K-12 Multi-Factor
 Authentication Guide

This guide was created to help IT leaders in K-12 create a proven step-by-step strategy for
planning, selecting, and deploying Multi-Factor Authentication (MFA) districtwide.

From mounting ransomware threats, to skyrocketing cybersecurity insurance premiums— Multi-Factor Authentication (MFA) is no longer a "nice to have". But, how do you actually deploy MFA successfully across K-12’s diverse user groups?!

This guide, not only breaks down the what, the why, and the how of implementing districtwide MFA— but also strategies successfully leveraged by other K-12 districts.

Complete the form below for a full PDF version of our  K-12 MFA guide, or keep scrolling to read highlights.


Who is this guide for?

This guide was created to help K-12 IT professionals develop an MFA strategy that balances enhanced security with ease of use. It is specifically relevant for IT leaders— everyone from the CTO, to the Director, to front line members of your district's IT team.

Your team is tasked with providing a secure, reliable, and flexible learning environment for a complex and constantly changing user base. While your district depends on you for a strong cybersecurity foundation that protects against cyberthreats, you must also ensure it doesn’t create friction or disrupt learning. So, how can you successfully roll out MFA districtwide? Keep reading to learn how!


Chapter 1

Getting Started: Proven Tips

The “how” of implementing MFA is easily one of the biggest challenges faced by technology teams, regardless of industry— disparate user groups, devices, and remote locations must all be considered.

When defining your MFA strategy, start by examining your users’ points of access. The fewer login points that exist, the fewer access points you have to worry about securing.

An MFA strategy in K-12 Education should accomplish four objectives:

  1. Secure the entire digital ecosystem (not just EdTech or Enterprise systems)
  2. Integrate seamlessly into the existing technology stack
  3. Provide equitable deployment that caters to the individual needs of each user
  4. Continuously evolve with a district’s ever-changing and unique needs

Ideally, your users will be provided with a universal login point that they are funneled to— regardless of which systems they access. At this login point, the user authenticates once, and then, gains access to their relevant applications with security tokens as a part of a federated trust (think: SAML, OAUTH, WS-FED, etc).

This should apply to controlling devices, applications, and remote access. The near-term goal should be to have a single identity provider that can enforce adaptive MFA. Following this strategy can serve as a general ‘catch-all’ to secure the authentication of all users, to all systems.

Chapter 2

MFA Best Practices

Education is the primary target of cyber criminals. However, strengthening a district's cybersecurity posture is a struggle due to limited staff, resources, and budget. Enterprise security tools are expensive and don’t meet K-12’s unique needs.

District digital ecosystems have evolved into complex webs of systems, applications, and public networks that have become increasingly difficult to secure, making school districts prime targets for malicious actors. 

This is not only driving an urgent need for greater cybersecurity, but also mandates from cybersecurity insurance providers. One of the most common insurance requirements is requiring MFA to secure access to district resources. District-wide MFA is no longer a “nice to have,” but a necessity. 

MFA is a critical component to curbing the epidemic of account compromise attacks plaguing Education, and it’s not a new concept. Verizon’s 2020 Data Breach Investigations Report stated that “MFA can block over 99.9 percent of account compromise attacks, and with MFA implemented, knowing or obtaining a password alone will not be enough to gain access to a system.”

The strategic goal of IT teams should always be to harden the attack surface. The harder it is for a bad actor to gain access, the safer our students, faculty, and ultimately, our data sets are.

Consider the following guiding principles as best practice standards for K-12 MFA implementation:

  1. ALL privileged accounts must have MFAthis is non-negotiable.
  2. Wherever possible, go passwordless.
  3. Keep user experience top of mind when selecting authentication methods for each user group.

At a minimum, your MFA deployment should be enforceable at the following points of access:

  1. Device-level login
  2. Federated SSO portal login to access cloud applications
  3. Remote access points, like RDP, VPN, etc.
Chapter 3

Creating Your MFA Strategy

The steps below outline a best practice approach used by other districts to successfully deploy MFA at scale and across all users. These districts have not only hardened their attack surface and mitigated rising cybersecurity insurance premiums, but actually enhanced ease of access for users!

Step 1: Create a Committee

Instead of asking yourself “How do I implement MFA?,” re-angle your thought process to: “How do WE implement MFA?” While implementing MFA may be the responsibility of the technology team, successful adoption requires buy-in across the organization.

In her address to Congress in May 2022,  Amy McLaughlin, Cybersecurity Project Director for CoSN, highlighted the importance of this mindset: 

“Cybersecurity is not only an unmet technology need; it is an organizational culture challenge. K-12 schools & districts experience significant challenges in protecting themselves from cyberattacks...It is an issue that requires everybody in an organization to understand & be part of the solution.”

Your greatest tool in deploying MFA is to engage leaders from impacted departments. By design, MFA increases the amount of steps taken to access resources. However, having “boots on the ground” in respective departments helps ensure there are champions to explain the need and assist with adoption at each stage. Controlling change management is crucial to the successful adoption of any new technology initiative.

Step 2: Call Out Weak Points

The first item the committee should assemble on is documenting an inventory of existing resources: “What do we have today?”, “What do we use it for?”, and “What can we use it for?” are all questions that help determine what is missing in terms of security posture and assess your level of risk. This inventory can include devices, systems, applications, access points, and more.

Step 3: Create a Plan 

The committee should be aware of the potential risks and create a plan to address them. While not every cybersecurity risk needs to be completely mitigated by the plan, it’s imperative to document all known risks, as well as a potential recourse for each.

For example, consider scenarios, such as: 

  • What happens if someone guesses the SIS administrator’s password?
  • What about a student's password and gaining access to their accounts?
  • What happens if we lose power in our on-premises data center? 
  • What do we do if we suffer a ransomware attack?

Use these documented risks to facilitate policies around mitigation and/or recourse by asking questions, such as: 

  • Can a product or human resource mitigate this risk? 
  • Can our own policies and user-behavior reduce this risk?

Step 4: Procure Necessary Resources 

If it is determined that new resources are required after calling out the weak points and creating a plan, remember the impacted user base. This is critical, particularly in Education, because many two-factor authentication (2FA) and MFA products were designed with only the corporate employee in mind— subject to one function that values security above all else. 

However, in Education, teachers and students are subject to the decisions of the committee, so the right balance between security and ease of use must be highly-considered for each individual.

Chapter 4

The Key to MFA Success

Your task: implement MFA districtwide
 without forcing a disruption to the classroom.

Following the strategy outlined above has allowed districts to not only harden their attack surface and mitigate rising cybersecurity insurance premiums, but actually enhance ease of access for users.

Hands down, the best piece of advice for making districtwide MFA a reality AND a success is to remember that: options equal adoption.

When only one authentication workflow is permitted for all users, it leads to issues with administration, equity of access, user adoption, and ultimately, negates the success of an MFA program, resulting in wasted budget. Role-based MFA that provides end-users with methods that they are comfortable using not only increases enrollment (and ultimately, security posture!), but actually makes it easier for the individual to gain access to the resources they need.

For the committee and IT teams this means evaluating a product with multiple modalities. The key is to provide a broad array of options, while being cognizant of the security, ease of use, and risks tied to each. For example, authentication methods, such as QR code, Pictograph, and challenge questions are great for ease of access and can be combined with other factors to provide a form of 2FA that’s ideal for users, like young students or those with special needs. However, as these options are not as secure as other methods, such as FIDO tokens, they aren’t practical for all user types.

Unlike a standard enterprise organization, K-12 is composed of students, teachers, staff, parents, contractors, and IT admins that each have unique user profiles and levels of access that require MFA options that fit their role. In addition, while some users may prefer using their smartphone for authentication, the use of personal devices cannot be mandated districtwide as not all users are equipped with a device.

See the resources below to check out our top recommendations for selecting authentication methods based on user type and risk level!

Chapter 5

Austin Independent School District: Creating a "AISD Anywhere" Digital Ecosystem

As the fifth-largest public school district in Texas, Austin Independent School District (ISD) is guided by the motto “AISD Anywhere” to provide 100,000 students, teachers, and parents greater access to their EdTech tools.
AISD_Black_StackedWhen choosing an Identity and Access Management (IAM) solution, Austin ISD knew the district would need to create a single, unified infrastructure. Connecting the district’s systems and tools—including their student information system (SIS), enterprise resource planning (ERP) system, curriculum tools, and eBooks—would allow for greater security and less backend maintenance.

RapidIdentity emerged as the perfect solution for Austin ISD—configurable, cloud-based, and user-friendly. Daniel Olivas, Network Analyst at Austin ISD sees RapidIdentity as the new security perimeter of the district’s digital environment, tying together the district’s infrastructure and synchronizing its data, so users can securely access classroom tools from any WiFi network.

RapidIdentity is like an iceberg. There’s a bunch of stuff under the ocean that you don't see that makes each piece work flawlessly,” says Olivas.

Chapter 6

RapidIdentity Authentication

Built specifically for K-12, RapidIdentity Authentication provides enterprise-grade security that helps institutions heighten their posture with MFA that adds an extra layer of protection or can even replace passwords altogether. 

RapidIdentity Authentication supports a broad range of authentication methods, including the latest frictionless smartphone-based technologies and risk-based authentication. Even younger students can easily gain access to the resources they need with a variety of passwordless and student-friendly authentication methods, including smartphone-based push notifications, QR code badges, pictograph authentication, and more.

RapidIdentity's Universal Authentication Director arms districts with the ability to seamlessly blend authentication across all web applications and for all users, so IT no longer has to worry about activating a myriad of MFA options across their edtech ecosystem. With RapidIdentity, faculty and students are more productive, and everyone is safe and sound.



See How RapidIdentity Enables Both Learning Outcomes and Cybersecurity with Flexible Identity and Access Management


Chapter 7

To Sum Up

K-12 Education is THE prime target for ransomware, phishing, and other cyberattacks. In addition, enterprise security tools cannot handle the unique user groups and workflows that K-12 IT manages.

In order to successfully deploy MFA across your organization, careful planning must first occur. But ultimately, the secret to achieving districtwide MFA adoption is that options equal adoption. It’s critical to identify each of your user group’s needs and abilities, as well as their risk level and the sensitivity of resources they access. 

Providing a broad range of methods ensures your users will have a method available that they are comfortable using. As ease of access increases, so does MFA adoption, which in turn, heightens your district’s security posture.

close chapters modal

Let's continue the conversation.

Ready to take the next steps? Contact us today to learn how RapidIdentity can safeguard your learning environment, maximize instructional time, and minimize the load on technology teams.

Download the full PDF version of this guide by filling out this form

Simply fill out this form to receive a PDF version of our guide.