Passwordless Authentication in Education

Kevin Hazzard 13 September 2023

Passwordless Authentication in Education

The Need for Passwordless, Two-Factor Authentication in Education

“Hackers don’t break in—they log in.” - Microsoft Chief Information Security Officer Bret Arsenault

Securing the accounts of teaching and non-teaching staff and administrators presents its own set of unique challenges. If 2FA is enabled are staff required to use their personal cell phone? Will administrators have dedicated devices? Will the board invest in security keys for staff? What about students? How can school boards implement passwordless authentication for students when they don’t have cell phones, devices with biometric recognition or security keys?

We know passwordless authentication is the future. In May of this year, Google, Microsoft and Apple, along with the FIDO alliance, announced that users could begin to use passkeys, as an additional option to using passwords and 2FA, to access their accounts, apps and supported websites. If there was any question of where Google stands on the topic, the title of their blog post The Beginning of the End of The Password, makes it abundantly clear.

Passwordless authentication is more secure and creates a better user experience than entering a username and password. This is something of critical importance to the education industry. According to the 2023 Canadian Cyber Security Study published by CDW, across all industries and organization size, the highest hit rate for successful cyberattacks were in Education and Government at 10%. Education contains many unique challenges and obstacles to overcome in regards to cybersecurity. Firstly, the size of the attack surface combined with limited budgeting resources make defending against cyber attacks increasingly difficult for school boards. Secondly, the age and ability of students presents many challenges in implementing passwordless or complex password policies. The most common attack vector is weak or compromised credentials (Fortinet) yet many of the boards we speak to share the same concern. Their FGPPs for K-3 students and in some cases all elementary students contain no complexity. It makes sense of course. Trying to get a classroom of 6 year olds to sign in with a 12 or more character complex password would be unrealistic, but the fact remains. Student accounts, and specifically the accounts of younger students present a security liability for school boards.

Password policies for school board staff present many challenges as well including password fatigue, calls to the IT Help Desk and phishing attacks. Each of these are pushing IT Departments to find a better solution.

But: what options are available to school boards who want to go passwordless? The IT administrators that we speak to are looking for simple and secure login options for their students, but also their teaching and non-teaching staff, administrators and senior administrator teams. The challenge however, is that creating a plan towards passwordless authentication in education is not a one size fits all approach.

With school boards grappling with the best approach to take, we outline some of the current options available, their potential usage in the education industry and some of the pros and cons associated with each.

Cloudwise COOL Easy Login

Pre-Requisites, Systems and Devices	Board Managed Chromebooks Azure Active Directory or Google Workspace
User Experience	Students sign in to their Chrome device as well as to their Google and/or Microsoft accounts and connected applications as a single sign on using a QR Badge and Picture combination. Teachers and/or dedicated staff print QR badges for the students.
Usage Group	Students
Pros/Cons	Pros: Simple and secure Single Sign On for students. No need for cell phones, costly hardware keys, biometric recognition or dedicated devices Save students and teachers valuable teaching and learning time Reduction in calls to the IT Help Desk for password resets. Trusted endpoints. COOL Easy Login works on board managed devices. Provides significant support to English Language Learners and students with special needs who have a difficult time typing in usernames and passwords. Reduce the impact of successful phishing attacks against student accounts. No passwords to share! Google and Microsoft Authentication Cons: Currently available only on Chrome devices. Windows devices coming soon!

Microsoft Authenticator App

Pre-Requisites, Systems and Devices	Downloading the Microsoft Authenticator app Phone (iOS and Android devices) PIN and biometrics recognition on phone
User Experience	Microsoft Authenticator App can be used as the second step in 2FA with a password or as a passwordless sign in option Users sign in using a mobile phone with fingerprint scan, facial recognition, or PIN. Applicable for accessing work or personal applications on the web from any device using a cell phone
Usage Group	Senior Administrators Administrators Teaching Staff Non-Teaching Staff
Pros/Cons	Pros: Simple and secure 2FA and/or passwordless login solution Inexpensive and relatively easy to implement Cons: Staff would need to have a cell phone with them to authenticate Resistance from staff to downloading Microsoft Authenticator App onto a personal device Impractical for student usage due to the requirement of a cell phone

Choosing a Passwordless Method

FIDO2 Security Key

Pre-Requisites, Systems and Devices	Windows 10, version 1903 or later Azure Active Directory
User Experience	Users can authenticate to their device using biometrics, PIN, and NFC. Allows users to authenticate to shared personal or board devices where a cell phone is not an option.
Usage Group	Senior Administrators Administrators Teaching Staff Non-Teaching Staff
Pros/Cons	Pros: Fast, simple and secure passwordless authentication Passwordless authentication when a cell phone is not available. Staff do not need to use a personal cell phone or require a dedicated device Cons: Cost. Security keys range in the $50-100 depending on quality and biometrics capability. Forgetting a key. Users would need the physical key on them. If users forget the key at home or do not have access to it, they will not be able to access their accounts. Losing a key. If a key is lost, the account will need to be secured to prevent it being potentially accessed. Impractical for student usage due to the cost, compatibility with school devices and potential for the key to be lost, stolen or damaged.

Windows Hello

Pre-Requisites, Systems and Devices	Windows 10, version 1809 or later Azure Active Directory PC with a built-in Trusted Platform Module (TPM) PIN and biometrics recognition
User Experience	With Windows Hello, users can sign in using a PIN or biometric recognition with their Windows devices. Windows Hello authentication is tied to the device, meaning the user needs both the device and a sign-in component such as a PIN or biometric factor to access their account. Windows Hello can be used in combination with a FIDO2 Security Key
Usage Group	Senior Administrators Administrators
Pros/Cons	Pros: Simple, secure passwordless authentication to Board accounts. Can be used with a FIDO2 Security Key for additional account security Ability for Single Sign On to device and applications Cons: Requires a dedicated Windows device which would be costly to distribute at scale to all staff Impractical for student usage

Google Passkeys

Pre-Requisites, Systems and Devices	A device with touch or facial recognition software
User Experience	A PIN, swipe pattern or biometrics are used to authenticate a user on their personal or work accounts as well as connected applications and websites
Usage Group	Senior Administrators Administrators Teaching Staff Non-Teaching Staff
Pros/Cons	Pros: Simple and secure login to Google and Microsoft accounts as well as supported applications and websites No need to remember different passwords for different sites. Supported across major platforms Cons: Passkeys became available in May this year. They will take time to become more widely used and accepted Require a device with touch or face ID Impractical for students and staff who do not have a supported device

Communities

Cyber Security and Risk Management IT Modernization and Cloud

Regions

Canada

Published by

Kevin Hazzard Business Developer, Cloudwise COOL

About our partner

Cloudwise COOL

Cloudwise COOL is an award winning Dutch EdTech company operating in Canada and more than 15 countries around the world. Cloudwise is a Google and Microsoft partner and is Europe's largest Google for Education partner. With over 600,000 unique logins each day, Cloudwise helps school boards move towards zero trust architecture by securing potential entry points for cyber attacks with COOL Easy Login: our passwordless, MFA for students. We make IT for education fun, easy and innovative with cloud-based solutions specifically designed to support teachers in their daily tasks and challenges. Experience full classroom support with COOL Focus, an online classroom management tool and COOL Check, a secure digital testing environment.

Learn more