In August CISA added "Single Factor Authentication" to its list of practices it considers "exceptionally risky" because it exposes you to an "unnecessary risk from threat actors". It has been officially added to CISA's "Bad Practices Catalog".
My experience is that if CISA recommends it, Superintendents are much more amenable to implementing the recommendation.
Also, if CISA says it, then your independent and NYS auditors won't be far behind in listing the lack of multi-factor or two-factor authentication as a deficiency in their technology audits.
As you have gotten better at protecting your physical networks from attack, the bad guys have gotten much more creative in launching "Ransomcloud" attacks against your cloud systems and data!
A joint study by Google, New York University, and University of California San Diego found that using MFA can block up to 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks. Microsoft and the FBI have said that approximately 99% of the attacks are thwarted by implementing MFA.
At this point, realistically every one of your users who has a phone is already using some form of MFA for one or more things in their lives. My kids are always waiting for the code to appear on mom's phone to download their apps. This is no longer the hardship it was a few years ago.
When thinking about MFA, we have to break it into two categories:
Web MFA: You need to turn on MFA for every web page, cloud folder, server or system, regardless of whether it is a discrete website, Google Apps for Education or Microsoft Office 365. Start with email and admin functions, then Google Drive or OneDrive for Business functions, and continue from there.
Network MFA: You should have MFA on your VPN connections, your remote control sign-ins, your RDP access, your administrator IDs, your sensitive data users, and even your local workstation logons.
We are very high on Cisco DUO MFA. It is a robust solution that easily handles everything I described. Individual web pages may have their own MFA as well, depending upon the vendor.
One really nice thing about Cisco DUO is that one user license can be used over and over for as many MFA scenarios as you need.
For instance, you can implement MFA as a requirement for all RDP connections. Then you can implement the same MFA for Google Apps or Office 365. Then you can implement the same MFA for VMware Horizon View and VPN connections. Then you can configure MFA to prompt on any workstation or server's console login only for administrator-type or sensitive-data logins, but not for limited-rights user logins.
That way you hold the users who expose the district to the most risk to a higher standard, and the masses don't have to be harassed or managed for this extra level of security.
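The policy above (web MFA for everyone, MFA on every remote and administrative surface, console MFA only for admins and sensitive-data users) is easy to state and easy to drift away from. The script below is an added example, not part of the original post and not Cisco DUO or any vendor's code: it takes a constructed inventory of accounts, applies the tiered policy described here, and produces the kind of MFA coverage gap list an auditor would ask for. Account names, groups and the "surfaces" vocabulary are assumptions made for the example.

```python
"""MFA coverage audit for a tiered policy (added example; constructed data)."""

# Surfaces the post says must always require MFA, for every user.
REQUIRED_FOR_ALL = {"email", "cloud_storage", "vpn", "rdp", "remote_control"}
# Console (local workstation/server) MFA is required only for elevated users.
ELEVATED_GROUPS = {"Domain Admins", "Server Admins", "Sensitive Data Users"}
# Assumed: a rule that says who must have MFA on the console login.
CONSOLE = "console"


def is_elevated(groups):
    """True if the account belongs to any admin or sensitive-data group."""
    return bool(set(groups) & ELEVATED_GROUPS)


def required_surfaces(account):
    """Surfaces on which this account must be MFA-enrolled under the policy."""
    required = set(REQUIRED_FOR_ALL)
    if is_elevated(account["groups"]):
        required.add(CONSOLE)
    return required


def find_gaps(inventory):
    """Return {username: sorted list of surfaces missing MFA} for non-compliant accounts.

    An account is compliant when every required surface appears in its
    'mfa_enrolled' set. Limited-rights users are NOT flagged for the console.
    """
    gaps = {}
    for acct in inventory:
        missing = required_surfaces(acct) - set(acct["mfa_enrolled"])
        if missing:
            gaps[acct["user"]] = sorted(missing)
    return gaps


def summarize(inventory):
    """Counts an auditor would want: totals, elevated accounts, and how many fail."""
    gaps = find_gaps(inventory)
    return {
        "accounts": len(inventory),
        "elevated": sum(1 for a in inventory if is_elevated(a["groups"])),
        "non_compliant": len(gaps),
        "elevated_non_compliant": sum(
            1 for a in inventory if is_elevated(a["groups"]) and a["user"] in gaps
        ),
    }


# Constructed sample inventory (hypothetical accounts, not from any real district).
SAMPLE_INVENTORY = [
    {"user": "jdoe", "groups": ["Staff"],
     "mfa_enrolled": ["email", "cloud_storage", "vpn", "rdp", "remote_control"]},
    {"user": "teacher2", "groups": ["Staff"],
     "mfa_enrolled": ["email", "cloud_storage"]},          # missing network MFA
    {"user": "netadmin", "groups": ["Staff", "Domain Admins"],
     "mfa_enrolled": ["email", "cloud_storage", "vpn", "rdp",
                      "remote_control", "console"]},
    {"user": "payroll1", "groups": ["Staff", "Sensitive Data Users"],
     "mfa_enrolled": ["email", "cloud_storage", "vpn", "rdp",
                      "remote_control"]},                  # console MFA missing
]

if __name__ == "__main__":
    for user, missing in find_gaps(SAMPLE_INVENTORY).items():
        print(f"{user}: missing MFA on {', '.join(missing)}")
    print(summarize(SAMPLE_INVENTORY))
```

In practice the inventory would be exported from your directory and from the MFA provider's enrollment list; the useful part is that the elevated-user rule lives in one place, so the "admins and sensitive-data users get console MFA, limited users don't" distinction is enforced consistently rather than remembered per machine.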
It is time to get MFA done district-wide for anything you can put MFA on, inside or outside the district.
If you have questions on how to implement this in your district, give us a call.