MFA in Schools – Protecting Staff Accounts and Reducing Cyber Risk
Multi-Factor Authentication (MFA) is one of the most effective ways to reduce the risk of account compromise in schools. Most successful incidents in education still start with common methods like phishing or stolen passwords – not “Hollywood hacking”. Requiring a second sign-in step makes it far harder for an attacker to access Microsoft 365, Google Workspace and other systems, even if a password is leaked.
The DfE’s Cyber Security Standards for schools and colleges specifically call out MFA as a key control for protecting accounts. The NCSC also provides detailed guidance on MFA and recommends stronger, phishing-resistant approaches where possible.
For schools and multi-academy trusts, a cyber security audit from Classroom365 can highlight where MFA, patching, and access controls need tightening.
What is MFA in a school context?
MFA is also commonly called 2FA (two-factor authentication). In practice, schools usually use the terms interchangeably, although MFA can include more than two factors.
MFA (multi-factor authentication) means users must provide two or more proofs of identity when signing in, usually:
- Something you know (password).
- Something you have (app prompt, code, token, security key).
- Something you are (biometrics like fingerprint/face on a managed device).
In education, MFA is most commonly used to secure:
- Staff email accounts (Microsoft 365/Google Workspace).
- Admin portals.
- MIS, finance and HR systems.
- Safeguarding and pastoral systems.
- Remote access and VPNs.
Why MFA Matters for Schools and Multi-Academy Trusts
Schools hold large volumes of sensitive information (pupil data, safeguarding records, staff HR data). A compromised account can quickly lead to:
- Email account takeover (sending convincing phishing internally).
- Data exposure via SharePoint/OneDrive/Google Drive.
- Business email compromise (fraud attempts targeting finance).
- Lateral movement into other systems.
- Ransomware-related disruption after initial compromise.
MFA is one of the simplest “high-impact” steps schools can take to reduce this risk, and it aligns with DfE expectations. Because many account takeovers start with phishing, we also recommend schools run phishing simulations to identify risk and improve reporting behaviour.
MFA is an important part of ransomware protection because it helps prevent attackers from using a stolen password to access your accounts and spread disruption.
Where to Start – Who Should Have MFA First?
If you’re rolling out gradually, prioritise the accounts that create the most significant risk if compromised:
Phase 1 (priority accounts)
- SLT and headteacher accounts.
- School Business Manager and the finance team.
- DSL and safeguarding leads (where accounts access safeguarding platforms).
- IT admins, global admins and super admins. These roles are different and should be handled carefully.
- Staff with access to payroll, HR, admissions, exclusions and sensitive exports.
Phase 2 (all staff)
- Teachers and support staff with email and cloud access.
- Site team accounts with access to systems.
- Shared service accounts (ideally replace with named accounts + delegated access).
Students
Student MFA can be appropriate in some cases, but schools often start with staff first and then assess student MFA based on age, device model and operational impact.
MFA (2FA) Methods – What Works Best?
Not all MFA methods offer the same protection. The NCSC has highlighted that some methods are more resistant to phishing than others, and recommends stronger approaches where possible.
Authenticator app (common choice)
- Prompt approvals or time-based codes.
- Usually quick once staff are used to it.
- Good balance of security and usability.
- Microsoft 365 supports this method natively, with the Microsoft Authenticator app being the usual choice for sign-in verification.
Hardware tokens/code fobs (great for schools that avoid personal mobiles)
- No personal phone required.
- Consistent sign-in process for staff.
- Ideal for staff who don’t want app-based MFA.
Security keys/passkeys (phishing-resistant, best for high-risk accounts)
- Physical key (USB/NFC) or device-bound passkey.
- Strong protection against credential phishing.
- Excellent for admin, finance and SLT accounts.
SMS codes (not ideal, use only if needed)
- Better than no MFA at all!
- Generally weaker than app/key options, and can be more vulnerable to social engineering.
Classroom365 recommends the Yubico series of security keys, available at retail prices starting from £25.00 (ex VAT), with education discounts available. Insert the key into your device via USB-C, or authenticate by NFC – they are the most secure way to enforce MFA.
MFA for Microsoft 365
Most email compromises we see involve Microsoft 365 accounts, so it’s worth getting the basics right:
Recommended approach
- Enforce MFA for all staff (or at minimum all privileged/high-risk users).
- Protect admin roles first.
- Use Conditional Access policies where appropriate (MATs often benefit most here).
- Microsoft’s admin guidance covers setting up MFA and moving from “security defaults” to Conditional Access policies for more control.
Common school pitfalls
- Shared admin accounts (move to named accounts + role-based access).
- “Break glass” accounts not handled safely (should be tightly controlled and monitored).
- MFA exemptions created for convenience and never reviewed.
- Staff locked out due to poor rollout planning.
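As an added example (not the page's or Classroom365's own code), the following PowerShell uses the Microsoft Graph PowerShell SDK to list every user and group excluded from an enabled Conditional Access policy that requires MFA, so the "exemptions created for convenience" pitfall can be reviewed regularly. It assumes the Microsoft.Graph module is installed and the signed-in admin has the read-only Policy.Read.All, User.Read.All and Group.Read.All permissions.

```powershell
# Added example: report MFA exemptions in Conditional Access (read-only).
# Every entry printed should be either a known break-glass account or a
# documented, time-limited exception; anything else is an unreviewed gap.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "Group.Read.All"

# Keep only enabled policies that actually require MFA, either through the
# built-in "mfa" grant control or through an authentication strength
# (used for phishing-resistant requirements such as security keys).
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq "enabled" -and (
        $_.GrantControls.BuiltInControls -contains "mfa" -or
        $null -ne $_.GrantControls.AuthenticationStrength
    )
}

foreach ($policy in $mfaPolicies) {
    Write-Host "Policy: $($policy.DisplayName)"
    $excludedUsers  = @($policy.Conditions.Users.ExcludeUsers)
    $excludedGroups = @($policy.Conditions.Users.ExcludeGroups)

    if ($excludedUsers.Count -eq 0 -and $excludedGroups.Count -eq 0) {
        Write-Host "  (no exclusions)"
        continue
    }

    # Exclusions are stored as object IDs; resolve them to names for the review.
    foreach ($userId in $excludedUsers) {
        try {
            $upn = (Get-MgUser -UserId $userId -Property UserPrincipalName).UserPrincipalName
        } catch {
            # A stale ID usually means a deleted account still listed as exempt.
            $upn = "$userId (could not resolve - deleted user?)"
        }
        Write-Host "  Excluded user : $upn"
    }

    # Group exclusions hide their real size; show how many accounts each one exempts.
    foreach ($groupId in $excludedGroups) {
        $group   = Get-MgGroup -GroupId $groupId -Property DisplayName
        $members = @(Get-MgGroupMember -GroupId $groupId -All)
        Write-Host "  Excluded group: $($group.DisplayName) ($($members.Count) members)"
    }
}
```

Run it after each half-term or whenever a helpdesk "temporary" exemption is granted, and compare the output with the previous run so new exclusions stand out.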
MFA for Google Workspace for Education
Google refers to MFA as 2-Step Verification (2SV). You can roll it out by organisational unit (OU) or groups and then enforce it once staff are enrolled. Google’s Admin documentation includes guidance on deploying and enforcing 2-Step Verification and on avoiding lockouts when enforcing it.
Common school pitfalls
- Enforcing 2SV before staff have enrolled (can cause lockouts).
- Mixed device estate with limited sign-in methods (plan by OU).
- Admin accounts not protected first.
Making MFA Workable in Education
MFA succeeds when it’s treated as a change management project, not just a technical setting.
Accessibility and SEND considerations
The DfE standards note that MFA may not be accessible for some users, and SLT should discuss alternatives or additional support.
Practical adjustments can include:
- Using hardware tokens instead of apps.
- Providing step-by-step sign-in guides.
- Offering short 1:1 onboarding for staff who need support.
Practical rollout steps that reduce friction:
- Start with a pilot group (SLT + office) and fix issues early.
- Provide a simple “how to sign in” one-pager.
- Set a clear deadline and staged enforcement.
- Decide your “no personal phone” approach (tokens/key options).
- Ensure the helpdesk is ready for the first week of rollout.
How Classroom365 Can Help
Classroom365 supports schools and MATs with MFA as part of wider cyber security support:
- Review your current Microsoft 365/Google Workspace MFA status and risks.
- Recommend the best MFA method (apps vs tokens vs security keys).
- Configure policies (including Conditional Access where appropriate).
- Support rollout planning, staff guidance and helpdesk onboarding.
- Ongoing monitoring and account protection improvements.
If you’d like, we can also advise how MFA supports Cyber Essentials alignment and helps reduce phishing-led compromise risk (particularly for admin, finance and safeguarding-access accounts).
Frequently Asked Questions (FAQ)
What is two-factor authentication in education?
Two-factor authentication (2FA) is a sign-in method that requires two checks to access a school account – usually a password plus a second step such as an app approval, one-time code, hardware token or security key. In education, 2FA is used to protect staff email, Microsoft 365/Google Workspace, MIS and other systems, reducing the risk of phishing-led account compromise.
Will MFA stop phishing completely?
It significantly reduces risk, but it’s not a silver bullet. Staff training, secure configuration and monitoring still matter. The NCSC recommends stronger MFA options where possible because not all MFA methods offer equal protection against phishing.
How does MFA help protect your school account?
MFA (multi-factor authentication) adds an extra sign-in step, so a stolen password alone isn’t enough to access your account. This makes it much harder for attackers to take over staff email and cloud storage, send phishing from your account, or access sensitive school data. It’s one of the most effective controls against the most common attack type in schools – phishing.
Is 2FA the same as MFA?
In most school settings, people use the terms interchangeably. 2FA means two factors (password + one more step). MFA means multi-factor and can include two or more steps. In practice, when schools say “enable 2FA”, they usually mean “turn on MFA” for user accounts.
How do I add my school account to Microsoft Authenticator?
Install Microsoft Authenticator on your phone, then add your school account using the method your school provides (usually a QR code):
- Open Microsoft Authenticator.
- Tap Add account → Work or school account.
- Choose Scan a QR code (or Sign in if prompted).
- Follow the on-screen steps to complete setup.
If you don’t have a QR code or get stuck, your IT team/Classroom365 can reset registration and guide you through the correct setup for your school’s Microsoft 365 security settings.
Can we enforce MFA in Google Workspace?
Yes – Google Workspace supports enforcing 2-Step Verification after users are enrolled.
Do we need MFA for every school staff member?
Best practice is yes – start with higher-risk accounts (SLT, finance, admin, IT admins) and roll out to all staff. MFA is a key control referenced in the DfE Cyber Security Standards.