
Activate Passport Login for Students and Teachers (MFA)

Learn how to improve the security of your organization with MFA.

In this article

What are Passport Login and MFA?

Supported authentication factors

Requirements

Turn on Passport Login

Enable MFA for teachers

Enable MFA for students

Check MFA for an individual user

To improve security for non-admin users such as teachers and students, you can set up the Passport Login - School Passport MFA feature. 

What are Passport Login and MFA?

Multifactor authentication (MFA) is the most secure login method: it requires the user to verify their identity with two or more authentication factors before access is granted. For example, you can add an authentication factor such as face recognition to the login, making it hard for attackers to bypass.

Passport Login is a powerful tool that allows you to activate MFA for teachers and students. Using Passport Login ensures that access is granted only if the user successfully authenticates with the established authentication factors. This tool significantly reduces the risk of unauthorized access and protects against potential data breaches.


Supported authentication factors

The default authentication method for School Passport access is username and password. With Passport Login, you can add an extra layer of security with the following authentication factors:

Please note that you cannot choose any third-party Identity Provider (IdP) such as Google or Microsoft 365 as an authentication factor for School Passport MFA. 

Requirements

  • Primary District Admin permissions are required.
  • Set up any IdP, such as Google or Microsoft 365, as an additional login method to enable MFA.
  • Activate AD LDAP to use Active Directory LDAP as an authentication factor.

Turn on Passport Login

Passport Login enables you to easily manage MFA for both students and teachers, adding an extra layer of protection.

  1. Navigate to Connect > Administration > Login Methods > Passport Login.
  2. Turn on the Activate School Passport Login toggle.
  3. Configure MFA for teachers or students.
  4. Click Save.

Configure MFA for teachers

  1. Navigate to Connect > Administration > Login Methods > Passport Login.
  2. (Optional) Turn on the Activate School Passport Login toggle.
  3. In the Teacher Authentication section:
    • In the First Factor, select the primary method of authentication.
    • In the Second Factor, select the secondary method of authentication.
    • (Optional) In the Grace Period, set a time during which teachers can access their accounts without needing to complete the MFA. If empty, MFA will be required for each login.
  4. Click Save.

Configure MFA for students

MFA for students can be customized by grade. In addition to the primary MFA, you can define alternative methods for each grade separately. An alternative method applies to the chosen grade level and all lower grades, replacing the primary one. For example, if Active Directory and QR Codes are set as the primary methods and Face ID is the alternative MFA for grade 6, then students in grades 1-6 use Face ID, while grades 7-12 use Active Directory and QR Codes.

If alternative methods are added for several grades and a student's grade meets more than one of these conditions, the student uses the method set for the grade closest to their own. For example, if alternative methods are set for grades 7 and 8, then students in grade 5 use the alternative method set for grade 7, as it is the closest to their grade.

Note: You cannot use alternative methods without any primary method set up.
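The grade rules above can be checked before saving a configuration. The following is an added example, not School Passport code: the function names and the dictionary representation of alternative methods are assumptions, and the factors chosen for grades 7 and 8 are constructed sample values.

```python
from bisect import bisect_left


def effective_factors(grade, primary, alternatives):
    """Return the factors a student in `grade` must use.

    primary      -- tuple of factor names (First Factor, Second Factor)
    alternatives -- {grade_level: tuple of factor names}, one entry per
                    alternative method (hypothetical representation)
    """
    if alternatives and not primary:
        # Per the note on this page: alternatives require a primary method.
        raise ValueError("alternative methods need a primary method")
    levels = sorted(alternatives)
    # An alternative covers its own grade and every lower grade, so the
    # applicable one is the lowest configured level >= the student's grade.
    i = bisect_left(levels, grade)
    if i < len(levels):
        return alternatives[levels[i]]
    # Grades above every alternative level fall back to the primary methods.
    return primary


def coverage(primary, alternatives, grades=range(1, 13)):
    """Map each grade to its effective factors, for reviewing a configuration."""
    return {g: effective_factors(g, primary, alternatives) for g in grades}


# Constructed sample configurations mirroring the two examples in the text.
PRIMARY = ("Active Directory", "QR Codes")
ALT_GRADE_6 = {6: ("Face ID",)}
ALT_GRADES_7_8 = {7: ("QR Codes",), 8: ("Face ID",)}  # factor choices assumed

if __name__ == "__main__":
    for g, factors in coverage(PRIMARY, ALT_GRADE_6).items():
        print(f"grade {g:2}: {' + '.join(factors)}")
```

Reviewing the per-grade output makes it easy to confirm that an alternative method set for a high grade level does not unintentionally replace the primary methods for every grade below it.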

  1. Navigate to Connect > Administration > Login Methods > Passport Login.
  2. (Optional) Turn on the Activate School Passport Login toggle.
  3. In the Student Authentication section:
    • In the First Factor, select the primary method of authentication.
    • In the Second Factor, select the secondary method of authentication.
    • (Optional) In the Grace Period, set a time during which students can access their accounts without needing to complete the MFA. If empty, MFA will be required for each login.
  4. (Optional) Click Add Alternative Method and add an alternative factor to simplify authentication for younger students.
  5. Click Save.

Check MFA for an individual user

To review which MFA methods are enabled for an individual user, navigate to Data Browsing, locate the teacher or student record, and then go to the Access Management tab. Here, you can view all activated MFA methods and reset Face ID if needed.
