The Boone County School District is taking additional steps in data security and protecting the information of staff and students. One step includes Multifactor Authentication (MFA) for all Boone County staff.
What is MFA?
MFA is a multi-step process used to confirm that the person logging in is authorized to access the account. MFA asks for a username and password plus at least one additional verification factor (for example a code sent to, or generated on, the staff member's phone), so that a stolen password alone is not enough to get in. This helps protect against identity theft, account takeover and unauthorized access to confidential information.
The phrase Multifactor Authentication is often used interchangeably with 2-Factor Authentication or 2-Step Authentication or 2-Step Verification. While the technical meanings of each are slightly different, the premise is the same: requiring more than one authentication method for access.
Why MFA?
MFA will enhance security by requiring more than a username and password to sign in. Usernames and passwords can be compromised, leading to data breaches, ransomware and other security incidents. Enforcing MFA adds an extra layer of protection for identities and data.
MFA can help prevent crimes such as the ones below that have occurred in Kentucky K12:
A student obtained the username and password of a district staff member to access Infinite Campus. The credentials were used to alter attendance records and/or schedules of 5 students.
Three district employees were tricked via a phishing email into giving their district login credentials to a cyber criminal, who then used their email accounts to request changes to their direct deposit information so those funds would be sent to the cyber criminal.
Two students utilized a teacher’s credentials, which the teacher had left posted on or near the computer, to log on to the school network. The students found they had access to a shared network drive, which contained staff PII, resulting in a data breach.
A staff email account was compromised via a phishing email. The cyber criminal placed an auto-forward rule on the staff member’s mailbox and 2 emails containing student data, including SSNs, were intercepted by the cyber criminal before the compromise was discovered. This resulted in a data breach.
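The mail-forwarding trick in the last incident above leaves a trace: creating or changing a forward is recorded in the Office365 audit log as an Exchange cmdlet (New-InboxRule, Set-InboxRule or Set-Mailbox) with the destination in its parameters. The following Python script is an added example, not part of the district's communication or tooling: it reads a few constructed audit-log records (made up for this example, with example.org standing in for the district's mail domain), flags any forward to an outside address, and notes rule settings such as DeleteMessage that hide the forwarded mail from the mailbox owner.

```python
"""Flag audit-log events that set up mail forwarding to an outside address.

Added example: the records in SAMPLE_AUDIT_LOG are constructed for this
script in the layout of Office365 Unified Audit Log entries (one JSON object
per line with an Operation and a Parameters list). They are not real district
data, and example.org stands in for the district's own mail domain.
"""
import json

# Exchange Online cmdlets that create or change forwarding on a mailbox
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Parameters of those cmdlets that carry a forwarding destination
DESTINATION_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                      "ForwardingSmtpAddress", "ForwardingAddress"}

# Rule settings attackers combine with a forward so the owner never sees the mail
CONCEALMENT_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

INTERNAL_DOMAINS = {"example.org"}  # constructed stand-in for the district's domains

# Constructed sample log: two malicious forwards, one legitimate internal
# forward, one unrelated mailbox change and one sign-in event.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2023-01-10T14:02:11", "RecordType": 1, "Operation": "New-InboxRule", "UserId": "teacher@example.org", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "attacker@example.net"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2023-01-10T14:05:40", "RecordType": 1, "Operation": "Set-Mailbox", "UserId": "principal@example.org", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Identity", "Value": "principal@example.org"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:attacker@example.net"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2023-01-10T15:30:02", "RecordType": 1, "Operation": "New-InboxRule", "UserId": "librarian@example.org", "ClientIP": "198.51.100.20", "Parameters": [{"Name": "Name", "Value": "Cover while out"}, {"Name": "ForwardTo", "Value": "Jane Doe <jane.doe@example.org>"}]}
{"CreationTime": "2023-01-10T16:10:55", "RecordType": 1, "Operation": "Set-Mailbox", "UserId": "admin@example.org", "ClientIP": "198.51.100.5", "Parameters": [{"Name": "Identity", "Value": "teacher@example.org"}, {"Name": "RetentionPolicy", "Value": "Default MRM Policy"}]}
{"CreationTime": "2023-01-10T16:12:00", "RecordType": 15, "Operation": "UserLoggedIn", "UserId": "teacher@example.org", "ClientIP": "203.0.113.7"}
"""


def load_records(text):
    """Parse one JSON audit record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_addresses(value):
    """Normalise a destination parameter into lowercase e-mail addresses.

    Handles the forms seen in these logs: an 'smtp:' prefix on
    ForwardingSmtpAddress, several recipients separated by ';', and
    'Display Name <addr>' entries.
    """
    addresses = []
    for part in str(value).split(";"):
        part = part.strip()
        if not part:
            continue
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "<" in part and part.endswith(">"):
            part = part[part.rfind("<") + 1:-1]
        addresses.append(part.lower())
    return addresses


def is_external(address, internal_domains):
    """True when the address's domain is not one of the district's own."""
    if "@" not in address:
        return False  # a bare directory object name (ForwardingAddress) is internal
    return address.rsplit("@", 1)[1] not in internal_domains


def analyze_record(record, internal_domains):
    """Return a finding if the record forwards mail externally, else None."""
    if record.get("Operation") not in FORWARDING_OPERATIONS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    external = [addr
                for name in DESTINATION_PARAMS if name in params
                for addr in extract_addresses(params[name])
                if is_external(addr, internal_domains)]
    if not external:
        return None
    # Any concealment setting that is present and not explicitly "False"
    concealment = sorted(n for n in CONCEALMENT_PARAMS
                         if str(params.get(n, "")).lower() not in ("", "false"))
    return {
        "time": record.get("CreationTime"),
        "mailbox": record.get("UserId"),
        "operation": record["Operation"],
        "client_ip": record.get("ClientIP"),
        "rule_name": params.get("Name"),
        "external_destinations": sorted(set(external)),
        "concealment": concealment,
    }


def scan(records, internal_domains):
    """Run analyze_record over every record and keep the findings, in log order."""
    return [f for f in (analyze_record(r, internal_domains) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(load_records(SAMPLE_AUDIT_LOG), INTERNAL_DOMAINS):
        print(json.dumps(finding))
```

In a real tenant the records would come from the AuditData field returned by Search-UnifiedAuditLog. A rule that forwards externally, deletes or marks the mail as read, and carries a throwaway name like "." is the classic pattern of a compromised mailbox; the same client IP appearing on forwards for two different mailboxes, as in the constructed sample, is a further sign that one criminal holds both accounts.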
Kentucky K12 is taking these steps because:
Education is BY FAR the most aggressively attacked sector, for multiple reasons:
Significant funding over the last 2 years, which immediately drew the attention of cyber-criminals
K12 staff are very service-oriented and generally not as familiar with security controls, which makes them easier targets
82% of breaches are due to people giving up, losing or being tricked out of passwords
Phishing is at an all-time high. Cyber-criminals are becoming more sophisticated and better at tricking people into sharing personal information and passwords, buying gift cards, or opening links and attachments that install ransomware.
Who and When?
MFA will be required for all district staff when they use Office365 or Google credentials to access online resources (email, Infinite Campus, etc.). Eventually, the district will move to location-based MFA, and district staff will not be prompted for MFA while on the Boone County network.
Boone County MFA will offer three authentication methods:
Text Message
Phone Call
Authentication App
Text messages and phone calls can be intercepted or redirected to a criminal's device (for example through SIM swapping), so the authentication app is the strongest of the three options.
Additional Security Measures
Conditional Access - Active Now
Office365 account credentials will only work from inside the United States; sign-ins from all other countries will be blocked, even when the criminal holds a valid password. If a Boone County employee is traveling outside the United States and needs Office365 access, the STC can submit a work order so access can be granted for the travel window. Because compromised staff accounts are a common source of further phishing, this Conditional Access policy alone greatly reduces the number of phishing email attempts end users receive. It is not a substitute for MFA, however: criminals can route their sign-ins through computers located in the United States.
Required Password Changes - Active Now
Boone County staff will automatically be prompted to change their passwords every six months.
Self-Service Password Reset (SSPR) - Coming Early 2023
Boone County employees will have the ability to change their passwords without calling the Technology Department. Very similar to MFA, SSPR will require Boone County employees to set up identity verification using one of the following authentication methods:
Text Message
Phone Call
Authentication App
Once per year, users will be asked to confirm that their registered authentication method (phone number, etc.) is still current.
GET STARTED!