Cyber security

Implementing multifactor authentication (MFA) for students at NCG

By Hannah Marshall, Director of Information and Data Services at NCG

On Thursday 30th September NCG implemented MFA on Microsoft 365 for all students, no exceptions. You might think why not a phased rollout? With over 40,000 student accounts in our Microsoft Tenancy across our seven colleges we simply couldn’t resource a phased rollout, and to be honest having any accounts not protected with MFA in our tenancy was a significant risk for NCG.

When I first started discussing implementing MFA for students with colleagues at NCG, which if my memory serves me correctly was in January 2021, there was a real sense of caution about it although with an acknowledgement that it was the right thing to do given the current risks being faced in the Education sector. There were questions about how students who didn’t have access to a mobile or digital device would access MFA and what about those learners who needed to be supported on site?

Now, as you know, MFA isn’t just specific to Education or indeed Microsoft, so although your students might not realise it, they are probably already using MFA with their personal accounts and for those that enjoy online gaming they are too, so the concept will be familiar to them even if they do not recognise the terminology. I did test this thinking and discussed the implementation of MFA with some of our students in Carlisle College. I did get a puzzled look when I mentioned the term but once I explained the concept there were a lot of nods around the room when asked if they already used it on their personal accounts.

The biggest consideration when rolling out MFA to colleagues across NCG, which is now fully complete, was how to limit disruption to teaching and learning across our seven colleges.

Having the A3 Microsoft licencing model allowed us to create a conditional access policy to prevent authentications being required on site as it was set as a trusted location, which has been great for MFA adoption and this would also be in place for students. This made it a much easier engage with our Executive Board/Principals as it meant our students wouldn’t need to authenticate unless they were working off campus.

We also put in some additional support measures, which were welcomed by the colleges, specifically for students which included:

  • A range of guides and videos on how to set up and use MFA. This was done in collaboration with our Marketing and Communications team to ensure we had the messaging right for our students.
  • The creation of a shared mailbox for students to email any questions or support requirements they had with MFA.
  • As MFA approval would only be required off site, we extended our ServiceDesk cover into the evening for a period of four weeks.

So, if you are sat there thinking about tackling those conversations about MFA for students, whether that be Microsoft or another solution, then here are my top three pieces of advice:

  • Get Exec/Principal support – this has to be led from the top.
  • Students are more than likely already using MFA and if they aren’t then you are providing them with not only life skills but skills they can take to the workplace, as most organisations will now use MFA.
  • Following implementation, we only had a handful of queries which shows that students, whether they know it or not, are familiar with MFA.

Leave a Reply

Your email address will not be published.