Are you a student or faculty member? Visit OnTheHub for discounted software and support or Texidium for eText support.

Close Button

Best Practices in User Authentication All Schools Should Follow

Kumiko Saito
June 14, 2021
User authentication in education

School systems used to be closed, which made ensuring security simple. But due to the interconnectivity demanded by the online age, these systems had to be opened up to enable interoperability. Unfortunately, this has introduced schools to significant risks. Private data could be compromised in the event of a breach or shared and monetized by unscrupulous service providers.

To mitigate these risks, schools need an effective system for authenticating students, staff, and faculty – one that restricts access to institutional resources without compromising user data. But what does such a system look like? There are many user authentication methods used in education, but not all approaches are equal in terms of security and privacy.

Here are some steps schools can take to securely authenticate their students, staff, and faculty.

Use Single Sign-On

First and foremost, institutions should use single sign-on (SSO) authentication to verify users’ eligibility to access resources.

People often recycle passwords, no matter how often they’re advised not to. When they have numerous accounts and are accustomed to entering the same credentials in several systems, they’re trusting multiple parties with these credentials. SSO provides access to multiple systems through one account and sign-in process, reducing the number of parties to which credentials are passed.

SSO is a best practice for many reasons. It’s less of an administrative burden than creating user accounts manually or through imports. It’s less vulnerable to fraud than email-domain authentication. It reduces password fatigue and provides a smoother experience for users. Most importantly, SSO does more to safeguard private data than any other method of user authentication.

Anonymize User Data

In addition to limiting the number of parties to which data is passed, it’s important to ensure that what data is passed is anonymous.

Institutions should use an opaque, immutable, globally unique identifier for each student, educator, and staff member who will access resources. These identifiers should be distinct from any credentials known and used by the users themselves and contain no personally identifiable information (PII) such as names or email addresses.

Institutions should set default SSO policies to release only the minimum set of anonymized data necessary. Many apps and services are designed to capitalize on default disclosure policies and will release those data to advertisers. Ensuring your institution’s default implementation is anonymized will prevent data from being leaked to outside parties.

Implement Multi-Factor Authentication

SSO verification can be made even more secure if coupled with multi-factor authentication (MFA).

MFA forces users to take extra action to access a site, system, or platform. This usually involves entering a code sent to the phone number or email address associated with the account being accessed. Requiring students, staff, and faculty to confirm their identity during sign-in like this can drastically improve data security.

Even accounts with robust passwords can be compromised. Implementing MFA at your institution’s identity provider can prevent these accounts from being breached and exploited by unauthorized parties.

Pick the Right Partners

The practices described so far are all measures schools can take on their own to improve data security. But institutions must consider not only their own systems and policies when it comes to protecting privacy. They must also consider those of any outside parties with which data is shared.

As established, many service providers share and monetize user data. Others may lack adequate policies and safeguards to protect the data they’re entrusted with. With cyberattacks and strict privacy laws on the rise around the world, it’s critical for colleges and universities to vet potential vendors and partners for their ability to protect PII.

There are many factors to consider when assessing a service provider’s data-security capabilities – too many to describe in detail here. But keep an eye out for our next post, which will look at what institutions should look for (and avoid) when considering service providers.

Kivuto Cloud:
Secure and Compliant Software Management

Watch how Kivuto Cloud enables academic institutions to manage and distribute digital resources more securely.


Kumiko Saito
June 14, 2021

No Comments

Leave A Comment

Your email address will not be published. Privacy Policy

Looking To Get Started?

How can Kivuto help your institution? Click the button below to start a conversation with one of our solution experts.

Privacy Preferences

When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.

Click to enable/disable Google Analytics tracking code.
Click to enable/disable Google Fonts.
Click to enable/disable Google Maps.
Click to enable/disable video embeds.

To ensure the best possible experience, this website uses cookies. Click the button below to agree to the use of cookies.