Cyber Security Matters in Schools

Why Implement MFA?

- Enhanced Security: MFA significantly reduces unauthorised access risks by requiring additional verification beyond passwords.
- Regulatory Compliance: Many cybersecurity guidelines now recommend or mandate MFA for educational institutions.
- Protection of Sensitive Data: Schools manage confidential student and staff records, making secure authentication a necessity.
- Mitigating Cyber Threats: MFA helps defend against phishing attacks and stolen credentials, preventing costly security breaches.

MFA Option | Description | Potential Additional Costs | Product Examples |
|---|---|---|---|
SMS-Based Authentication | Users receive a one-time code via text message to verify their identity. | Low-cost option but may require integrating SMS services, with minor carrier fees. | Microsoft Entra MFA via SMS, Google 2-Step Verification via SMS. |
Authenticator Apps | Generates temporary login codes on mobile devices for authentication. | Free apps, but may require training and support for staff and students. | Microsoft Authenticator, Google Authenticator, Authy. |
Biometric Authentication | Uses fingerprints or facial recognition for identity verification. | Requires specialised hardware (fingerprint scanners or cameras), increasing upfront costs. | Windows Hello, Apple Face ID, Android Biometrics. |
Physical Security Keys | A small physical device used for verification during login. | Requires purchasing security keys, estimated at £30-£50 per user. | YubiKey, Google Titan Security Key, Feitian Security Keys. |
Email-Based Verification | Sends an authentication code to registered email accounts. | No direct cost but relies on secure email systems with proper spam filtering. | Microsoft 365 email authentication, Google Gmail MFA. |

Microsoft and Google MFA Options

MFA Option | Description | Device App or Browser App | Microsoft Licence Requirement | Google Licence Requirement | Potential Additional Costs | Examples |
|---|---|---|---|---|---|---|
Conditional Access Policies | Enforces risk-based authentication based on user, device, and location. | Works across device apps and browser apps. | Microsoft Entra ID P1/P2 (previously Azure AD Premium). | Google Cloud Identity Premium. | Licensing costs depend on existing agreements. | Microsoft Entra Conditional Access, Google Cloud Conditional Access. |
SMS-Based Authentication | Sends a one-time code via text message for verification. | Browser app and mobile app compatible. | Available in Microsoft Entra ID Free. | Available in Google 2-Step Verification. | Minor carrier fees may apply. | Microsoft Entra MFA via SMS, Google 2-Step Verification via SMS. |
Authenticator Apps | Generates temporary login codes on mobile devices for authentication. | Device app-based authentication. | Included in Microsoft Entra ID Free. | Included in Google Workspace. | No direct cost, but training may be required. | Microsoft Authenticator, Google Authenticator. |
Biometric Authentication | Uses fingerprints or facial recognition for login verification. | Device app-based authentication (requires compatible hardware). | No specific licence required unless integrated with Conditional Access. | Integrated into Google Advanced Protection Program. | May require biometric hardware. | Windows Hello, Apple Face ID, Google Biometrics. |
Physical Security Keys | A hardware key used for secure authentication. | Works with browser apps and device apps via USB or NFC. | Supported in Microsoft Entra ID P1/P2. | Supported in Google Workspace for High-Security Access. | Security key purchase (~£30-£50 per user). | YubiKey, Google Titan Security Key. |
Email-Based Verification | Sends an authentication code via email for login verification. | Works primarily with browser apps. | Available in Microsoft Entra ID Free. | Available in Google Workspace. | No direct cost but depends on secure email filtering. | Microsoft 365 email authentication, Google Gmail MFA. |
Passkeys Authentication | Eliminates passwords, using device-based authentication. | Works on both device apps and browser apps. | Passkey support integrated into Microsoft accounts. | Available in Google Passkeys. | No direct cost but requires device compatibility. | Windows Hello, Android Passkeys, Apple Passkeys. |

Here's a breakdown of the advantages and disadvantages of each Multi-Factor Authentication (MFA) option:

MFA Option | Advantages | Disadvantages |
|---|---|---|
SMS-Based Authentication | Easy to set up and widely accessible. No additional apps or hardware required. | Vulnerable to SIM swapping and phishing attacks. SMS messages are not encrypted, making them less secure. |
Authenticator Apps | More secure than SMS-based MFA. Works offline and does not rely on mobile carriers. | Requires users to install and configure an app. If a device is lost, access may be difficult without backup codes. |
Biometric Authentication | Highly secure and convenient. Difficult to replicate or steal. | Requires compatible hardware (fingerprint scanners or facial recognition cameras). Privacy concerns regarding biometric data storage. |
Physical Security Keys | Extremely secure and resistant to phishing attacks. No reliance on mobile networks or passwords. | Requires purchasing security keys, which can be costly. If lost, recovery can be challenging. |
Email-Based Verification | Simple to implement and does not require additional hardware. | Vulnerable to email account compromise. Relies on email availability, which can be affected by outages. |
Conditional Access Policies | Provides dynamic security based on user risk, device, and location. Reduces unnecessary authentication prompts. | Requires advanced configuration and licensing (Microsoft Entra ID P1/P2 or Google Cloud Identity Premium). May require IT expertise. |
Passkeys Authentication | Eliminates passwords, reducing phishing risks. Works across multiple devices seamlessly. | Requires device compatibility. Adoption is still growing, and not all services support passkeys yet. |

Each option has its strengths and weaknesses, and the best choice depends on your school's security needs and budget.
