The MFA Reality Check - Why Only 30% of Schools Have It Properly Enabled
This is part 3 of our week-long series based on The Small Business Cybersecurity Guy podcast. [Listen to the full episode here] - This episode is sponsored by Authentrend, whose FIDO2-certified security keys provide the hardware token solutions discussed in this article.
The Uncomfortable Truth About School Security
We discussed in Part 1 of our Kido coverage that only 30% of schools have Multi-Factor Authentication (MFA) enabled. But the reality is even more complex and troubling than that statistic suggests.
Often, what schools call an "MFA implementation" is in fact partial MFA, which does not provide the protection they believe it does.
The Partial MFA Problem
Here's what typically happens: Schools have enabled MFA for specific roles, such as the head teacher and SENCOs, but not for all staff members. Teaching assistants and admin staff often don't have it. Sometimes even IT technicians don't have proper MFA enabled.
As one expert noted: "Because often what I see is partial MFA implementation. Schools have enabled it for specific roles, such as the head teacher and SENCOs, but not for all staff members. Teaching assistants, admin staff, and sometimes even the IT technician don't have it."
From a security perspective, basic security hygiene means everyone with access needs MFA. If it's not set for everyone with system access, you're not protected.
The Phone Conflict: Security vs. Safeguarding
There's a genuine conflict here. Security mandates the use of MFA, with phones being the easiest way to implement it. The safeguarding policy states that no phones are allowed in the vicinity of children.
How do you navigate that contradiction?
As one school safeguarding expert explained: "So there's a conflict. Security mandates the use of MFA, with phones being the easiest way to implement it. The safeguarding policy states that no phones are allowed in the vicinity of children. Tammy, how do you navigate that?"
The answer involves hardware tokens and authenticator apps on shared devices. But these solutions present practical barriers that slow implementation.
Why Schools Struggle with MFA
The Practical Barriers:
Phone policies - Many schools ban staff phones in classrooms for safeguarding reasons. Authenticator apps require phones.
Cost considerations - Hardware tokens and authenticator apps on shared devices are available options, but the phone conflict is a real practical barrier.
Lack of understanding - Most schools don't realize that it has to be MFA for everyone or MFA for nobody, with no half measures.
Platform limitations - Not all platforms used by schools properly support MFA on all devices.
Supplier responsibility - If it's the platform that doesn't support MFA, blame the supplier. In one case MFA wasn't available when the trust first migrated to the platform, so by the time the supplier made it available, they had already set it up across all their schools and whitelisted the IP addresses instead.
The Email and Ring-Fencing Problem
The MFA and ring-fencing capabilities we're discussing are currently primarily available for email systems. For schools, email is critical, but it is not everything.
Email is where most phishing happens, so securing it matters, but it doesn't solve everything.
However, there's a broader question: What about the platforms themselves? Is MFA available on all the devices schools use?
The answer: Good question. The MFA and ring-fencing capabilities we're discussing are currently primarily available for email systems, and I know that Arbour has it. So it's not solving everything, but email is critical.
The Takeaway: MFA for Everyone or MFA for Nobody
If your current setup doesn't allow MFA for everyone, you need to change your setup, because partial protection is no protection.
The principle is simple: If someone can authenticate without being challenged for their identity beyond a password, that's a vulnerability. It doesn't matter if they're the head teacher or a part-time administrator.
As security experts emphasize: "Right. And if your current setup doesn't allow that, you need to change your setup. Because partial protection is no protection."
Solutions That Actually Work
Hardware Tokens:
Hardware tokens and authenticator apps on shared devices are available options, but the phone conflict is a real practical barrier that slows implementation. That's a genuine problem, and schools need to work out solutions, and they need to think about it now rather than later.
For schools facing the phone policy conflict, FIDO2-certified hardware security keys (like those from Authentrend and other providers) offer a practical solution. These small USB or NFC devices provide MFA without requiring phones, fitting naturally with safeguarding policies that prohibit phones around children. Staff can keep them on lanyards or key rings, tap or insert them when logging in, and maintain both security and compliance.
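As an added example (not code from the podcast, the article or Authentrend), a small Python audit over a constructed account export that surfaces the partial-MFA gap described above and the accounts whose MFA depends on a personal phone in a classroom-facing role; the role names, method labels and CSV columns are assumptions.

```python
# Added example, not from the article: audit a constructed account export for
# partial MFA and for MFA methods that depend on a personal phone.
import csv
import io

# Roles assumed to work in the vicinity of children, where the safeguarding
# policy bars staff phones. Role names are hypothetical labels.
CLASSROOM_ROLES = {"head_teacher", "senco", "teacher", "teaching_assistant"}
# Methods assumed to need a personal phone (a FIDO2 key or a shared-device
# app would not appear here).
PHONE_METHODS = {"phone_app", "sms"}

# Constructed sample export: one row per account, "none" = no MFA enrolled.
SAMPLE_EXPORT = """\
user,role,mfa_method
head@school.example,head_teacher,phone_app
senco@school.example,senco,fido2_key
ta1@school.example,teaching_assistant,none
office@school.example,admin,none
ittech@school.example,it_technician,none
"""

def audit_mfa(export_text):
    """Return coverage figures plus the accounts that need action."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    no_mfa = [r["user"] for r in rows if r["mfa_method"] == "none"]
    # Phone-based MFA on a classroom-facing role conflicts with the phone policy.
    phone_conflict = [r["user"] for r in rows
                      if r["role"] in CLASSROOM_ROLES and r["mfa_method"] in PHONE_METHODS]
    covered = len(rows) - len(no_mfa)
    return {
        "total": len(rows),
        "coverage_pct": round(100 * covered / len(rows), 1) if rows else 0.0,
        # "MFA for everyone or MFA for nobody": any gap means not protected.
        "everyone_covered": not no_mfa,
        "no_mfa": no_mfa,
        "phone_conflict": phone_conflict,
        "roles_without_mfa": sorted({r["role"] for r in rows if r["mfa_method"] == "none"}),
    }

if __name__ == "__main__":
    report = audit_mfa(SAMPLE_EXPORT)
    print(f"MFA coverage: {report['coverage_pct']}% of {report['total']} accounts")
    for user in report["no_mfa"]:
        print(f"  NO MFA: {user}")
    for user in report["phone_conflict"]:
        print(f"  PHONE-POLICY CONFLICT: {user} (move to a FIDO2 key or shared-device app)")
```

Run against a real directory export, the same report shows at a glance which roles are the "partial" part of a partial MFA rollout.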
In-Person Data Protection Training:
There is light at the end of the tunnel if it's in the guidance, even if that light is in-person data protection training for headteachers and trust leads. Yesterday, I asked the question about whether MFA was available when they first migrated to it. They said that because it wasn't available when they first migrated to it, by the time the supplier made it available they had set it up across all their schools and whitelisted the IP addresses.
Conversations with CEOs:
That conversation was with the CEO. These conversations must happen at that level, and they are effective when they do occur. How did this happen so quickly?
What Schools Should Ask Their IT Providers
"We pay an IT company; they must be dealing with the DfE Digital Standards on our behalf?"
Oh, constantly. They say "We pay an IT company, they must be dealing with IT security." But that's not how it works.
"What do the standards actually say?"
The standards are very clear. It's up to the organization, the school, to ask the questions. "Are we meeting this standard? How do we meet this standard?" Your IT provider should help you meet the standards. However, the responsibility for verification remains with the school leadership.
"Who in the school should be doing that verification?"
Ideally, the governing body should have a digital lead. The head teacher and senior leadership need to be asking the questions. The school business manager often ends up coordinating it. But ultimately, it's a whole-school responsibility.
"So even if you're paying thousands of pounds a year for IT support, you still need to verify compliance yourselves?"
Yes. Even if you're paying thousands of pounds a year for IT support, you still need to verify compliance yourselves.
The Governance Gap
Who in the school should be doing that verification? Sorry for laughing earlier, but speaking from my day job on the SMT of a Managed Service Provider, I can assure you that NO MSP will take responsibility for a customer's IT security; we make recommendations and then implement them when they are approved. We might even monitor them as well; however, we will NEVER take responsibility for them beyond that work. It would be an insane commercial liability.
As one MSP representative explained: "Sorry for laughing earlier, but speaking from my day job on the SMT of a Managed Service Provider, I can assure you that NO MSP will take responsibility for a customer's IT security; we make recommendations and then implement them when they are approved."
Discuss Alternatives with Your IT Provider
Schools that are struggling with phone-based authentication should discuss alternatives with their IT provider: hardware tokens, authenticator apps on shared devices. There are solutions, but you need to actively ask for them. Don't let the phone rule be an excuse for not having MFA enabled. If it's not set for everyone with system access, you're not protected.
Ask your school or nursery direct questions:
Do you have MFA enabled for everyone?
How will the staff get cybersecurity training?
Do you have any custom software? If so, where is the code stored?
Where is your incident response plan, and when was it last tested?
The Alternative is Unacceptable
They might not like those questions, but they need to hear them. Because the alternative is being the next Kido, and nobody wants that. And now that cyber is officially part of safeguarding, parents have every right to ask these questions.
Key Takeaways
Only 30% of schools have MFA properly enabled, and many have only partial implementation
MFA for everyone or MFA for nobody - partial protection doesn't work
The phone safeguarding policy creates genuine conflicts with security requirements
Hardware tokens and authenticator apps on shared devices are viable alternatives
IT providers make recommendations but schools must verify compliance themselves
Parents now have every right to ask these questions as part of safeguarding
| Source | Title | Date |
|---|---|---|
| National Cyber Security Centre | Multi-factor authentication for online services | October 2025 |
| UK Department for Education | Keeping Children Safe in Education 2025 - Cybersecurity Standards | October 2025 |
| FIDO Alliance | FIDO2 Authentication Standards | October 2025 |
| Authentrend | Authentrend Security Key Solutions | October 2025 |
| Podcast discussion | School Safeguarding Phone Policies | October 2025 |
| Podcast discussion | UK School MFA Implementation Statistics | October 2025 |