

How to make education MFA work in your school


What actually works when policy, people, and protection collide

I don’t know if you have noticed, but I think cybersecurity attacks and threats seem to be getting worse? I joke, but as I say this, more and more it appears that schools are right in the firing line.

Among the schools we speak to, MFA (multi-factor authentication) is seen as something that is hard to do, but also something they can’t avoid. Our current research shows that bridging the gap between what needs to happen and how it will happen is the challenge.

The problem isn’t just about getting MFA turned on—it’s about making it work in real schools. You’ve got mobile phone bans, shared devices, mixed BYOD setups, and limited IT resources. And somehow, the MFA solution is meant to handle all of that without blowing up the classroom or the help desk.

So, how do you make MFA work without grinding everything else to a halt? Let’s look at what’s actually working—and where schools are getting stuck.

 

Why MFA matters in today's educational institutions

 

The rise in attacks is real

Let’s be honest, cyberattacks in schools aren’t hypothetical—they’re happening, regularly. And it’s not just the big city schools or large systems. Regional schools, independent schools, K–12 environments—everyone’s in the blast radius now.

The reality is that schools are holding a lot more data than they used to—student wellbeing information, financial records, family contact details, psychological notes—and a lot of it is still sitting behind single sign-on or basic username-password setups.

The stat we keep coming back to: ransomware attacks in the education sector have gone up by more than 56% annually. That’s not a bump. That’s a trend.

Our research outlined that "schools are increasingly accountable in society and are full of rich, sensitive data including financial, medical, psychological, and family information".

 

Compliance expectations are growing

Security is no longer just an internal IT project—it’s now tied to board-level reporting, cyber insurance renewals, and regulatory alignment. MFA has moved beyond a "recommended control" into the realm of minimum viable compliance.

Since 2023, we’ve seen more schools directly aligning with ISO27001 and NIST-style frameworks, not just referencing them in policy but building them into their operating model. It's a shift from quietly aspiring to maturity into being expected to prove it.

And make no mistake, MFA is on every checklist.

 

Passwords don't cut it anymore

There’s a difference between password hygiene and password reality. And in schools, reality wins.

Here’s what we still see far too often:

  • Kids using the same four-digit password from Year 3 to Year 12
  • Shared logins between classmates "because it’s easier"
  • Staff using personal passwords across multiple platforms
  • Phishing attempts disguised as school admin messages landing daily

No MFA means one mistake opens the door. MFA means that same mistake gets stopped at the second gate. It’s not perfect—but it dramatically cuts risk. And that’s what we’re after.

 

 

Why schools struggle with MFA

 

Every device environment is a bit of a patchwork

There’s no standard-issue model when it comes to devices in schools. You’ve got:

  • Fully managed laptops for juniors
  • Shared or partially locked-down devices in middle years
  • BYOD chaos in senior years

And that’s before you factor in different platforms—Windows, ChromeOS, iPads, random Android devices. MFA tools built for corporate fleets usually fall apart under that level of variety. Schools need MFA that can flex across environments without needing five different policy sets.

 

Mobile policies don't match MFA expectations

Here’s where things go sideways fast: most MFA systems assume users have a mobile phone. In schools:

  • Phones are banned
  • Students don’t always have one
  • Even if they do, school policy often prevents them being used

So, schools get stuck—told to roll out MFA while also being expected to avoid mobile-based solutions. It’s no wonder that our research found that:

"Implementing MFA has become a nightmare." "You're expected to implement stronger security measures while simultaneously restricting the very devices many MFA solutions rely on."

 

Age matters more than tech companies realise

There’s a reason schools scaffold their digital tools. Our research shows schools increasingly recognise the importance of “age-appropriate scaffolding”. A login flow that works for a 17-year-old doesn’t translate to a Year 3 student.

If your MFA rollout doesn’t account for developmental stages—attention span, cognitive load, language—it’s going to frustrate users, create more help requests, and eventually get ignored.

 

Shared devices aren't going anywhere

Not every student has their own device, and shared machines still exist everywhere—library desktops, science lab carts, casual-use laptops in classrooms. MFA systems that assume every user has a dedicated device just don’t work here.

"Schools with fully managed device programs cite less learning downtime as a key benefit, noting that loaner devices ensure minimal disruption if a device is damaged, and automated updates maintain usability."

MFA needs to support that same flexibility—without adding extra steps that disrupt learning.

 

 

Teachers don't have time to troubleshoot logins

Classroom time is tight. If MFA gets in the way of starting a lesson—or causes students to get locked out—teachers will either bypass it or stop using the platform altogether.

Our research confirms this "remains a primary concern, with teachers not getting on board due to resistance to change."

If it’s clunky or inconsistent, MFA won’t survive long in the classroom.

 

School IT has no bandwidth for high-maintenance systems

In most schools, the IT team is already under water. New projects, software rollouts, password resets, printing issues—you name it, they’re doing it. Adding a new MFA system that requires constant adjustment or support just doesn’t land.

"Hiring competent staff is the biggest problem in schools. That's the hardest thing to get right. Schools are a very unique environment to work in. You need a unique set of school skills."

In this context, the only MFA that works is the one that stays out of the way. Simple, predictable, low-touch—every time.

 

 

How schools are getting MFA right

 

Start small, then expand

A staged rollout works best. Start with admin users, then move to teachers and older students. This allows for troubleshooting early and avoids mass disruption.

It also mirrors how most schools handle device policies across cohorts, which makes support easier.

 

Make it make sense to every group

Successful rollouts happen when communication is clear and simple. That means different messaging for staff, students, and parents.

Avoid jargon. Be direct. Show people how it protects them and what they need to do. Setup guides, quick videos, and visual walkthroughs can make a huge difference in adoption.

 

Train and support early

Your help desk (or help person) should be equipped from day one with:

  • Common FAQs
  • Troubleshooting scripts
  • Drop-in support options
  • Role-specific guides for students and staff

"Schools that successfully implement MFA typically invest in comprehensive support documentation, video tutorials and regular drop-in sessions..."

A little prep saves a lot of chaos.

 

Use contextual, risk-based authentication

Not every login needs the same level of security. Smart MFA platforms let you apply context to your authentication rules.

"Successful education MFA implementations typically employ risk-based authentication that considers location, device, and activity patterns..."

That means:

  • Allowing easy access on school-managed devices
  • Adding checks when off-campus or on unknown devices
  • Adjusting based on user roles (e.g. staff vs students)

Solutions like SureDeploy, integrated with Microsoft Intune, make this kind of flexible approach simple to manage.
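
The contextual rules listed above, expressed as a policy function. This is an added example, not code from the article, SureDeploy or Intune; the network range, role names, factor labels and the `LoginContext` and `decide` names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions for illustration, not from the article).
SCHOOL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
STAFF_ROLES = {"teacher", "admin"}
KNOWN_ROLES = STAFF_ROLES | {"student"}
# Phone-free factors of the kind the article lists. Platform biometrics are
# enrolled per device, so they only count on a school-managed machine.
ANY_PHONE_FREE = ("platform_biometric", "security_key", "smart_card")
ROAMING_ONLY = ("security_key", "smart_card")


@dataclass(frozen=True)
class LoginContext:
    role: str             # "student", "teacher" or "admin"
    device_managed: bool  # as reported by the school's device management
    source_ip: str


def on_school_network(ip: str) -> bool:
    """True only for a parseable address inside a known school range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # fail closed: a malformed address counts as off-campus
    return any(addr in net for net in SCHOOL_NETWORKS)


def decide(ctx: LoginContext) -> tuple[str, tuple[str, ...]]:
    """Return (action, acceptable second factors) for one login attempt."""
    if ctx.role not in KNOWN_ROLES:
        return ("deny", ())  # unknown role: never fall through to the easy path
    if not ctx.device_managed:
        return ("step_up", ROAMING_ONLY)  # unknown device
    if ctx.role in STAFF_ROLES or not on_school_network(ctx.source_ip):
        return ("step_up", ANY_PHONE_FREE)  # staff, or off-campus
    return ("allow", ())  # student, managed device, school network
```

The rule order matters: the unknown-role and unmanaged-device checks run before the network check, so being on a school network never relaxes the requirement for an unknown device.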

 

Integration is everything

If your MFA system doesn’t connect to your existing tools, it’s going to double your admin overhead. Schools are increasingly looking for solutions that tie into Microsoft 365, Entra ID, and their existing device management setups.

"Our research indicates schools increasingly seek 'all-in-one' solutions that combine key security, compliance, and management features into a unified platform."

Fewer tools. Less friction. Smarter management.

 

 

There are MFA options that don’t need phones

 

Most schools still default to the idea that MFA = phone. Push notifications, SMS codes, authenticator apps—great in theory, completely misaligned with how schools actually work.

And if students don’t have a phone? Or they’re not allowed to use one? The whole model falls apart.

There’s still a widespread belief that biometric MFA, like Windows Hello, requires a personal phone for initial setup. It doesn’t. That misconception is getting in the way of real progress.

SureDeploy, for example, is designed to work on school-managed devices from the start—no phones required, no dependency on student-owned gear.

Here’s what that actually looks like in the real world:

  • Logins using facial recognition or fingerprint scanning on school laptops
  • USB keys or smart cards that stay at school or home
  • Rules that automatically trust known school networks
  • Behaviour monitoring that only steps in when something feels off

It’s not a workaround—it’s how MFA should work in schools. No phone assumptions. No policy conflicts. No expecting a 10-year-old to get through a second-factor prompt on mum’s iPhone.

The schools that are doing this well aren’t waiting for workarounds—they’re leading with mobile-free MFA as a baseline. It simplifies rollout, supports consistent experience, and removes a massive blocker before it ever becomes a problem.

 

 

Making MFA a help, not a hurdle

MFA isn’t just about ticking off compliance checklists. When it works properly, it’s a background player that makes everything smoother—for staff, students, and IT. It’s not about security theatre—it’s about systems that quietly do their job.

Here’s what we’ve consistently seen when it’s set up right:

  • Security incidents drop
  • Phishing attempts don’t get traction
  • The password reset queue stops overflowing
  • Teachers stop treating tech like it’s out to get them
  • Students start to expect MFA as part of their normal routine

Done well, MFA becomes invisible—until it matters. That’s the goal.

The idea that you need a full infrastructure overhaul or have to relax your phone policies just to get proper MFA in place? Completely wrong.

 

It doesn't have to break policy or budget

One of the biggest blockers schools still run into is the myth that proper MFA needs to come with a new stack of infrastructure—or a compromise to mobile phone policies. It doesn’t.

Schools think they need to open the door to personal devices to get strong authentication in place. But that only happens when the tools aren’t built for schools in the first place.

Modern platforms like SureDeploy are designed to work inside school environments—not around them:

  • Works entirely on school-managed devices
  • No dependency on student phones
  • Integrates with existing identity systems
  • Rollout can be staggered to match resources

If your MFA rollout feels like it’s breaking everything else to get across the line, it’s probably not the right fit. The right solution will fit the school—not the other way around.

 

 

Wrapping up

 

Let’s not overcomplicate it—MFA is no longer optional, but that doesn’t mean it has to wreck your teaching day, your policies, or your IT team’s sanity.

You don’t need to run an enterprise environment to get this right. What you need is an approach that works with the age groups, devices, and staffing reality you’ve got. And you need it to run quietly in the background—no dramas, no disruption.

The schools doing this well aren’t chasing complexity. They’re choosing tools that slot into their environment, that respect their constraints, and that just work.

You can absolutely get there:

  • Keep systems secure
  • Support teaching, not slow it down
  • Honour your phone policies
  • Avoid creating another support burden

Strong MFA isn’t about ticking a box. It’s about making access smarter, safer, and smoother—for everyone.

 

Want to see how leading schools are reshaping device and access strategies?
Check out our whitepaper: Beyond BYOD: Redefining Device Strategies in Australian Independent Schools.

Security done right doesn’t slow you down. It gets out of the way and lets you get on with it.

 
