Cell Phone Ban & 2FA/MFA


Jake Wills

Dec 17, 2023, 9:21:41 PM
to Techies for schools
Question for those schools that already have a ban in place or have worked out a way around this...

Things I know...
  • The current policy is ‘Away for the day’ and from the latest bulletin "the expectation of our new coalition Government is that you are ready to implement a cellphone policy that has cellphones ‘away for the day’ as soon as possible in Term 1 2024."
  • Accounts are most secure when they use two-factor / multi factor authentication.
  • Most of the methods used for 2FA/MFA are the use of a cell phone to either use an authenticator app or (less ideally) receive a text message
  • I know that there are USB keys that you can get, but expecting students to use one of them rather than a device they already have I don't think is a viable solution (let alone the equity issues that would create... as they aren't the cheapest of devices)
So, with all that said... what solutions are there, other than encouraging students to not use 2FA?

Would love to hear your clever ideas.

Alistair Baird

Dec 17, 2023, 9:25:08 PM
to techies-f...@googlegroups.com
Pen/paper chalk and slate tablet !


--

Kind regards,
Alistair Baird
IT Manager


P  06 354 4198
stpeterspn.school.nz

  @stpeterspn

1 Holdsworth Avenue, Milson
Palmerston North, 4414

Jono Green

Dec 17, 2023, 10:57:22 PM
to techies-f...@googlegroups.com
It's worthwhile noting that you can do an "MFA outside school network" approach if you're looking to achieve both the Away for the day and also MFA requirement. Conditional Access is reasonably straightforward to set this up in terms of treating your school Public IPs as a named location and any sign-ins that occur outside the school network require MFA. If you're a Google school then you have the option of establishing Single-Sign-On between Microsoft and Google to take advantage of Conditional Access + other Microsoft 365 A5 Security capabilities. At its most basic, MFA is there to provide additional confidence that you are who you are signing in as rather than ticking a box so the confidence is high for a student signing in from within the network.

Cheers,
Jono

 

Jake Wills

Dec 17, 2023, 11:06:31 PM
to Techies for schools
Thanks Jono... that would help a bit... but not solve the problem I've got kids to turn on the MFA for most often which is other kids logging in as them at school. We don't enforce 2FA for our students, and don't have MSFT as our SSO for Google (we use Google SSO for most things)

And yes... they do share their passwords sometimes (read quite often) ... or use the same ones for multiple services... or sometimes their friends just watch over their shoulder while they type it in... 2FA is definitely helpful for all of those issues which definitely happen more at school than at home from when I've tried tracking IP addresses in the past.

But does stop external actors.

Marlon Yu

Dec 18, 2023, 1:16:24 AM
to techies-f...@googlegroups.com

Hi Jake,

 

Not sure if it’ll help but try looking at Authy by Twilio. They have a desktop client that can be installed which negates the need for a mobile phone for MFA. This is our fallback plan for staff who either don’t have a smartphone or refuse to use their personal phone for school MFA. However, we’ve only tested this on Windows PCs. Not sure how that would work if your students were using Chromebooks but might be worth looking at.

 

Marlon

 


Andrew Hood

Dec 18, 2023, 3:23:36 PM
to Techies for schools
Marlon - I thought that Authy needed to be linked to a mobile phone number per account? So are you using it for staff who have a mobile phone but not one that supports Google Authenticator etc. or have a mobile phone number but won't use it for school purposes?

My thoughts on MFA for students were more around Equitable Access, where students using mobile MFA requires a student to have a mobile phone in the first place. 300,000 hardware tokens (say Yubikey) in the hands of teenagers is an interesting problem space.

There are some solutions like LastPass that can create Code Grids that can be printed and used as a secondary challenge. That is what I used for my kids before they got mobile phones that would support Google Authenticator.

A slight side question - what kind of proportion of High School students were bringing mobiles to school every day? 60%? 80%? 99.9%?

Thanks,

Andrew 

Danielle Vandendungen - MoE

Dec 18, 2023, 5:54:47 PM
to Techies for schools
Hi Jake,
How many of the Chromebooks have fingerprint readers? Could that be an alternative?  Set up & sign in with fingerprint on your Chromebook - Chromebook Help (google.com)

Has anyone looked into or tried Passwordless / passkeys? It will only work for schools that have dedicated devices / don't use a computer lab and would need a recovery plan for if a device was lost/stolen.

What are students stealing/sharing each other's passwords for?

Danielle

Jake Wills

Dec 18, 2023, 7:38:52 PM
to Techies for schools
Marlon: 
Thanks for that idea... doesn't solve the issue of logging into the chromebook in the first place, but definitely works beyond that... given most of the chromebooks these days can run android apps, that would mostly work... although does defeat the purpose somewhat.

Danielle:
I don't think I've seen any of the kids with a chromebook have a fingerprint reader... definitely none of the shared devices we have at school have them.
We have labs and shared chromebooks for those students that can't / don't have their own device... so passkeys don't work in that situation.
As for sharing / stealing passwords... they do that to "have fun"... i.e. post inappropriate things from other people's accounts because it is "funny"... education is the solution here... and 2FA has always been a part of the education I'd been doing, but without a secondary device (or the secondary device most of them have) allowed at school, makes it a bit harder.

Jake Wills

Dec 18, 2023, 7:49:29 PM
to Techies for schools
And Andrew... I'd say of our school of 1500, there might be a dozen kids max that don't bring a cell phone every day... and most of them are in Year 9.

We surveyed our students and parents last year about cellphones at school... it was very interesting... 97% of students don’t want phones to be banned at school. The parents were very split (basically down the middle - we got 450 responses, so a fairly high uptake) as to whether students should be allowed cellphones at school... with strong opinions from both ends... the comments were a great read as to the justifications made on both sides for reasons why vs why not.

Peter Lambrechtsen

Dec 18, 2023, 11:05:02 PM
to techies-f...@googlegroups.com
I have done some work with a number of government agencies with TOTP Tokens.

This is for the edge cases for folks who can't / won't use Microsoft Authenticator / Authy or other TOTP based authentication clients for various reasons.

My experience has been the Token2 ones are pretty good, cheap (ish) and "just work".
We also got these tokens for folks with accessibility issues  https://www.token2.com/shop/product/molto-2-v2-multi-profile-totp-programmable-hardware-token
The advantage of these ones is you can plug into a USB port and it turns up as a HID keyboard, so you press a button on the top and it injects the 6 digits rather than needing to type it. However I have found anyone who has accessibility issues tends to already have a decent phone and prefers to use that.

The advantage of these tokens is they can be re-programmed using an NFC Phone or an NFC Reader plugged into a Windows Desktop. I have picked up an ACR122 off AliExpress for $20 and that works perfectly on my desktop. And I have a nice PowerShell script that generates a TOTP Token, and then uploads it to the hardware token and creates a CSV file ready to upload to Azure. https://gist.github.com/plambrechtsen/f712cedf9ead5015314170600be59fe5
And they work equally as well on Google as an external TOTP hardware token.

Have some (5) eval units I could post to anyone who needed one, these aren't the Token 2 but another vendor we didn't go for, they aren't programmable but I will send the TOTP seed as well and they are free.

Happy to chat about other hardware tokens and my view of them. But going for a programmable TOTP token is my strong recommendation as then they can be re-programmed for a new user, resync the time on the token as they tend to drift and can change from a 30 second change to 60 second change.

Cheers, Peter
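
The post above mentions hardware TOTP tokens drifting and switching between 30 and 60 second steps. As an added example (not part of the post or the linked gist), this sketch shows an RFC 6238 verifier that accepts a small drift window and reports how far a token's clock is off, so tokens can be flagged for resync before they lock a student out. The function names and the `needs_resync` threshold are assumptions; the seed is the public RFC 6238 test seed.

```python
import base64
import hashlib
import hmac
import struct

# Public RFC 6238 test seed (ASCII "12345678901234567890"), not a real token seed.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at the given Unix time."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", unix_time // step)  # number of elapsed steps
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed_b32, submitted, server_time, step=30, window=1):
    """Return the token's clock drift in steps (0 = in sync), or None if rejected."""
    # Try the current step first, then neighbours, nearest first.
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(seed_b32, server_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return drift
    return None


def needs_resync(drift, window=1):
    """Hypothetical policy: flag a token already at the edge of the window."""
    return drift is not None and window > 0 and abs(drift) >= window


if __name__ == "__main__":
    code = totp(RFC_SEED_B32, 59)           # token clock reads t=59
    drift = verify(RFC_SEED_B32, code, 89)  # server clock is 30 s ahead
    print(code, drift, needs_resync(drift))
```

A production verifier would also record the last accepted step per token so a code cannot be replayed inside the window.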

Marlon Yu

Dec 19, 2023, 12:34:50 AM
to techies-f...@googlegroups.com

Hi Andrew,

 

Yes, Authy needs a mobile number per account but this is only required during registration not for using the app. As for our staff, we haven’t encountered a smartphone that is not supported by Google Authenticator yet, but we did have staff who had a mobile phone, just not a smart one 😊  For those who didn’t like using personal devices for school purposes, we just explain to them that the registration is only for verifying that they actually own the account and would not be used beyond the initial account registration (so far no resistance there).

 

Marlon

Jake Wills

Dec 21, 2023, 4:00:48 PM
to Techies for schools
Thanks Peter.... my concern is we turn every student in every school into "the edge cases for folks who can't / won't use Microsoft Authenticator..." ... but the €20 price point is quite nice.
And while Authy works once set up... because the setup still requires a cell phone, not sure how that would work if they are "away for the day"... so will be interesting to see what the rules actually say once they come out.

Appreciate everyone's ideas around this.