Setting up two-factor authentication in schools – information for IT leads and principals
School or kura accounts and systems that hold a lot of information or are internet-based should be protected by two-factor authentication.
Why it matters
Two-factor authentication (2FA) is the strongest way to keep cyber attackers out of school accounts. It’s sometimes referred to as multi-factor authentication or two-step verification.
According to Microsoft and Google, it can prevent up to 99% of untargeted attacks from happening. It’s a crucial control measure to protect data and information at your school or kura.
It's most important for accounts or systems that store important, sensitive, or confidential information, including:
- email accounts
- financial accounts
- student management systems (where possible).
If attackers gain access to these accounts, they can:
- use email addresses to change passwords on other accounts
- send emails, like invoices, from the school's account
- access, steal or copy and sell financial data or sensitive information about students
- infect devices with malware or ransomware.
Although 2FA can feel like a hassle for users, it's far more hassle to have to clean up after a cyber attack. It's a small inconvenience to protect student information and school or kura accounts.
Make 2FA mandatory for admins
We very strongly recommend that you turn 2FA on for all admin accounts. We also recommend you enable it for other staff and students.
- Good = mandatory for admin accounts
- Better = mandatory for high-risk accounts and opt-in for other staff accounts
- Best = mandatory for all admin and staff accounts and enabled but optional for students.
Admin accounts are those that can add access for others, or delete files or access. High-risk accounts include admin accounts and any staff who have access to sensitive data and/or pay invoices – like your finance manager, payroll admin, and principals.
Allow any method of 2FA
Any kind of 2FA is better than no 2FA. Use the option that works best for your school.
- Good = text-based (SMS) 2FA.
- Better = authenticator code (using an app like Google Authenticator, Microsoft Authenticator or Authy) or security key (like a Yubikey).
- Best = biometrics (fingerprint or facial recognition).
SMS is the least secure of the 2FA options – attackers have managed to get past it in New Zealand. But it is still much better than just a password. Use any method of 2FA that you're able to implement – but if you can, implement 2FA using an app, security key or biometrics.
Start with the most important systems
Start with the systems that hold personal information, large amounts of data and files that are required for your school or kura to operate.
You may not be able to implement 2FA on all your school systems – find out which ones have it available. If there are important systems that don't have it as an option, speak to the provider about implementing it.
As a starting point, implement it on:
- productivity software (like Google Workplace or Microsoft 365)
- bank accounts (most banks require 2FA, so it should already be set up)
- email accounts.
If it's an option for your learning management system and/or student management system, turn it on there too.
Rolling 2FA out at your school or kura
To roll out this change in your systems, such as Microsoft or Google, you’ll need to have admin access to the system to be able to make the changes.
- All change gets some getting used to. Start by talking to staff about what it is and why it’s important.
- Enable 2FA in the console if you haven’t already. This means users can turn it on when they’re ready.
- Give them a grace period to get sorted – two to three weeks. In the meantime, you can track which staff have enrolled and which haven’t. You may need to walk through the process with a couple of people or give them a reminder.
- Start enforcing 2FA after your grace period. Remember to keep communicating with your team about the process.
What to include in your 2FA policy
Create a short policy about 2FA use at your school or kura. You should include:
- role requirements – which roles may be mandatory and which are optional
- which methods you use at your school or kura
- which systems have 2FA implemented and which roles have access.
If your school or kura doesn't have a cyber security policy, work with the board of trustees to complete a risk assessment and develop a policy.
Last reviewed: Has this been useful? Give us your feedback