Best Practices in Multi-Factor Authentication for Higher Education

10/15/2024 9:00 AM

Multi-factor authentication (MFA) is becoming an industry standard for account access, increasingly required by vendors, industry organizations, and various laws. That’s because implementing MFA is a proven way to validate identity, reduce risk, and secure accounts and the critical systems and sensitive data they are connected to.

According to recent security research, 79% of account takeovers begin with phishing for account details such as username and password. MFA helps mitigate this problem by requiring more than basic login credentials: multiple factors are needed for authentication. The method is highly effective, as MFA users are 99% less likely to have their account hacked.

How MFA works

The factors required for authentication must come from at least two of these three categories of credentials:

  • Something you know, such as username and password
  • Something you have, such as a token device or one-time code
  • Something you are, such as biometric information from a fingerprint or facial recognition

Most MFA processes combine the first two types of credentials. Identity is first verified by logging in with a username and password (something you know). The second verification happens when the user enters a code they have obtained (something you have) from the authentication system, delivered through one of these channels:

  • Authenticator app: The user reads a time-sensitive code from an app such as Authy, Microsoft Authenticator, or Google Authenticator. This is one of the most secure and popular options, especially since many apps let the user add a biometric (something you are) to the login for extra security.
  • SMS code: The system texts a one-time passcode to the user’s mobile device. This method is convenient for users but less secure.
  • Email code: The system emails a one-time code to the user. This is less secure than the other methods but useful as a backup option.

More than MFA is a must

While MFA is a proven way to increase account security, colleges and universities can do more than implement MFA to reduce risk. From choosing the right software and hardware to educating students and staff on cybersecurity, the following best practices enhance security alongside MFA.

Apply security concepts such as the principle of least privilege

Privacy, security, and compliance can be complex and difficult to achieve, but applying established information security concepts helps greatly. Under the principle of least privilege, for instance, a user or entity is granted only the minimum level of access or permissions to solutions and data needed to execute a task; anything not strictly required is withheld. This reduces exposure and helps prevent leaks, inadvertent or intentional, that can lead to security breaches.

Conduct user management

Actively managing users’ access and permissions is an effective way to help prevent the wrong information from falling into the wrong hands. Conduct an audit on a regular basis to remove or disable accounts belonging to users who no longer need access.
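A recurring access audit is easiest to run consistently when the disable criteria are written down as rules and applied to a directory export. The following is an added example for this article, not code from the author or from any identity product; the account fields, the 90-day inactivity and 30-day never-used thresholds, and the sample records are all constructed assumptions to illustrate the approach, and would be replaced by the institution's own policy and directory data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: assumptions for this example, not values from the article.
INACTIVE_DAYS = 90      # no sign-in for longer than this -> disable
NEVER_USED_DAYS = 30    # provisioned but never signed in -> disable after this


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]   # None if the user has never signed in
    enabled: bool
    affiliation: str             # e.g. "student", "staff", "alumni", "separated"


def review_account(acct: Account, today: date) -> Optional[str]:
    """Return the reason this account should be disabled, or None to keep it.
    Rules are checked from strongest signal (affiliation ended) to weakest."""
    if not acct.enabled:
        return None                         # already disabled; nothing to do
    if acct.affiliation == "separated":
        return "affiliation ended"          # HR/registrar says the person has left
    if acct.last_login is None:
        # Provisioned but never used: stale after the onboarding grace period.
        if (today - acct.created).days > NEVER_USED_DAYS:
            return "never used"
        return None
    if (today - acct.last_login).days > INACTIVE_DAYS:
        return "inactive"
    return None


def audit(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map each account that should be disabled to the reason."""
    findings = {}
    for acct in accounts:
        reason = review_account(acct, today)
        if reason is not None:
            findings[acct.username] = reason
    return findings


# Constructed sample directory export for a review run on 2024-10-15.
TODAY = date(2024, 10, 15)
SAMPLE_ACCOUNTS = [
    Account("astudent", date(2023, 8, 20), date(2024, 10, 14), True, "student"),
    Account("bgrad",    date(2020, 8, 20), date(2024, 5, 1),   True, "alumni"),
    Account("cnewhire", date(2024, 10, 1), None,               True, "staff"),
    Account("dghost",   date(2024, 8, 1),  None,               True, "staff"),
    Account("eformer",  date(2019, 1, 10), date(2024, 10, 10), True, "separated"),
    Account("fold",     date(2018, 1, 1),  date(2022, 1, 1),   False, "staff"),
]

if __name__ == "__main__":
    for user, reason in sorted(audit(SAMPLE_ACCOUNTS, TODAY).items()):
        print(f"disable {user}: {reason}")
```

Disabling rather than deleting on the first pass preserves the account for investigation or reinstatement, and the reason attached to each finding makes the review auditable later.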

Regularly update software and hardware

Always update to the latest version of software solutions and the newest firmware on hardware devices, as these releases often add security functions and include critical fixes for vulnerabilities that would otherwise compromise security.

Require strong passwords

The security benefits of MFA can be undermined if users’ passwords are easy to predict. Require passwords that are sufficiently long and complex, including upper- and lowercase letters, numbers, and special characters, and require users to change passwords on a regular basis.

Select and implement NFC-based technology

The most secure technology for conducting access and payment transactions is Near Field Communication (NFC), thanks to multiple features that deliver durable protection. Just as MFA protects access to solutions and systems, NFC technology protects two more of the biggest targets for bad actors seeking to breach your campus: physical access and payments.

Continuously educate users

Since 68% of data breaches involve human error, both students and staff need to be aware of the newest cybersecurity risks and how to protect against them. Run communication campaigns that describe common risks, such as phishing, and explain how to avoid them with best practices for account security. This practice is key to reinforcing your security; without it, the benefits of the other best practices can be lost.

The keys to today’s locks

Securing user accounts in today’s cyber threat landscape requires extra effort. Login names and passwords alone are not enough to deter hacking and other forms of identity theft and account takeover. To maintain security, today’s locks require multiple sets of keys, along with changes to our daily habits and institutional processes. Implementing MFA and the best practices that support it will help increase security on your campus and achieve regulatory compliance.