Security is important to MySchool. Your system already has robust protection, and we are now adding a further layer to it: Multi-Factor Authentication (MFA).
MFA adds an extra layer of protection by requiring a second form of verification, a one-time code from an authenticator app, in addition to the password. This means that even if a password is compromised, the account remains protected. In this article, we explain how MFA works, why it matters, and how to set it up.
Please note that if you sign in to your MySchool system via SSO/SAML, MySchool's MFA cannot be used; contact your SAML provider for guidance on enforcing MFA on their side.
How does it work?
MFA requires users to install a third-party authenticator app on a mobile device; the most common are Google Authenticator, Microsoft Authenticator and 2FA.
Your users need to have one of these apps available on a mobile device. MFA can also be made optional for your users.
Points to consider:
- MFA is applied per user group, so decide who needs it activated. We suggest using the built-in groups of staff, students and guardians.
- Enforcement can be mandatory or optional.
- An enrollment period is required. Decide how long users have to enroll in MFA before the cut-off.
- Communicate with your users before activation so that they can install one of the supported apps in advance.
- Users will still sign in with their MySchool password; this does not change. If you intend to revise your password policy, this is a good opportunity to do so.
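To show the mechanism behind the authenticator app, here is an added Python example that is not MySchool's code. It implements the time-based one-time password algorithm (TOTP, RFC 6238) that Google Authenticator and Microsoft Authenticator use, on the app side (generate the code shown on the phone) and on the server side (verify it, allowing one 30-second step of clock drift and refusing a code that has already been accepted). The secret is the RFC 6238 test key, not a real credential, and the 30-second step, six-digit codes and one-step drift window are assumed defaults; MySchool's own settings are not shown in this article.

```python
# Added example, not MySchool's code: TOTP (RFC 6238) as used by Google
# Authenticator and Microsoft Authenticator. Step, digits and drift window
# are assumed defaults; the secret is the RFC 6238 test key, not a real one.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed: standard authenticator-app time step
DIGITS = 6          # assumed: standard code length

# RFC 6238 test secret (ASCII "12345678901234567890") in the base32 form
# that an enrolment QR code for an authenticator app carries.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp_code(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Base32 as shown in enrolment QR codes, tolerant of missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp_code(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """What the authenticator app displays at a given time (app side)."""
    return hotp_code(decode_secret(secret_b32), unix_time // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, used_counters=None) -> bool:
    """Server side: accept the current step plus `window` steps either side
    (phone clock drift), compare in constant time, and refuse a counter that
    was already accepted so a captured code cannot be replayed within its
    validity period."""
    if len(submitted) != DIGITS or any(c not in "0123456789" for c in submitted):
        return False
    key = decode_secret(secret_b32)
    current = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if used_counters is not None and counter in used_counters:
            continue                                 # already spent: replay
        if hmac.compare_digest(hotp_code(key, counter), submitted):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    seen = set()
    print(totp_code(RFC6238_SECRET_B32, 59))                                   # 287082
    print(verify_totp(RFC6238_SECRET_B32, "287082", 59, used_counters=seen))   # True
    print(verify_totp(RFC6238_SECRET_B32, "287082", 59, used_counters=seen))   # False, replayed
```

The server never needs the phone: both sides derive the same code from the shared secret and the current time, which is why the enrolment QR code must be treated as a credential and why a stolen password alone is not enough to sign in.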
Configure your security settings
Open the configuration panel and, on the first tab (Core), open the configuration options under User groups and security settings. Two new permissions are added to the super user security group: Manage login and password policy, and Manage MFA policy.
Let's look at the options available.
Brute force protection
Apply rules to failed logins to determine whether a user account is disabled outright or locked for a set time frame. This stops automated (bot) password-guessing attempts.
By default, the system does not disable an account when a wrong password is entered. You can set how many failed attempts a user is allowed before the account is automatically disabled.
Note: if a user exceeds the set number of attempts, you must decide what happens to the account status. If you choose 'Disable accounts', the profile must be reset manually via the Security tab.
To reactivate a disabled account, go to the Security tab on the user's profile and set the account status back to Active. Then send them a new password using Send login invite.
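As an added illustration, not MySchool's code, the following Python models the two brute-force options described above as a small login state machine: a failed-login counter that either locks the account for a set time or, with the 'Disable accounts' choice, disables it until an administrator resets it from the Security tab. The threshold of five attempts, the 15-minute lockout and the accounts themselves are assumed values; MySchool's actual defaults are not stated in this article.

```python
# Added example, not MySchool's code: the brute-force options described above
# (timed lockout vs. 'Disable accounts') as a small login state machine.
# Threshold, lockout duration and the demo accounts are assumed values.
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5      # assumed threshold (set in the security settings)
LOCKOUT_SECONDS = 15 * 60    # assumed lockout time frame


@dataclass
class Account:
    username: str
    password: str                 # constructed demo value; store only a hash in practice
    failed_attempts: int = 0
    status: str = "active"        # "active", "locked" (timed) or "disabled" (needs admin)
    locked_until: Optional[int] = None


def attempt_login(account: Account, password: str, now: int,
                  mode: str = "lock") -> Tuple[bool, str]:
    """One login attempt at unix time `now`.
    mode="lock":    after the threshold the account is locked for LOCKOUT_SECONDS.
    mode="disable": after the threshold the account is disabled until admin_reset().
    A correct password is rejected while the account is locked or disabled, so a
    guessing bot gains nothing by continuing to hammer the login endpoint."""
    if account.status == "disabled":
        return False, "disabled"
    if account.status == "locked":
        if account.locked_until is not None and now < account.locked_until:
            return False, "locked"
        # Lockout has expired: restore access and start counting again.
        account.status, account.locked_until, account.failed_attempts = "active", None, 0
    if hmac.compare_digest(account.password.encode(), password.encode()):
        account.failed_attempts = 0          # success resets the counter
        return True, "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        if mode == "disable":
            account.status = "disabled"
            return False, "disabled"
        account.status = "locked"
        account.locked_until = now + LOCKOUT_SECONDS
        return False, "locked"
    return False, "bad_password"


def admin_reset(account: Account) -> None:
    """The manual reset from the profile's Security tab: status back to Active."""
    account.status = "active"
    account.failed_attempts = 0
    account.locked_until = None


def simulate_guessing_bot(mode: str, guesses: int = 8, start: int = 1_000) -> List[str]:
    """Run a bot making one wrong guess per second; return each attempt's outcome."""
    account = Account("jsmith", "correct horse battery staple")   # constructed account
    return [attempt_login(account, "password123", start + i, mode)[1]
            for i in range(guesses)]


if __name__ == "__main__":
    print(simulate_guessing_bot("lock"))      # four bad passwords, then locked
    print(simulate_guessing_bot("disable"))   # four bad passwords, then disabled
```

The timed lockout recovers on its own, which is why it is the gentler default; the 'Disable accounts' choice gives stronger protection against a persistent bot but turns every lockout into a help-desk ticket, so pair it with clear user communication.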
Password policy
If you would like to change your password policy, you can adjust it on the MFA configuration panel. If you change any settings, do so at a quiet time for your school and forewarn users beforehand. You can reset the whole school's passwords from the mass invitation screen.
Session management and MFA
Sessions expire when no activity is detected; the default timeout is 1 hour.
Activating MFA takes effect immediately, so make sure you have informed your users first.
Decide whether MFA is mandatory for the selected user groups or whether those users can still choose to activate it or not.
Activate MFA on user groups
Open the user groups and activate MFA enforcement for their members, as explained above. Best practice is to apply this to the built-in groups. The enrollment cut-off gives users a time frame in which to activate MFA on their accounts; accounts that have not enrolled by then are disabled.
Check out this article, which explains how users can activate MFA on their account.
Please note that MFA cannot be activated if you sign in via SAML. Use your SAML/SSO provider's MFA for this instead.