This is impossible in a school environment with conventional MFA, given that it relies on the student having access to a mobile phone. That's why we've introduced Silent MFA for Schools - an innovative, patented technology that effectively mitigates phishing and other cyber attacks. What's more, it's completely invisible to the students – they simply enter their username and password (just like they do now)...

Haventec Silent MFA provides students with the same level of protection as teachers and employees. With cyber security incidents increasing, and children being targeted, it has never been more important to act.
