Skip to main content

MFA Best Practices

Multi-Factor Authentication significantly improves security for Manage1to1 administrator accounts. This guide provides recommendations for system administrators rolling out MFA and best practices for ongoing management.

For System Administrators

Planning Your MFA Rollout

A successful MFA deployment requires planning, communication, and support. Follow this phased approach for smooth adoption.

Phase 1: Preparation (Week 1-2)

Enable MFA as Optional

  1. Navigate to System SettingsGeneral tab
  2. Enable Admin Multi-Factor Authentication
  3. Leave Require MFA for All Admins disabled (for now)
  4. Save changes

Communicate with Administrators

  • Send email announcement explaining MFA and why it's being implemented
  • Include link to MFA Setup Guide
  • Set expectations for timeline ("optional now, required in 30 days")
  • Highlight benefits: protects district data, prevents account compromise

Prepare Support Resources

  • Designate IT staff to help with MFA questions
  • Test MFA enrollment yourself first
  • Create internal FAQ based on your district's specific setup
  • Ensure super administrators know how to reset MFA for locked-out users

Phase 2: Voluntary Enrollment (Week 3-6)

Encourage Adoption

  • Email reminders every week highlighting enrollment progress
  • Recognize early adopters in staff meetings
  • Offer hands-on enrollment help sessions (in-person or virtual)
  • Track enrollment rate via administrator list

Provide Support

  • Monitor for common questions/issues
  • Update internal documentation based on real feedback
  • Help administrators troubleshoot authenticator app problems
  • Remind staff to save backup codes

Target: 70-80% voluntary enrollment before moving to enforcement

Phase 3: Enforcement (Week 7+)

Final Warning

  • Email notification 1 week before enforcement: "MFA becomes mandatory on [date]"
  • Remind unenrolled administrators to set up MFA now
  • Offer final support sessions

Enable Enforcement

  1. Navigate to System SettingsGeneral tab
  2. Enable Require MFA for All Admins
  3. Save changes

What Happens:

  • Unenrolled administrators are prompted to set up MFA immediately after login
  • Administrators cannot bypass or postpone enrollment
  • "Disable MFA" option disappears from administrator profiles

Post-Enforcement Support

  • Monitor for help requests in first few days
  • Be available for emergency MFA resets (lost phones, etc.)
  • Collect feedback for process improvements

MFA Management Best Practices

For System Administrators

Monitor MFA Adoption

Track Enrollment Status

  • Regular review of which administrators have MFA enabled
  • Follow up with unenrolled admins if MFA is not yet enforced
  • Verify new administrators enroll shortly after account creation

Use Activity Log

  • Monitor for unusual MFA events (multiple failed attempts, frequent resets)
  • Watch for patterns that might indicate compromised credentials
  • Track when administrators use backup codes (may indicate lost phones)

Handle MFA Resets Carefully

When an Administrator Needs MFA Reset:

  1. Verify Identity First

    • Confirm you're speaking with the actual administrator
    • Don't reset based solely on email request
    • Use phone call, in-person verification, or other secondary confirmation

  2. Understand Why Reset is Needed

    • Lost/broken phone (legitimate)
    • Frequent lockouts (may need training)
    • "Too inconvenient" (educational opportunity)

  3. Perform Reset

    • Currently: Requires manual database intervention (future versions may include admin panel)
    • Immediately notify administrator that reset is complete
    • Require re-enrollment within 24 hours

  4. Document the Reset

    • Note why reset was requested
    • Track frequency per administrator
    • Multiple resets may indicate user needs additional support
Emergency Access

Never share super administrator credentials with non-super admins "just in case" they get locked out. Maintain proper MFA reset procedures instead.

Plan for Extended Leave

When administrators go on extended leave (sabbatical, FMLA, etc.):

Option 1: Temporary MFA Disable (Not Recommended)

  • Disable MFA for their account while away
  • Re-enable when they return
  • Risk: Account vulnerable during leave period

Option 2: Maintain MFA (Recommended)

  • Administrator keeps MFA active
  • Saves backup codes before leaving
  • Can access if emergency requires it
  • Account stays secure

Option 3: Account Deactivation (Best for Long Leaves)

  • Temporarily deactivate administrator account
  • Transfer critical responsibilities to others
  • Reactivate upon return, MFA remains intact

For Individual Administrators

Protect Your Backup Codes

Storage Recommendations (Priority Order)

  1. Password Manager (Best)

    • Encrypted, accessible anywhere
    • Synced across devices
    • Examples: 1Password, Bitwarden, Dashlane

  2. Encrypted Cloud Storage

    • Store in locked/encrypted document
    • Google Drive, OneDrive, Dropbox (in private folder)
    • Enable 2FA on your cloud storage too!

  3. Physical Secure Storage

    • Written on paper, stored in locked drawer/safe
    • Home safe, locked filing cabinet, safety deposit box
    • Keep away from your desk

Never Store Backup Codes:

  • ❌ In plain text file on desktop
  • ❌ In unencrypted email to yourself
  • ❌ On sticky note at your desk
  • ❌ Only on your phone (what if you lose it?)
  • ❌ Shared with coworkers or family

Use Strong Device Security

Your authenticator app is only as secure as your phone:

Phone Security Checklist:

  • ✅ Enable device lock (PIN, password, biometric)
  • ✅ Keep phone OS updated
  • ✅ Don't jailbreak/root your phone
  • ✅ Enable auto-lock after short idle period
  • ✅ Enable "Find My Phone" features
  • ✅ Use strong unlock method (avoid simple PINs like 1234)

If Phone is Lost or Stolen:

  1. Use remote wipe if possible
  2. Use backup code to access Manage1to1
  3. Immediately disable MFA and re-enroll with new device
  4. Inform your IT department

Choose a Reliable Authenticator App

Recommended Apps:

Google Authenticator

  • ✅ Simple, reliable
  • ✅ Works offline
  • ✅ Cloud backup (optional, on Android)
  • ❌ Limited transfer options (iOS)

Microsoft Authenticator

  • ✅ Cloud backup for easy transfers
  • ✅ Biometric unlock
  • ✅ Works offline
  • ✅ Good for Microsoft-heavy environments

Authy

  • ✅ Multi-device sync
  • ✅ Cloud backup with encryption
  • ✅ Desktop apps available
  • ✅ Best for users with multiple devices

1Password / Bitwarden

  • ✅ Integrated with password manager
  • ✅ Everything in one secure app
  • ❌ Requires paid subscription (1Password)

What to Avoid:

  • ❌ Unknown/untrusted apps
  • ❌ Apps with excessive permissions
  • ❌ Apps that haven't been updated in years

Maintain Backup Code Hygiene

Regular Maintenance:

  1. Regenerate Codes Annually

    • Refresh codes once per year
    • Mark calendar reminder
    • Ensures codes haven't been compromised

  2. After Using a Code

    • Cross it off your list immediately
    • When down to 3-5 codes, regenerate full set
    • Don't wait until you're out of codes

  3. After Phone Transfer

    • Consider regenerating for fresh start
    • Ensures old phone's codes are invalidated

  4. After Security Event

    • If you suspect code compromise, regenerate
    • If phone was briefly accessed by others, regenerate
    • Better safe than sorry

Security Considerations

What MFA Protects Against

Prevents:

  • ✅ Password guessing attacks
  • ✅ Phishing (attacker has password but not your phone)
  • ✅ Credential stuffing (leaked passwords from other sites)
  • ✅ Keyloggers (they capture password but not TOTP code)
  • ✅ Unauthorized access from compromised password

Does Not Prevent:

  • ❌ Session hijacking (if already logged in)
  • ❌ Malware on your computer
  • ❌ Social engineering attacks
  • ❌ Physical access to unlocked device

MFA is one layer. Combine with strong passwords, updated software, and security awareness.

Understanding TOTP Security

How TOTP Works:

  • Uses shared secret between server and your app
  • Combines secret with current time
  • Generates unique 6-digit code every 30 seconds
  • No internet required (works offline)

Why It's Secure:

  • Secret never transmitted during login
  • Codes expire quickly (30 seconds)
  • Can't be reused (time-based)
  • Brute force is impractical (codes change faster than guessing)

Security Window:

  • Manage1to1 accepts current code + 1 period before/after (90 seconds total)
  • Accounts for minor clock drift between phone and server
  • Prevents frustration from exact timing requirements

Compliance Benefits

MFA helps meet various compliance requirements:

FERPA (Family Educational Rights and Privacy Act)

  • Protects student data from unauthorized access
  • Demonstrates "reasonable security measures"

State Data Privacy Laws

  • Many states require MFA for systems containing PII
  • Reduces liability in case of breach

Insurance Requirements

  • Cyber insurance policies increasingly require MFA
  • May affect coverage if breach occurs without MFA

District Security Policies

  • Aligns with modern security best practices
  • Shows due diligence in protecting sensitive data

Troubleshooting Common Issues

Administrators Resist MFA

Common Objections:

"It's too inconvenient"

  • Reality: Adds 5 seconds to login
  • Response: Emphasize security benefit outweighs minor inconvenience
  • Compromise: Offer to help with initial setup

"I'll lose my phone"

  • Reality: Backup codes exist for this exact reason
  • Response: Explain backup code system
  • Action: Help them store codes securely

"I don't have a smartphone"

  • Reality: Most administrators have smartphones today
  • Workaround: Can use tablet with authenticator app
  • Last resort: Contact Manage1to1 about hardware token options

"I log in too many times per day"

  • Reality: Sessions last hours before requiring re-auth
  • Response: Explain session duration
  • Note: Desktop authenticator apps available (Authy)

High Volume of MFA Resets

If many administrators need frequent resets:

Possible Causes:

  • Poor backup code storage habits
  • Lack of training on phone transfers
  • Not understanding how to use backup codes

Solutions:

  • Additional training sessions
  • Simplified backup code guide specific to your district
  • One-on-one help for struggling users
  • Review enrollment instructions for clarity gaps

MFA Lockouts During Off-Hours

Scenario: Administrator needs access urgently but is locked out

Prevention:

  • Require all administrators to store backup codes securely
  • Provide clear "lost phone" instructions in advance
  • Ensure multiple super administrators available

Response Plan:

  1. Administrator uses backup code for immediate access
  2. Administrator disables MFA and re-enrolls with new device
  3. If no backup codes: Wait for super admin availability (next business day)
  4. For true emergencies: Establish out-of-hours super admin contact

Advanced Topics

Role-Based MFA Requirements

While current implementation is all-or-nothing enforcement, consider these approaches:

High-Risk Roles (Require MFA):

  • Super Administrators
  • Billing/Finance administrators
  • Administrators with student data access
  • IT staff with configuration permissions

Lower-Risk Roles (Optional MFA):

  • Read-only reporting accounts
  • Limited help desk staff
  • Building-level administrators with restricted permissions

Future Enhancement: This functionality isn't built yet, but you can achieve similar effect by:

  • Communicating role-based expectations
  • Monitoring enrollment by role
  • Selectively following up with high-risk roles first

IP-Based Access Policies

Combine MFA with IP restrictions for maximum security:

  1. Require MFA for all logins
  2. Restrict administrative access to district IP ranges
  3. Allow off-site access only with MFA + VPN

This "defense in depth" approach layers multiple security controls.

Session Management

Current Behavior:

  • Sessions persist for several hours after login
  • MFA verification required only at initial login
  • Session automatically expires after inactivity

Best Practices:

  • Log out when leaving workstation unattended
  • Lock computer if stepping away briefly
  • Don't save passwords in browser autofill
  • Close browser after working with sensitive data

Measuring Success

Track these metrics to evaluate MFA effectiveness:

Adoption Metrics:

  • Percentage of administrators enrolled in MFA
  • Time from account creation to MFA enrollment (for new admins)
  • Voluntary vs. enforced enrollment split

Support Metrics:

  • Number of MFA-related help requests
  • Common problems identified
  • Time to resolve MFA issues

Security Metrics:

  • Failed MFA login attempts
  • Backup code usage frequency
  • MFA resets requested
  • Accounts flagged for unusual MFA activity

Success Indicators:

  • High enrollment rate (>95%)
  • Low support request volume after initial rollout
  • Few MFA resets needed
  • Positive administrator feedback

Resources and References

Official Documentation:

Authenticator Apps:

Further Reading:

Conclusion

Multi-Factor Authentication is one of the most effective security controls available. While it requires upfront effort to implement and ongoing support, the protection it provides for sensitive student and staff data is invaluable.

By following these best practices, your district can:

  • Reduce risk of unauthorized access
  • Meet compliance requirements
  • Build security-conscious culture
  • Protect reputation and maintain trust
Last updated on