Multi-Factor Authentication for Schools: Why MFA Is Now Required and How to Roll It Out

Multi-factor authentication (MFA) is the single most effective cybersecurity control for preventing account takeovers in schools. The DfE Cyber Security Standards (January 2023) require MFA on all staff accounts, remote access systems, and administrative platforms. Yet deployment rates across UK schools remain low — many schools still rely on passwords alone for email, learning platforms, and school management information systems. Every UK school that suffered a credential-based account takeover in the past three years had inadequate MFA deployment in common.

DfE Cyber Security Standards (January 2023) require MFA on all staff accounts. NCSC analysis shows MFA prevents over 99% of password-based account takeovers.

Why MFA Is the Most Important Control for Schools

Password-based authentication is fundamentally insecure in an education environment. Staff reuse passwords across personal and work accounts. Phishing attacks harvest credentials at scale. Password spray attacks test common passwords against thousands of school accounts. Data breaches at third-party sites expose staff passwords that are also used for school systems. MFA breaks this attack chain. Even if an attacker obtains a staff member's password — through phishing, credential stuffing, or dark web purchase — they cannot access the account without the second factor. The NCSC estimates MFA prevents over 99% of password-based account takeovers. For schools where a single compromised account can be the starting point for a ransomware attack affecting all staff and pupils, this control is non-negotiable.

Which Systems Need MFA in Schools

The DfE standards require MFA across all staff accounts and remote access. In practice, this means:

  • Email: Microsoft 365 or Google Workspace accounts for all staff
  • School Management Information System (MIS): SIMS, Arbor, iSAMS
  • Remote access: VPN, Remote Desktop, any system accessible from outside the school network
  • Financial systems: accounts payable, payroll, banking portals
  • Cloud storage: SharePoint, OneDrive, Google Drive used for school documents
  • Video conferencing and collaboration: Teams, Zoom administrative accounts
  • Third-party platforms with staff access to pupil data

Choosing the Right MFA Method for Schools

Not all MFA methods are equal. Authenticator apps (Microsoft Authenticator, Google Authenticator) provide strong MFA that is resistant to SIM-swap attacks. SMS-based MFA is weaker but significantly better than no MFA. Hardware security keys (YubiKey) provide the strongest protection but are more complex to deploy at school scale. For most schools, authenticator app MFA deployed through Microsoft 365 or Google Workspace conditional access policies is the right balance of security and usability. Schools should plan for staff who do not have smartphones — hardware tokens or alternative methods should be available.

Managing Staff Resistance to MFA

The most common barrier to MFA deployment in schools is staff resistance — the perception that MFA is inconvenient and disruptive. Effective change management includes: communicating the reason for MFA in accessible, non-technical terms; providing clear setup instructions and in-person support sessions; allowing a phased rollout starting with high-risk accounts; and configuring MFA with sensible session persistence so staff are not prompted repeatedly throughout the day. Modern MFA configured correctly is far less disruptive than a ransomware attack.
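As an added example of the deployment approach described above (this code is not part of the original article), the following Microsoft Graph PowerShell creates a report-only Conditional Access policy that requires MFA for a pilot group of high-risk staff and sets session persistence so the pilot is not re-prompted all day. It assumes the Microsoft.Graph module is installed and a sufficiently privileged account; the group id and display name are placeholders.

```powershell
# Added example, not from the original article.
# Assumes: Microsoft.Graph module installed; the signed-in account can write
# Conditional Access policy. The group id below is a placeholder to replace
# with the object id of your own pilot group (e.g. SLT, finance, IT staff).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder group id
$displayName  = "MFA - phase 1 - high-risk staff (report-only)"

$policy = @{
    displayName = $displayName
    # Report-only first: sign-ins are evaluated and logged but nobody is
    # blocked. Move to "enabled" once the sign-in logs show no surprises.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Phased rollout: start with one group, widen it in later phases.
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    # Grant control: the sign-in must satisfy MFA.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    # Session persistence: force a fresh sign-in every 14 days and let the
    # browser keep the session across restarts, so staff are not prompted
    # repeatedly during a working day.
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "days"; value = 14 }
        persistentBrowser = @{ isEnabled = $true; mode = "always" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# List every policy and its state so the written rollout plan and the
# tenant configuration can be compared side by side.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Later phases add further groups to includeGroups (or switch to includeUsers = "All") and change state to "enabled" after reviewing the report-only results in the Entra sign-in logs.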

Frequently Asked Questions

Is MFA free for schools using Microsoft 365 or Google Workspace?

Yes — both Microsoft 365 Education and Google Workspace for Education include MFA at no additional cost. Microsoft 365 includes security defaults that enable basic MFA, and more advanced conditional access policies are available in higher licence tiers. Google Workspace for Education includes 2-Step Verification for all accounts. The main cost of MFA deployment is staff time for configuration and user support during rollout.

What if a staff member loses their MFA device?

Schools should have a documented account recovery process. This should include a secure way for IT to verify staff identity without the MFA device, and a way to reset the MFA registration so a new device can be enrolled. Microsoft 365 and Google Workspace both have administrative procedures for account recovery. Schools should not maintain a list of bypass codes or create MFA exceptions for specific staff — these create security gaps that attackers exploit.

Do pupils need MFA?

The DfE standards focus on staff accounts — MFA for pupils is not explicitly required. However, for students in sixth form and further education colleges who have accounts with access to sensitive systems, MFA is beneficial. In universities, MFA for all student accounts is standard practice. The main consideration is the sensitivity of data accessible from student accounts and the risk of those accounts being compromised.

Help rolling out MFA across your school or MAT

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
