Passwordless Authentication in Education

Author avatar
Kevin Hazzard 13 September 2023
Passwordless Authentication in Education

The Need for Passwordless, Two-Factor Authentication in Education 


“Hackers don’t break in—they log in.” - Microsoft Chief Information Security Officer Bret Arsenault


Securing the accounts of teaching and non-teaching staff and administrators presents its own set of unique challenges. If 2FA is enabled are staff required to use their personal cell phone? Will administrators have dedicated devices? Will the board invest in security keys for staff? What about students? How can school boards implement passwordless authentication for students when they don’t have cell phones, devices with biometric recognition or security keys? 


We know passwordless authentication is the future. In May of this year, Google, Microsoft and Apple, along with the FIDO alliance, announced that users could begin to use passkeys, as an additional option to using passwords and 2FA, to access their accounts, apps and supported websites. If there was any question of where Google stands on the topic, the title of their blog post The Beginning of the End of The Passwordmakes it abundantly clear.  


Passwordless authentication is more secure and creates a better user experience than entering a username and password. This is something of critical importance to the education industry. According to the 2023 Canadian Cyber Security Study published by CDW, across all industries and organization size, the highest hit rate for successful cyberattacks were in Education and Government at 10%. Education contains many unique challenges and obstacles to overcome in regards to cybersecurity. Firstly, the size of the attack surface combined with limited budgeting resources make defending against cyber attacks increasingly difficult for school boards. Secondly, the age and ability of students presents many challenges in implementing passwordless or complex password policies. The most common attack vector is weak or compromised credentials (Fortinet) yet many of the boards we speak to share the same concern. Their FGPPs for K-3 students and in some cases all elementary students contain no complexity. It makes sense of course. Trying to get a classroom of 6 year olds to sign in with a 12 or more character complex password would be unrealistic, but the fact remains. Student accounts, and specifically the accounts of younger students present a security liability for school boards. 


Password policies for school board staff present many challenges as well including password fatigue, calls to the IT Help Desk and phishing attacks. Each of these are pushing IT Departments to find a better solution. 


But: what options are available to school boards who want to go passwordless? The IT administrators that we speak to are looking for simple and secure login options for their students, but also their teaching and non-teaching staff, administrators and senior administrator teams. The challenge however, is that creating a plan towards passwordless authentication in education is not a one size fits all approach.


With school boards grappling with the best approach to take, we outline some of the current options available, their potential usage in the education industry and some of the pros and cons associated with each. 


Cloudwise COOL Easy Login 

 

Pre-Requisites, Systems and Devices 
  • Board Managed Chromebooks
  • Azure Active Directory or Google Workspace 
User Experience
  • Students sign in to their Chrome device as well as to their Google and/or Microsoft accounts and connected applications as a single sign on using a QR Badge and Picture combination. 
  • Teachers and/or dedicated staff print QR badges for the students. 
Usage Group 
  • Students 
Pros/ConsPros: 


  • Simple and secure Single Sign On for students. No need for cell phones, costly hardware keys, biometric recognition or dedicated devices
  • Save students and teachers valuable teaching and learning time
  • Reduction in calls to the IT Help Desk for password resets. 
  • Trusted endpoints. COOL Easy Login works on board managed devices. 
  • Provides significant support to English Language Learners and students with special needs who have a difficult time typing in usernames and passwords. 
  • Reduce the impact of successful phishing attacks against student accounts. No passwords to share! 
  • Google and Microsoft Authentication 

Cons: 

  • Currently available only on Chrome devices. Windows devices coming soon! 

 

Microsoft Authenticator App 

 

Pre-Requisites, Systems and Devices 
  • Downloading the Microsoft Authenticator app
  • Phone (iOS and Android devices)
  • PIN and biometrics recognition on phone
User Experience
  • Microsoft Authenticator App can be used as the second step in 2FA with a password or as a passwordless sign in option 
  • Users sign in using a mobile phone with fingerprint scan, facial recognition, or PIN.
  • Applicable for accessing work or personal applications on the web from any device using a cell phone
Usage Group 
  • Senior Administrators
  • Administrators
  • Teaching Staff
  • Non-Teaching Staff
Pros/ConsPros: 


  • Simple and secure 2FA and/or passwordless login solution 
  • Inexpensive and relatively easy to implement 

Cons: 

  • Staff would need to have a cell phone with them to authenticate
  • Resistance from staff to downloading Microsoft Authenticator App onto a personal device 
  • Impractical for student usage due to the requirement of a cell phone 

Choosing a Passwordless Method 

 

FIDO2 Security Key 

 

Pre-Requisites, Systems and Devices 
  • Windows 10, version 1903 or later
  • Azure Active Directory
User Experience
  • Users can authenticate to their device using biometrics, PIN, and NFC.
  • Allows users to authenticate to shared personal or board devices where a cell phone is not an option. 
Usage Group 
  • Senior Administrators
  • Administrators
  • Teaching Staff
  • Non-Teaching Staff
Pros/ConsPros: 


  • Fast, simple and secure passwordless authentication 
  • Passwordless authentication when a cell phone is not available.
  • Staff do not need to use a personal cell phone or require a dedicated device

Cons: 

  • Cost. Security keys range in the $50-100 depending on quality and biometrics capability. 
  • Forgetting a key. Users would need the physical key on them. If users forget the key at home or do not have access to it, they will not be able to access their accounts. 
  • Losing a key. If a key is lost, the account will need to be secured to prevent it being potentially accessed. 
  • Impractical for student usage due to the cost, compatibility with school devices and potential for the key to be lost, stolen or damaged. 

 

Windows Hello 

 

Pre-Requisites, Systems and Devices 
  • Windows 10, version 1809 or later
  • Azure Active Directory
  • PC with a built-in Trusted Platform Module (TPM)
  • PIN and biometrics recognition
User Experience
  • With Windows Hello, users can sign in using a PIN or biometric recognition with their Windows devices.
  • Windows Hello authentication is tied to the device, meaning the user needs both the device and a sign-in component such as a PIN or biometric factor to access their account.
  • Windows Hello can be used in combination with a FIDO2 Security Key 
Usage Group 
  • Senior Administrators
  • Administrators
Pros/ConsPros: 


  • Simple, secure passwordless authentication to Board accounts.
  • Can be used with a FIDO2 Security Key for additional account security 
  • Ability for Single Sign On to device and applications

Cons: 

  • Requires a dedicated Windows device which would be costly to distribute at scale to all staff
  • Impractical for student usage  

 

Google Passkeys 

 

Pre-Requisites, Systems and Devices 
  • A device with touch or facial recognition software 
User Experience
  • A PIN, swipe pattern or biometrics are used to authenticate a user on their personal or work accounts as well as connected applications and websites 
Usage Group 
  • Senior Administrators
  • Administrators
  • Teaching Staff
  • Non-Teaching Staff
Pros/ConsPros:


  • Simple and secure login to Google and Microsoft accounts as well as supported applications and websites
  • No need to remember different passwords for different sites.
  • Supported across major platforms 

Cons: 

  • Passkeys became available in May this year. They will take time to become more widely used and accepted
  • Require a device with touch or face ID 
  • Impractical for students and staff who do not have a supported device 


Communities
Cyber Security & Risk Management
Technology & Transformation
Region
Canada Canada

Published by

Author avatar
Kevin Hazzard Business Developer, Business Development Canada