Multi-factor authentication (MFA)

Protection with MFA

Multi-factor authentication (MFA) involves confirming your identity in 2 or more ways when logging in. This helps keep accounts secure.

Hackers can steal usernames and passwords in many ways. Once they have your credentials, hackers can use them to carry out an attack or sell them on the dark web.

With this information, hackers might be able to:

  • access staff and student records
  • impersonate staff
  • steal funds
  • use the institution's email to spread malware

If a hacker gets your username and password, MFA means they can’t access your account without also completing the second verification step.

Where to use MFA

Senior leaders and staff (including internal and external IT support staff) who work with confidential, financial, and personal and sensitive data should use MFA.

MFA should be applied to:

  • admin or privileged accounts with elevated permissions (for example, system, cloud, or application admins)
  • externally accessible systems reachable from the internet (for example, email, web portals, and remote access tools)
  • cloud services or “software-as-a-service” (SaaS) platforms that store or process personal or sensitive data
  • VPNs and remote access technologies that provide access to internal networks

How MFA changes the way you access accounts

The additional step (alongside your login credentials) might be:

  • approving a request through an authenticator app
  • entering a code sent to your email
  • entering personal information only you know (such as a PIN or secret question)

Using MFA without a mobile phone

If your school does not allow mobile phones, there are other options for MFA. These can include:

  • authenticator apps that can be used on computers
  • biometric authentication
  • USB security keys

Choosing and implementing MFA

The National Cyber Security Hub has information on implementing MFA in an organisation.