Password resets are one of the most frequent help desk requests school district IT teams get.
“Resetting passwords is a pretty big issue, especially after long summer and winter breaks, or any long period of time when employees don’t have to log in to their devices,” says Tanya Meza, K12 Business Development Manager at Kensington, a leading provider of innovative desktop and mobile device accessories. “IT teams can spend anywhere from one to two weeks just dealing with the specifics around passwords.”
Unfortunately, all of the time IT spends on password resets adds up to a significant amount of money. According to Infosecurity, research from Forrester puts the average cost for a single password reset at about $70. In a separate report, Forrester also details that large organizations spend around $1 million annually on password-related support and infrastructure costs.
But there’s another downside to password management for K-12 education beyond the time and resources — the security risk. Verizon’s 2019 Data Breach Investigations Report notes that 80% of breaches involve compromised and weak passwords. Education, the report explains, “continues to be plagued by errors, social engineering, and inadequately secured email credentials.”
This news isn’t surprising. “Most people tend to use the same password for different sites, so once a hack happens, it’s easy for the hacker to navigate through all the websites or systems with a single password,” notes David Delgado, RPM for Data Protection at Kensington.
The good news is there’s a lot more school districts can do to shore up password security as well as reduce the resource and infrastructure burden of password management.
Single Sign On Is a Solution, But Not a Complete One
Over the past several years, many school districts have embraced Single Sign On (SSO) technology as one solution to help reduce password management issues. With SSO, users need only one password to log in to all their different accounts. This reduces the number of passwords a user has to remember and provides a centralized system for IT to manage passwords.
SSO can reduce the number of password reset requests; however, not all school districts have an SSO-integrated password management system. Additionally, while the Fast IDentity Online (FIDO) Alliance is helping to standardize authentication, SSO only extends to those vendors who participate in FIDO or for which the SSO solution provider has developed an API to assist in SSO authentication. This means that there will still be some applications that teachers and administrators use that fall outside of the authentication capabilities that SSO covers.
Additionally, while SSO may reduce the overall number of passwords that are at risk of being hacked or stolen, it doesn’t fully patch the security issues around passwords. Verizon’s report notes that nearly one-quarter of breaches in education are due to compromised cloud-based mail services. The report recommended the education industry focus on tightening up password security and implementing a second authentication factor.
Making a Move to Two-Factor Authentication
There’s no doubt that adding two-factor authentication (2FA) protocols can improve password security, and many schools are moving toward 2FA. However, for some school districts, multi-factor authentication (MFA) poses a unique set of challenges. For example, receiving SMS messages as a second way to authenticate a user is common practice, but it doesn’t always work for school districts.
“The way schools are set up, it’s tough to use some two-factor authentication methods,” says Tanya Meza. “In a school system, you’re not going to get SMS to your phone as some schools are in areas where there is no cell service. So, if the idea is to eliminate the need to help reset passwords, then school districts need to get creative.”
One “creative” alternative to SMS texts for authentication is the use of biometrics, such as facial or fingerprint recognition. It’s a newer area of authentication for most school districts, but there are a host of benefits that can help reduce the resource burden and the security risks associated with password management.
Benefits of Biometrics
While both facial and fingerprint scanning are forms of biometric authentication and can offer similar benefits, fingerprint scanning typically makes more sense in a K-12 environment. A fingerprint scanner can easily be connected via a USB port and doesn’t require the use of a video camera.
Fingerprint scanning is similar to using an SSO solution, but without the need for users to remember a password. “In general, it allows for sign-on into a system,” says Delgado. “If you’re using Windows cloud-based services, for example, Kensington’s Verimark Fingerprint Key allows users to sign on to those as well as any application in the FIDO Alliance, such as Dropbox, Gmail, or Apple.”
Biometrics have also become quite sophisticated and some devices can “learn” a fingerprint or face. “So if your fingerprint does change because you get a cut or as you age, some technologies learn those changes from day to day and week to week, so it’s not something where two months down the line, a user can no longer log in or use a certain product,” says Delgado.
Finally, because some biometric fingerprint scanners like Kensington’s Verimark can store up to 10 fingerprints, it’s much easier to manage authentication for multiple users on a single classroom device or when multiple IT administrators need to log in to a server. “We’re testing fingerprint biometric scanners in one school district right now where six IT techs all need access to the same server,” notes Meza. “If they can all use the same fingerprint reader — that’s both a security and a time-saving benefit.”
Stepping Stones to Better Security
Security remains a top priority for IT teams, even with the use of fingerprint biometric scanners or other two-factor authentication protocols. But it’s important for schools to recognize that there are many other small, low-cost security improvements they can make to help protect devices and school data.
“There are small things that schools aren’t aware of that can save them lots of money and be as simple as improving password security,” says Meza. “Privacy screens, device locks, shredders in the attendance office — these are all inexpensive and can be implemented now, getting more security into schools, and saving thousands.”