MFA Still Non‑Negotiable
SMB and school IT advisories stressed expanding MFA and cleaning up credential hygiene for all staff, with a focus on reducing credential theft across admin and operational accounts. (x.com)
CIS and MS‑ISAC analyzed more than 5,000 K‑12 organizations and reported that 82% of reporting districts experienced cyber threat impacts; the dataset included roughly 14,000 security events between July 2023 and December 2024. (cisecurity.org)
Microsoft research on Azure Active Directory telemetry found that over 99.99% of accounts protected by MFA remained secure during the study period and that dedicated authenticator apps outperformed SMS-based factors. (cdn-dynmedia-1.microsoft.com)
REN‑ISAC and sector alerts have documented an uptick in reverse‑proxy phishing (Evilginx‑style) campaigns that capture session tokens and can bypass some MFA deployments, with incidents reported across education and research organizations. (ren-isac.net)
Practical K‑12 guidance published in EdTech Magazine recommends phased rollouts, role‑based enforcement (starting with admin and operational accounts), and lightweight user experience options to reduce help‑desk load during districtwide MFA adoption. (edtechmagazine.com)
Microsoft’s education guidance and product notes describe passwordless and on‑device MFA options that work without smartphones for students and staff, citing methods designed to lower enrollment friction in schools. (microsoft.com)
The FBI’s IC3 put reported losses at more than $16 billion in its most recent annual internet‑crime report, a figure federal advisories cite when urging baseline protections such as MFA and credential hygiene for K‑12 systems. (fbi.gov)