Information Security in Education and Two-Factor Authentication

This is just a quick one for Monday morning. Last week, when I talked about Information Security, and Becta’s guidance, at the Learning Gateway Conference, there was quite a bit of interest in the two-factor authentication that would be required for all teacher access to sensitive data from outside the school (eg if they are accessing your MIS and Learning Platform from home).


It’s a subject that’s way beyond my technical abilities, so I went to see what information I could find (that was intelligible to me!) and found an article on our TechNet site about our use of Smart Cards.

The way it works for me (as a user) is that when I login via our VPN connection from home, I have to also put my Smart Card into my laptop. So it means that even if somebody had my username and password, and even my laptop, they couldn’t access our internal systems without also having my Smart Card (and of course, this works because I don’t keep my Smart Card in my laptop bag. Ever. Honest.)

The article is all about the use of Smart Cards by Microsoft IT (the people that keep our network running and secure). It includes information about the problem, solution design, the deployment and shares the lessons we learned along the way. So if you are in a school or Local Authority, and thinking about how you improve your Information Security, then it makes a relevant and fascinating read.

Read the full story online, or download it.

It is also based on the previous, rather than the next, versions of our products, which makes it much more likely to match your own current IT environment!

If you want to read more, there’s a whole section devoted to sharing our stories of how Microsoft IT implements security

Comments (3)

  1. neiladam says:

    The TechCrunch article on the recent Twitter internal security collapse shows that the biggest security problem is people. As the quote above says, "his works because I don’t keep my Smart Card in my laptop bag. Ever. Honest."

    2-factor authentication adds another layer for users to get wrong, to get hacked off with and then to ignore by writing stuff down or using obvious/shared info as much as possible so as to simplify their own lives.

    I have around 120 sites etc. with password access. I have to have a document with coded versions of key details to keep track of all that. Nevertheless, too many of the less important sites use same password. Imagine having 120 smart cards for each of those ;-(

    Beyond a certain level, if you try to make data *more secure*, it will become *less secure* because users will stop caring because the security is too much hard work – they will find ways to circumvent.

    TC link

  2. Jon Nowicki says:

    2 factor maybe overkill and lead to people not using Learning Platforms. If we look at MLG. A teacher logs on using a login and password, its a site that uses https the same as your bank. Where you go will be permissioned (hopefully). If you then need to access student information you could then have to login further to that information on a specific site. Again what you see as a teacher is what your allowed to see, no more or no less. If you have to input then you may need to add a further password.

    Again you can build in, logouts if not used for 5 minutes. All of this is similar to systems banks use.

    We have to make it secure but accessible especially for teachers.

  3. I stand by my answer at the Learning Gateway Conference where I said that you do *not* need two-factor authentication to get into Learning Platforms … but that is because I don’t count a single application (eg Sharepoint) to be the whole of the platform … otherwise do I need it to get into, digg, wikipedia, etc? These are all tools that we use for online learning …

    I think it is more the case the Jon has put forward, we need to specify what data needs protecting and then protect it, rather than just sticking a big fence around the whole lot.

Skip to main content