Account Security in K-12

TL;DR: Strong identity is the foundation of K-12 security. Use a password manager (we use Bitwarden), enforce phishing-resistant MFA wherever you can, prefer SSO with strong Conditional Access, stop forced password resets unless there’s evidence of compromise, and plan for recovery before you need it. (Break-glass accounts, recovery codes, backup security keys.)

Why this matters (our K-12 threat model)

  • Phishing against staff and students (credential theft → inbox rules → invoice/payment fraud, grade tampering, data exfiltration).

  • Password reuse across personal apps and school systems.

  • Session hijacking and push-bombing attacks against weak 2FA.

  • Lost/stolen devices (teacher laptops, student iPads).

  • Account lifecycle drift (alumni, substitutes, contractors).

Principles we follow

  1. Consolidate identity (SSO) and raise the bar for authentication (MFA).

  2. Make good security the easiest option (password manager, passkeys).

  3. Minimize blast radius (least privilege, per-app rules, short sessions).

  4. Prepare to recover (backup factors, break-glass, logging).

Passwords & the “no more forced resets” question

Modern guidance: long, unique passwords (or passphrases), screened against breached lists; stop forcing periodic changes unless there’s evidence of compromise. NIST explicitly permits long passphrases and advises against arbitrary periodic resets; instead, change when there’s a reason (compromise, role change, elevated risk). (NIST SP 800-63B; CoNetrix)

What we enforce

  • Minimum length 12–16 for staff, higher for admins; allow spaces to support passphrases. (NIST SP 800-63B)

  • Breach screening (block known-compromised passwords). (NIST SP 800-63B)

  • No composition gimmicks (no mandatory symbol/number games). (NIST SP 800-63B)

  • Rotation only with cause (compromise, job change, vendor breach). (CoNetrix)
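As an added example (not code from the original post), here is the password policy above expressed as a checker: length by role (12 for staff, 16 assumed for admins), spaces allowed, no composition rules, a season+year pattern rejected, and breach screening done the way a k-anonymity range lookup works (only the 5-char SHA-1 prefix is sent to the lookup). The breach corpus is a constructed stand-in for a real HIBP or Bitwarden breach-report query.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus: SHA-1 hashes of a few known-bad
# passwords. In production this set lives behind a range API (e.g. HIBP).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2025!", "Fall2025!", "password123", "Welcome1!")
}

# Assumed policy values: page says 12-16 for staff and "higher" for admins.
MIN_LENGTH = {"staff": 12, "admin": 16}

SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{4}\W?$", re.I)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_lookup(prefix: str) -> set:
    """Range query shaped like the HIBP k-anonymity API: the caller sends
    only the first five hex chars and gets back matching hash suffixes, so
    the full hash never leaves the caller."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = sha1_upper(password)
    return digest[5:] in breach_lookup(digest[:5])


def check_password(password: str, role: str = "staff") -> list:
    """Return a list of policy problems; an empty list means accepted.
    Deliberately no symbol/number composition rule, per NIST SP 800-63B."""
    problems = []
    min_len = MIN_LENGTH.get(role, MIN_LENGTH["staff"])
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters for role {role}")
    if is_breached(password):
        problems.append("appears in breach corpus")
    if SEASON_YEAR.match(password):
        problems.append("season+year pattern")
    return problems
```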

Password manager (Bitwarden) roll-out strategy

Why: unique passwords per site without cognitive pain; shared Collections for teams; fast revocation when staff leave.

Bitwarden org policies to consider

  • Require 2-step login for all org members (enforce at the org level).

  • SSO for vault login (SAML/OIDC with Google or Entra ID) so offboarding is one click.

  • SCIM provisioning for automatic join/leave.

  • Disable “weak” export surfaces for org vault if not needed.

  • User type hygiene: limit who can create org Collections.
    Docs: Bitwarden Policies & Enterprise features. (Bitwarden)

TOTP in the same vault?

  • For low/medium-risk accounts, storing TOTP alongside the password is pragmatic for staff training.

  • For admin and high-risk systems, prefer a separate authenticator app or hardware key (defense in depth).

MFA/2FA: climb the strength ladder

From weakest → strongest (practical view):

  1. SMS codes – works everywhere but vulnerable to SIM-swap and phishing.

  2. TOTP apps (Google Authenticator, Raivo, Bitwarden Authenticator) – better, but still phishable via real-time proxy pages.

  3. Push apps with number matching – reduces push-bombing risk.

  4. Security keys (FIDO2/WebAuthn) – phishing-resistant; USB-A/C + NFC models work on most devices.

  5. Passkeys (platform or synced) – easiest UX; phishing-resistant by design and built into major OS/browsers. (CISA)

What we standardize on

  • Staff/students: TOTP app baseline (Google Authenticator, Raivo); publish a recovery-code process.

  • Admins & finance/HR: require security keys (+ a spare) and/or passkeys on managed devices. (CISA)

Authenticator app tips

  • Pick an app that supports encrypted backup/sync or export (QR/JSON), and train users to store backup codes safely.

  • For iOS, Raivo is lightweight; for cross-platform, Google Authenticator is familiar.

  • Don’t share one device across staff; personal device enrollment only (with policy).

Passkeys: when to use them

Passkeys use FIDO2/WebAuthn under the hood, binding login to the device and site—so phishing pages can’t replay them. They’re supported across major platforms and are ideal for staff who live in the Google/Microsoft ecosystem on managed devices. (CISA)

  • Google Workspace: you can enforce passkeys/security keys and even allow “skip password” sign-in with a passkey. (Google Help)

  • Microsoft Entra ID: use authentication strengths & Conditional Access for FIDO2 keys/passkeys on sensitive apps. (Microsoft Learn)

SSO: pros, cons, and how to do it safely

Pros

  • One identity to harden (MFA, Conditional Access, device trust).

  • Faster offboarding (disable at IdP, revoke everywhere).

  • Centralized logging & risk scoring.

Cons / risks

  • Blast radius: compromise of the IdP can open many doors.

  • Outages: if the IdP is down or an SSO integration is misconfigured, every downstream app is impacted at once.

  • Licensing/complexity: advanced CA features may require higher tiers.

Mitigations

  • Multiple step-up MFA policies for sensitive apps (finance/HR/admin consoles).

  • Per-app session limits and re-auth on risky actions.

  • Break-glass accounts (2), excluded from CA but heavily monitored; 30+ char secrets stored offline.

  • Block legacy auth (IMAP/POP/old protocols).

  • Security defaults or Conditional Access baseline policies. (Microsoft Learn)

What to enforce (checklists you can copy)

Google Workspace (Admin Console)

  1. Enforce 2-Step Verification (2SV) for staff & above; set grace/exceptions only for students. (Google Help)

  2. Allow passkeys/security keys; consider “skip password” for staff on managed devices. (Google Help)

  3. Disable less secure apps/legacy protocols; restrict IMAP/POP to exceptions.

  4. Restrict OAuth app access; allowlist key vendors.

  5. Shorten tokens for high-risk apps; require re-auth on sensitive scopes.

  6. Export logs to SIEM (Audit & Admin logs).

Microsoft Entra ID (Azure AD)

  1. If you’re small, start with Security Defaults (requires MFA, blocks legacy). (Microsoft Learn)

  2. Graduate to Conditional Access:

    • All users → MFA (Auth strength: phishing-resistant for admins). (Microsoft Learn)

    • Block legacy auth globally.

    • Require compliant or hybrid-joined devices for staff apps.

    • High-risk sign-ins → block or require password reset.

    • Use Microsoft-managed CA templates as a starting point. (Microsoft Learn)

  3. Short session lifetimes for admin portals; step-up for financial/HR.

Account lifecycle & recovery planning

Onboarding

  • Enforce 2FA on day one (set a grace period only if necessary). (Google Help)

  • Issue 2 security keys to admins (primary + backup); register both.

  • Hand out recovery codes; store securely (Bitwarden Secure Note).

Offboarding

  • Disable at IdP (revokes SSO), revoke Bitwarden org access via SCIM, rotate any shared secrets the user accessed.

Break-glass & incidents

  • Maintain two emergency accounts in each IdP; store creds offline, monitor any use.

  • After suspected compromise: invalidate sessions, rotate the compromised secret(s), and force MFA re-registration as needed.

How often should we change passwords?

  • Staff/student accounts: If passwords are unique, long, and protected by MFA, do not force periodic changes. Change on evidence of compromise or role change. (CoNetrix)

  • Privileged/admin accounts: Same rule—no arbitrary cadence. But rotate shared secrets (service accounts, API keys), and require phishing-resistant MFA.

  • Legacy systems with policy constraints: If a vendor mandates rotation, keep it, but pair with passphrases and a password manager, not “Summer2025! → Fall2025!”.

Training staff (fast wins)

  • “3 things we’ll never ask by email” poster: your password, MFA codes, direct-deposit info.

  • “Verify before you click”: verify payments, gift card requests, HR changes via a second channel.

  • One password manager to rule them all: demonstrate creating a 20+ char password in 3 seconds.

  • Push fatigue: teach staff to deny unexpected prompts.

  • How to recover: every teacher gets recovery codes + the process for lost phones/keys.

Rollout plan you can steal

Week 1–2:

  • Turn on Security Defaults (Entra) or enforce 2SV (Workspace). (Microsoft Learn)

  • Issue Bitwarden org invites; require 2FA. (Bitwarden)

  • Publish the 1-page “MFA & Recovery” guide.

Week 3–4:

  • Target admins/finance/HR for FIDO2 keys/passkeys and step-up MFA on sensitive apps. (Microsoft Learn)

  • Block legacy protocols; audit OAuth apps.

  • Create two break-glass accounts; test the process.

Quarterly:

  • Review failed sign-ins, risky sign-ins, OAuth sprawl, and password breach matches (Bitwarden/Have I Been Pwned integrations or equivalent).

  • Table-top exercise: lost admin phone, compromised account, IdP outage.
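The quarterly sign-in review, and the “monitor any use” rule for break-glass accounts, can be scripted. This is an added example, not the post’s own tooling: it runs three checks over constructed sign-in records whose field names loosely follow Entra ID sign-in logs (clientAppUsed values such as IMAP4 are real; the account names, timestamps and the 3-prompts-in-10-minutes push-fatigue threshold are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; "mfa" summarises the MFA result for the sign-in.
SIGNINS = [
    {"upn": "teacher1@school.example", "client": "Browser", "ts": "2025-09-03T08:01:00", "mfa": "success"},
    {"upn": "teacher1@school.example", "client": "IMAP4",   "ts": "2025-09-03T08:05:00", "mfa": "n/a"},
    {"upn": "finance1@school.example", "client": "Browser", "ts": "2025-09-03T22:10:00", "mfa": "denied"},
    {"upn": "finance1@school.example", "client": "Browser", "ts": "2025-09-03T22:11:00", "mfa": "denied"},
    {"upn": "finance1@school.example", "client": "Browser", "ts": "2025-09-03T22:13:00", "mfa": "timeout"},
    {"upn": "finance1@school.example", "client": "Browser", "ts": "2025-09-03T22:14:00", "mfa": "success"},
    {"upn": "breakglass1@school.example", "client": "Browser", "ts": "2025-09-04T01:00:00", "mfa": "n/a"},
]

# Legacy protocols that Conditional Access / Security Defaults should block.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}
# Hypothetical break-glass account names; any sign-in by these is an alert.
BREAK_GLASS = {"breakglass1@school.example", "breakglass2@school.example"}
PUSH_WINDOW = timedelta(minutes=10)   # assumed detection window
PUSH_THRESHOLD = 3                    # assumed: 3+ denied/timed-out prompts


def review_signins(records):
    """Return (finding, upn, detail) tuples in chronological order."""
    findings = []
    prompts = defaultdict(list)   # upn -> timestamps of recent failed prompts
    for r in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        if r["upn"] in BREAK_GLASS:
            findings.append(("break_glass_use", r["upn"], r["ts"]))
        if r["client"] in LEGACY_CLIENTS:
            findings.append(("legacy_auth", r["upn"], r["client"]))
        q = prompts[r["upn"]]
        while q and ts - q[0] > PUSH_WINDOW:   # slide the window
            q.pop(0)
        if r["mfa"] in ("denied", "timeout"):
            q.append(ts)
            if len(q) == PUSH_THRESHOLD:       # alert once when threshold is crossed
                findings.append(("possible_push_bombing", r["upn"], r["ts"]))
        elif r["mfa"] == "success" and len(q) >= PUSH_THRESHOLD:
            # A success right after a burst of denials is the push-fatigue outcome.
            findings.append(("mfa_success_after_denials", r["upn"], r["ts"]))
    return findings
```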

Recommended gear (optional affiliate-friendly)

  • Security keys: YubiKey 5C NFC or equivalent (USB-C + NFC).

  • USB-C/NFC readers for desktops without NFC.

  • Label kit for tagging keys and recovery cards.

References / further reading

  • NIST SP 800-63B (password length/character guidance). (NIST)

  • NIST on rotation: change with evidence of compromise; avoid periodic forced resets. (CoNetrix)

  • Phishing-resistant MFA & FIDO2/WebAuthn (CISA). (CISA)

  • Google Workspace 2-Step Verification & passkeys. (Google Help)

  • Microsoft Entra: Security Defaults & Conditional Access (auth strengths). (Microsoft Learn)

  • Bitwarden enterprise policies & SSO. (Bitwarden)
