Implementing Multi-Factor Authentication

Bobby Bardenhagen, Marin Country Day School (CA)

Our recent webinar with Bobby Bardenhagen yielded a wealth of information about implementing multi-factor authentication (also called two-step verification) to bolster cybersecurity at his school. Below you will find notes from the webinar, as Bobby shared his personal journey and offered guidance for others who might be considering instituting this important security step. ATLIS members may access a video of the webinar here. -- SD

Poll: Have you implemented multi-factor authentication at your school?

As I began to use Google apps personally and as we began to incorporate them into our school, I saw the need for incorporating two-step verification to protect both my personal account and the school network. As we began to store more and more data, I purposefully sought to stay informed about data breaches and protection against them.

It’s important to take the initiative and be informed -- you need to know what may be coming your way in the area of cybersecurity. Luckily, I was already pretty well versed in the steps we needed to take when an event happened at our school. Also, in a general sense, I worked intentionally to gain the trust of my administrative team beforehand. So when a phishing scam appeared on our campus, I was able to build on that social capital I had already established with our administrative team. As they voiced concern about a wire fraud attempt, I saw the chance to step in with some just-in-time solutions.

Implementation

Working with Google made the process of implementation of two-step verification work smoothly. Finding the right partner ahead of time who can support your efforts to secure your data makes a huge difference. We worked with the Google team in the summer to prepare for the roll-out of two-factor verification. The Google team shared important resources for our faculty, so we didn’t really have to make anything ourselves. 

We set up a two-month clock for implementation, focusing a lot on communication because we knew it was important to our success. We deliberately worked to present the introduction of two-step verification as simply and calmly as possible.

We gave our users a choice for how to use the two-step verification process.They could use their phone to receive a SMS authorization code, print out an authorization code, be contacted by telephone, or request a physical authentication key (Yubikey) from the technology staff. We found SMS to be the easiest method for most faculty and staff, but we are now working to move users over to using YubiKey as the only method for authentication.

The importance of the socialization of the idea of multi-step authentication cannot be stressed enough. This socialization should include face-to-face meetings as well as one-on-one conversations with users. This gives the chance to offer a motivational pep talk. We leveraged the YouCanBookMe app so our users would feel supported by the tech staff. Personalization is important too. We even helped one person who had zero reception at home to find the right solution for him. Because our team was centrally and publically located in the lobby of the library, we could easily flag down the people we needed to talk to personally.

The Importance of Human Connection

Requiring frequent changes of passwords for our teacher-web interface opened the door for conversations around and implementation of multi-step authentication initiatives. Face-to-face time is critical prior to your roll-out. This provides an opportunity to ask questions, allow stakeholders to share their dissent and be heard, and invite conversation about the process.

It’s also important to provide frequent and repeated training. Target those who are having trouble and provide one-on-one coaching and assistance.

One thing we realized was that we were modeling for students how to be safe with data and devices. Ultimately, both students and faculty began asking for information about how to implement two-step or multi-step authentication on their personal devices.

Final Thoughts

Take action before you have a security breach. It’s always better to be intentional in your planning and not to feel rushed by an urgent situation. Even though we were somewhat early adopters, I wish I hadn’t waited so long.

Resources 

Google, “2-Step Verification”

YubiKey

YouCanBookMe

Cloudlock.com

ssoeasy.com

Share this post:

Comments on "Implementing Multi-Factor Authentication"

Comments 0-5 of 0

Please login to comment