School systems used to be closed, which made ensuring security simple. But due to the interconnectivity demanded by the online age, these systems had to be opened up to enable interoperability. Unfortunately, this has introduced schools to significant risks. Private data could be compromised in the event of a breach or shared and monetized by unscrupulous service providers.
To mitigate these risks, schools need an effective system for authenticating students, staff, and faculty – one that restricts access to institutional resources without compromising user data. But what does such a system look like? There are many user authentication methods used in education, but not all approaches are equal in terms of security and privacy.
Here are some steps schools can take to securely authenticate their students, staff, and faculty.
Use Single Sign-On
First and foremost, institutions should use single sign-on (SSO) authentication to verify users’ eligibility to access resources.
People often recycle passwords, no matter how often they’re advised not to. When they have numerous accounts and are accustomed to entering the same credentials in several systems, they’re trusting multiple parties with these credentials. SSO provides access to multiple systems through one account and sign-in process, reducing the number of parties to which credentials are passed.
SSO is a best practice for many reasons. It’s less of an administrative burden than creating user accounts manually or through imports. It’s less vulnerable to fraud than email-domain authentication. It reduces password fatigue and provides a smoother experience for users. Most importantly, SSO does more to safeguard private data than any other method of user authentication.
Anonymize User Data
In addition to limiting the number of parties to which data is passed, it’s important to ensure that whatever data is passed is anonymized.
Institutions should use an opaque, immutable, globally unique identifier for each student, educator, and staff member who will access resources. These identifiers should be distinct from any credentials known and used by the users themselves and contain no personally identifiable information (PII) such as names or email addresses.
Institutions should set default SSO policies to release only the minimum set of anonymized data necessary. Many apps and services are designed to capitalize on default disclosure policies and will release those data to advertisers. Ensuring your institution’s default implementation is anonymized will prevent data from being leaked to outside parties.
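The two practices above (an opaque, immutable, per-user identifier and a minimum-by-default attribute release policy) can be shown concretely. The following is an added example, not Kivuto's code or any real identity provider's implementation. It derives a per-service-provider identifier with an HMAC keyed by an institution-held secret, so the same person gets a stable value at each service but different services cannot correlate that value with each other, and it filters the attributes released in the sign-on assertion down to a default minimum unless a service has been explicitly approved for more. The secret, service names and user record are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder: in production this secret lives in the identity
# provider's key store and is never shared with service providers.
IDP_PAIRWISE_SECRET = b"constructed-idp-secret-do-not-reuse"


def opaque_id(internal_user_id: str, service_provider: str) -> str:
    """Derive an opaque, stable, per-service-provider identifier.

    Opaque: an HMAC-SHA256 output carries no name or email.
    Immutable: the same (user, service) pair always yields the same value.
    Distinct per service: two services cannot match users by comparing ids.
    The internal user id is a database key, not a credential the user knows.
    """
    message = f"{service_provider}\x00{internal_user_id}".encode()
    return hmac.new(IDP_PAIRWISE_SECRET, message, hashlib.sha256).hexdigest()


# Default release policy: only the opaque id and a coarse affiliation leave the
# institution. Anything beyond that must be approved per service provider.
DEFAULT_RELEASE = frozenset({"opaque_id", "affiliation"})

# Constructed example of a per-service approval: the (hypothetical) library
# catalogue has been reviewed and approved to also receive a display name.
PER_SP_RELEASE = {
    "library-catalogue": frozenset({"display_name"}),
}


def release_attributes(user: dict, service_provider: str) -> dict:
    """Build the attribute set for one service provider's sign-on assertion.

    `user` is the institution's full record; only the allowed subset is
    returned, so PII such as email never reaches a service by default.
    """
    allowed = DEFAULT_RELEASE | PER_SP_RELEASE.get(service_provider, frozenset())
    full_record = {
        "opaque_id": opaque_id(user["internal_id"], service_provider),
        "affiliation": user["affiliation"],
        "display_name": user["display_name"],
        "email": user["email"],
    }
    return {key: value for key, value in full_record.items() if key in allowed}


if __name__ == "__main__":
    # Constructed sample user record.
    alice = {
        "internal_id": "u-000123",
        "affiliation": "student",
        "display_name": "Alice Example",
        "email": "alice@example.edu",
    }
    print(release_attributes(alice, "lms"))
    print(release_attributes(alice, "library-catalogue"))
```

The assertion sent to a learning-management service contains only the opaque id and affiliation; the same user appears at the library catalogue under a different opaque id, and the email address is released to neither. Rotating `IDP_PAIRWISE_SECRET` would change every identifier, which is why the immutability requirement also makes key management part of the design.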
Implement Multi-Factor Authentication
SSO verification can be made even more secure if coupled with multi-factor authentication (MFA).
MFA forces users to take extra action to access a site, system, or platform. This usually involves entering a code sent to the phone number or email address associated with the account being accessed. Requiring students, staff, and faculty to confirm their identity during sign-in like this can drastically improve data security.
Even accounts with robust passwords can be compromised. Implementing MFA at your institution’s identity provider can prevent these accounts from being breached and exploited by unauthorized parties.
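The delivered-code flow described above has a server side that is easy to get wrong: the identity provider must store only a hash of the code, expire it, allow one use, limit guesses and compare in constant time. The following is an added example, not Kivuto's code or any real identity provider's implementation; it models that server side with an in-memory store standing in for the identity provider's session store, and leaves delivery of the code to the registered phone or email out of scope. The session ids, time-to-live and attempt limit are constructed values.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300   # constructed policy value: codes expire after 5 minutes
MAX_ATTEMPTS = 5         # constructed policy value: guesses allowed per code

# In-memory stand-in for the identity provider's session store:
# session_id -> {"digest": str, "expires": float, "attempts": int}
_pending: dict = {}


def _digest(code: str) -> str:
    """Only a hash of the code is kept, so a leaked store reveals no codes."""
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(session_id: str, now: float) -> str:
    """Generate a fresh 6-digit code for a sign-in session.

    The plaintext is returned exactly once so the caller can deliver it to
    the user's registered phone or email; only its digest is stored.
    Issuing a new code replaces any earlier one for the same session.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[session_id] = {
        "digest": _digest(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(session_id: str, submitted: str, now: float) -> bool:
    """Check a submitted code: expiring, single-use and guess-limited."""
    entry = _pending.get(session_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        _pending.pop(session_id, None)      # expired: discard, force re-issue
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(session_id, None)      # too many guesses: invalidate
        return False
    # Constant-time comparison of digests avoids leaking how many characters
    # matched through response timing.
    ok = hmac.compare_digest(entry["digest"], _digest(submitted))
    if ok:
        _pending.pop(session_id, None)      # single use: a replay fails
    return ok


if __name__ == "__main__":
    import time
    session = "constructed-session-1"
    code = issue_code(session, time.time())
    print("deliver out of band:", code)
    print("first use:", verify_code(session, code, time.time()))
    print("replay:", verify_code(session, code, time.time()))
```

`now` is passed in explicitly rather than read from the clock inside the functions so that expiry and lockout behaviour can be exercised deterministically; a production implementation would also persist the store, rate-limit code issuance per account and log failed verifications for the security team.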
Pick the Right Partners
The practices described so far are all measures schools can take on their own to improve data security. But institutions must consider not only their own systems and policies when it comes to protecting privacy. They must also consider those of any outside parties with which data is shared.
As established, many service providers share and monetize user data. Others may lack adequate policies and safeguards to protect the data they’re entrusted with. With cyberattacks and strict privacy laws on the rise around the world, it’s critical for colleges and universities to vet potential vendors and partners for their ability to protect PII.
There are many factors to consider when assessing a service provider’s data-security capabilities – too many to describe in detail here. But keep an eye out for our next post, which will look at what institutions should look for (and avoid) when considering service providers.