What is 2FA? (Two-Factor Authentication)


AKA: 2FA, Multi-Factor Authentication, MFA

What is going on?

  • Every staff member at Philomath School District has a Google account (Gmail, Drive, etc.)

  • OSBA PACE Insurance has mandated 2FA for staff EMail.


What is “Two-Factor”?

  • EMail Address + Password + 2nd Factor = Login


What is a “Factor”?

  • Something you are. (Like a fingerprint or face scan.)

  • Something you have. (Like a key or a phone.)

  • Something you know. (Like a Password.)

Your EMail/Username is NOT a “Factor” since it is almost always easy to find or figure out.


Why Two-Factor?

  • Account compromise is estimated to be over 90% less likely.

  • Stolen passwords are much less of a problem.

  • Quick and simple for staff.


Why Education?

  • Loads of student data, great for identity theft.

  • Lax security practices.

  • Recent heavy dependency on Technology due to COVID.


What’s the risk?

  • Ransomware: Data is encrypted by attackers and stays scrambled until a ransom is paid.

  • Phishing: Account passwords are stolen by tricking staff, usually via EMail.

  • Insider Threat: Internal staff deliberately sell data or access to outside sources.

2FA prevents or largely mitigates all of these, and many more.


How likely is it?

  • 56% of Lower education (US) hit with Ransomware in 2021.*

  • 60% of ransomed data was recovered.*

  • 3-6 Month average recovery period.*

  • $1.58M Average recovery cost.*

*Data from Sophos, 2021


What is the plan?

  • Must be enabled by each staff member, takes ~90 seconds.

  • Staff receive a text message upon login, with a 6-Digit code.

  • Physical security keys are available.


Why a text message (SMS)?

  • Almost everyone has a cell phone & uses it for work communication voluntarily.

  • SMS is the least invasive way to use a phone for 2FA.

  • Security keys cost money. (~$20/unit)


A few notes regarding phones:

  • No one is required to use their personal phone.

  • Phones used purely for 2FA are not subject to subpoena.

  • Google will not use a 2FA number for advertising.

  • Google will not sell a 2FA phone number to anyone.

  • Enabling does not allow PSD to track phone data or activity.

  • Staff can expect 1 SMS every 14 days, and another for first login on a new device.

  • Technology Dept. can provide backup codes if a phone is forgotten at home.