How Catlin Gabel School and Brewster Academy Use MFA to Increase Security and Peace of Mind

What is Multi-Factor Authentication

Multi-factor authentication (MFA) is an extra layer of security, which further protects accounts from unauthorized access. The “multi-factor” component relies on at least one additional method of verification such as a Time-based One-time Password (TOTP), biometrics, hardware security keys, or push notifications on a mobile phone. The addition of a second authentication factor greatly increases security by protecting accounts even if a password is compromised.

MFA was first introduced in 1986 when RSA launched the use of standalone devices to create pass codes. Most consumers haven’t thought much about MFA until recently, as the hacking of online accounts has become ubiquitous. Google can be credited with reintroducing the concept to the public through MFA for Gmail accounts in 2010. In recent years, other platforms and services have followed suit.

Headlines about compromised accounts and login credentials are commonplace. Thankfully, many of these occurrences can be avoided using MFA. A 2015 survey estimates MFA adoption at roughly 39%. With personal and professional information being housed online with increasing regularity and with large-scale and targeted breaches on the rise, the security of online account access is critical. Using multi-factor authentication is an important step towards ensuring the safety of your online information and accounts.

– Michael Martell, Senior Director of Core Engineering at Veracross & Magnus Health

Visit haveibeenpwnded.com to review statistics about compromised websites and accounts from some of the more high-profile data breaches.

Rollout, Resources, and Recommendations

The following is a summary of interviews conducted by Veracross Senior Director of Marketing, Keith Krass, with current Veracross clients Peter Gilligan, Chief Technology and Operations Officer at Brewster Academy in Wolfeboro, New Hampshire and Daisy Steele, Director of Technology at Catlin Gabel School in Portland, Oregon.

Keith Krass: What led to the decision to roll out MFA at your school? And who among your staff made the call to do so?

Peter Gilligan: Brewster had a data security assessment conducted by our law firm. The number one recommendation that emerged was to implement MFA. In fact, many firms will not work with you unless you have this step completed. Ultimately, the decision to roll out was pushed by our IT department and strongly supported by our senior administration.

Daisy Steele: It’s certain that MFA is best practice for cybersecurity. That’s well-documented and well-known. We had to look at our tolerance for risk versus our tolerance for inconvenience. What are the consequences of being compromised and how can we mitigate that? For us, deciding to implement MFA was a combination of things including access to a lot of sensitive data in one place. Since we were about to launch Veracross, we decided that we would fully activate MFA during the launch. I began the conversation, but ultimately, it was a collaborative decision.

KK: Did you receive any resistance? If so, what information did you present to highlight the value of MFA?​​

PG: As with anything new, we had grumbles from a few, but once I met with those concerned and showed them how vitally important MFA is, they got on board. Most did not need any convincing, but for those with reservations, I restated the recommendations from our security assessment and showed them some online videos from top data security professionals.

DS: Our school had experienced some attempted breaches, so I was already doubling down with our HR and administrative departments to add MFA to our current systems which mitigated the issue. So, by the time I came to senior-level leadership with a plan to implement MFA with Veracross they were ready to take on the inconvenience. I would say that the only limiting factor in the roll out is the fact that not everyone has a smartphone.

KK: What was your process and timing for rolling it out and how did you decide on it?​

PG: We decided on a gradual rollout over a trimester with a hard deadline of the last day of the fiscal year. This gradual process worked well for us as we started with senior administration, which lent itself well to a “lead-by-example” charge. I set up times to meet with each support staff group. For teachers, the IT department attended the first 30 minutes of each department staff meeting to conduct a“data security check-up” where we made sure that everyone’s phones and computers were updated, walked through MFA setup, and installed Crashplan.

DS: We fully rolled out MFA in tandem with our Veracross launch. We began with the staff on campus for the summer, those already using Veracross before the general faculty. We held small training sessions where we simultaneously discussed MFA. We sent instructions and screen cast to staff, so they could login and activate MFA early. Finally, we encouraged faculty to set it up before the initial trainings that we held at each division level. At the all school meeting at the start of the year, we offered help with login and setup and announced that all faculty and staff had to attempt set up by end of day. However, we had strong adoption prior to the trainings. Our final rollout group was the Catlin Gabel affiliates including seasonal tutors and coaches. Those were a bit more difficult just due to scheduling or lack of tech savvy, but we felt it was important to make sure they were covered by the same security and they are now all set up with MFA. We don’t currently have MFA for parents or students.

KK: Can you describe the resources you used to train your community on how to implement MFA? Was ongoing technical support provided?

PG: The main resource was our IT department working directly with the small groups and walking through questions on anything in the process. We also had a one-page document describing the basics of MFA that we distributed. We offer ongoing support to users who are going to be traveling abroad so they are prepared for using MFA in areas where they may not have cellular service and our IT department is always available to our staff.

DS: We sent an email with some basic information about MFA, but the screencast and in-person trainings were our main tools. As to support, there is a walk-in help desk, so our staff can walk in if they are on campus. There is also a phone line and email ticketing system for ongoing support for those off campus.

​KK: What percentage of your community is currently utilizing MFA​​?

PG: 100%

DS: If they have access to Veracross, they have MFA. Staff and faculty both 100%.

KK: Is there anything you would have done differently with the rollout?

PG: The only thing I would have done differently is to have done it sooner. This has been a very positive thing for our community.

DS: I think distributing an attractive, one-page handout to sum up what MFA is and why it is so important would be a nice addition.

KK: Any specific advice you’d give to a school looking to implement MFA?

PG: The best advice I can give is don’t wait. I would also say that you should include people at all levels in the process. Don’t just institute a policy from “on-high” and expect people to adhere to it. People in our community walked away feeling more secure because they were part of the process. Doing this one step can give you more bang for your buck than any other layer of security

DS: Don’t wait. Do it now. The consequences are such that it’s not worth the risk. I also think the fact that we combined the setup of MFA with our larger initial rollout was a big advantage. So, if you are adding another module or rolling out a new system all together, I recommend including MFA setup in that launch. Yes, it can be hard to navigate and there will likely be some push back, but it’s more than worth it to work through any resistance for the safety of the community.

How does Veracross support MFA?

At Veracross, we take data protection seriously. We support MFA for client authentication and use it internally for our own staff. For our clients, Veracross MFA is implemented with the industry standard TOTP (Time-based One-Time Password). We support Google Authenticator, Duo, 1Password, Lastpass, Authy, and several other well-known solutions.We work with our clients to enable a smooth rollout and support multiple rollout phases including Disabled, Optional, Transitional, and Required for any account or group of account.

Often, clients wonder if it is worth the time and effort to rollout MFA. Many see the utility in protecting, say, their bank account with MFA but fail to see a compelling reason to protect their Veracross account. We think the answer is obvious, and so far, roughly 20% of our schools agree. While our goal is to get 100% adoption for Veracross schools, we understand the potential friction, the time, and the effort involved when making such requirement across multiple accounts.

However, consider what an account’s credentials protect. Many staff who have privileged Veracross accounts have access to highly sensitive data including: PII (personally identifiable information) of minors, financial aid data, health data, grades, relationship information, school communications, and more. When enabling MFA on your personal bank account or email, you’re protecting your own data. When enabling it on your Veracross account, you’re also protecting the data of your students, parents, faculty, and staff. We see this as so important that we offer MFA setup and rollout support for all our schools free of charge.