Why should I use my Phone for 2FA?

Two-Factor FAQ

Often, when a sufficiently motivated attacker compromises someone's account at a school district, the entire district can go down for a year or longer. Some districts never recover. Every day in the U.S., new schools are caught in ransomware attacks. We need to take immediate action to ensure that we are not an easy target. A lot of that has been going on fervently behind the scenes, in our office behind the blue dumpster, but the reality is that the vast majority of the time, the root of these education breaches is the account of a teacher or other staff member. The Tech Dept. and I wholeheartedly agree with OSBA's decision to make 2FA mandatory for all staff. Without it, the risk is simply too high. 2FA reduces the threat of that account being compromised by at least 90%.



There are several different ways in which your personal phone could be used for two-factor authentication, including:

  • Logging into your work account directly on your device and confirming a pop-up message upon login.

  • Downloading the Google Authenticator app and confirming logins via code or pop-up.

  • Using a third-party app like Authy to generate a code and log you in.

  • Receiving a text message (SMS) code.

The method we chose to outline is the simplest, and from a privacy perspective arguably the least invasive. That is, in part, why it was chosen.


“Is it mandatory that I use my phone?”

No, but it is strongly recommended. We currently have physical keys available, a lot like a flash drive, called Authenticators. When prompted to log in, you plug in the authenticator and press a button, and it serves the same purpose for the most part. These are arguably even more secure than one-time passcodes via text, but with some significant caveats: logging in anywhere other than a computer with a readily available USB port is difficult.


“What if I lose my YubiKey?”

The first key will be provided by the District/Technology department. It is to be treated exactly as a real key would be, and will be returned at the end of employment or at the request of the Tech Department for specific technical reasons (like repair/replacement). Should the key be lost, the employee will be financially responsible for the replacement. They are currently $25 each.


“Can my work track my phone if I enable 2FA via SMS?”

No.


“Can my work see my text messages if I enable 2FA via SMS?”

No.


“Can my work...?”

No. Performing the steps outlined in the guide does not grant anyone additional access to anything, including me and the Tech Dept.


“I don't want to receive spam texts.”

Google does not sell your cell number to anyone, and you will never, ever receive texts from them for any reason beyond account login events.


“I don't want Google to have my cell number.”

Your cell phone number is not private.

  • Do you have an Android phone?

  • Have you ever logged into Gmail on your iPhone?

  • Have you ever used your phone on Guest WiFi or Warriors?

  • Have you ever connected to free Wi-Fi at a store?

  • Ever signed up for a rewards program at Safeway, Fred Meyer, etc.?

If you answered yes to any of the above, Google already has your phone number.

Even if you answered no to all of the above, it is a safe bet Google knows your phone number.


“Can my phone be subpoenaed in the event of a court case?”

If the only messages on your phone related to work are 2FA codes, no, it cannot. This is per our legal counsel and wider opinion from others' experiences and established case law.

However, if you have ever sent or received any communication on your phone directly related to work, and an incident occurs, your phone can absolutely be subpoenaed.


“What hardware authenticator are we using?”

The YubiKey Security Key NFC.

“How do I log in to email on my phone with a hardware key?”

I would encourage you to ask yourself why you prefer the security key over using your phone for authentication, but are comfortable logging in to your email on your personal phone. 🤔 Beyond that, the key supports NFC, which means it should be compatible with phones. In practice, it really depends on the app and the phone itself. With some phones it works well, with others not at all. We do not offer any support in this regard, unless there are very specific extenuating circumstances.