Why Educational Institutes Should Leverage Passwordless Authentication -

Educational institutes play a fundamental part in society and produce assist in producing the great minds of the future. From Nursery right the way through to University, these educational institutes rely on technology more than ever to conduct business, teach and provide students access to resources internally and on the Internet. Just as with any organisation, data and the security of that data is a critical component and therefore, educational institutes must have measures in place to protect access to their data. Often this is done by employing a range of physical, technical and administrative controls which is great but these controls need to be constantly reviewed as potential threats are always advancing. If cybersecurity measures are not maintained and updated, institutes run the risk of becoming a target and as a result, potentially breached. The ramifications are real and should not be overlooked; therefore, planning and ensuring educational institutes are on top of their cybersecurity should be a key focus.

Official statistics from research conducted by the UK government in 2022 on cyber security breaches in educational institutions highlight the scale of the problem. The research shows that Primary schools, Secondary schools, Further education colleges and Higher education colleges are not immune to cyber security breaches. In fact, the research shows that all aforementioned institution types fell victim to a cyber attack and malicious actors appeared to target mainly further education (88%) and higher education colleges (92%) the most. The research also emphasised that the identified attacks on secondary schools had increased in 2022 by 12%; possibly indicating that educational institutions are an easy target for attackers.

Sticking with the same research, it was found that attackers had successfully carried out many different attacks but not surprisingly, Phishing attacks remained the number one form of attack against all educational institutes. Other attacks worth mentioning for the purpose of this article included the unauthorised access to files by students, staff and outsiders and the takeover of user accounts which could imply that credentials were stolen and or misused at some point. Whether data is stolen from cloud environments or on-premise environments using Phishing tactics or via legitimate accounts with stolen credentials, institutes need better ways to reduce the chances of attacks being successful.

As a result of the breaches, the surveyed institutes were impacted tremendously resulting in a loss of data, money and unfortunately a loss of confidence from stakeholders. While the research does suggest that institutes acknowledge that new controls are required to prevent further attacks from materialising it’s obvious that more can be done to improve cyber security postures across the board.

Focusing briefly on cloud solutions, more specifically Microsoft 365. According to Enlyft, approx. 60,320 customers are from the Educational Management industry. We could also assume that this number is constantly rising as institutes embrace remote learning and cloud-delivered Microsoft solutions. As a result, more and more data as well as Identity and Access Management (IAM) is shifting from on-premise environments to the cloud. Thinking back to some of the attacks mentioned above from the Government report, decision-makers and security teams need to ask themselves many questions; one of which could be, “How can we reduce attacks caused by compromised credentials?”

While I could address many technologies that could help reduce the success rate of some of the attacks highlighted in the published report, I want to focus on the question put forth and particularly on one advancement in technology that I feel would benefit educational institutions. That is by adding Passwordless as an authentication method. Passwords are and have been for some time one of the biggest attack vectors when it comes to cyber-attacks. We could also say that passwords add friction to a user’s daily routine as they have to constantly change, update and even remember ample passwords to access different systems. Of course, there is the use of password managers but particularly in educational environments where there is a high turnover of students and sometimes even staff, does the benefit outweigh the cost? Maybe in some cases, and one might think that using password management solutions for staff only is the way forward but that little for students who forget their passwords as well as the costs ensued to pay for helpdesk administrators to help reset passwords. Nevertheless, let me be clear; I am not saying that there is anything wrong with password managers but they do carry their own risks and the credentials stored within are no good if passwords remain weak.

With that said, before understanding why passwordless could be a much-needed addition to educational institutes, let’s first understand what passwordless is.

Passwordless is an authentication method that allows users access to compatible applications without the need for a password. While one would assume that passwordless authentication is surely less secure than the use of passwords, it actually isn’t! That is because with passwordless authentication, users still enter their username to identify themselves but before they can successfully authenticate and access the intended system they would need to complete the passwordless authentication process by using biometrics or even a token to name a few. This means once the username has been entered instead of relying on something we know (password) as an authentication method we now rely on something we are (biometric) or something we have (tokens). In turn, this helps improve security and reduce the risk of compromised accounts because an attacker won’t likely have access to your tokens and or biometric information even if they did know your username. Furthermore, passwordless is used with multi-factor authentication to apply additional security measures to user accounts, and devices and control access to specific applications. Passwordless can also be used with Single Sign-On (SSO) to improve the end-user experience by not only removing the need to remember passwords but also by allowing users to sign in only once before being able to access other SSO-capable applications.

Some of the benefits of going passwordless are:

Less user friction and a better user experience
Elimination of potentially insecure passwords and an improved security posture
Better IT operations by removing the need for password reset and rotation procedures
Freeing up IT resources to be better served on more important tasks

There are many more benefits to going passwordless and you can read more from vendors such as Cisco Duo but now that we have a better understanding of passwordless and organisations can benefit from passwordless, let’s take a look at how you can start your passwordless journey. To do so, we will take a brief look at Cisco Duo’s end-user experience and see how educational institutes can leverage Duo Passwordless today.

Note: The following does not go through the full configuration steps as these may vary depending on your environment. Please see the Duo Passwordless documentation for more details.

To make use of Duo Passwordless, there are a few prerequisites that need to be in place first. These are:

A Duo Subscription (MFA, Access or Beyond)
An Identity Provider (IdP) and integration with Duo SSO or an existing SSO IdP
Supported Passwordless authentication methods (Windows Hello, Touch ID, Face ID, Fingerprint etc)
Supported web browsers

Assuming that you are looking at enabling passwordless for students and staff accessing Microsoft 365 environments with Duo SSO, once the prerequisites are met and Duo has been configured for passwordless, the end-user experience can be tested.

When users first attempt to access an O365 application with passwordless enabled, they will first be required to enter their username and password before they are given the option to enrol for passwordless. Once they’ve successfully authenticated they will be asked to set up their account for passwordless authentication so that they don’t have to use a password when they next sign in.

The following example is using an iPad to demonstrate how schools can also leverage passwordless. Once the user has entered their username and password for the first time, they are prompted to enrol for passwordless.

Note: If using tokens such as Yubikeys, these can be enrolled to user accounts beforehand but if devices are to be used by multiple accounts then self-enrollment may be the better option.

On the next prompt, the user is asked to select a passwordless authentication method.

When using an iPad you will be asked to sync the iPad to securely store the information in iCloud. This is great if you have one account that is used between multiple devices.

Next, the user is asked to sign in with their selected passwordless method. In the following example, Touch ID was used.

Once the passwordless enrolment process is finished, future login requests from that user to supported and configured passwordless applications will be passwordless (username and passwordless authentication method).