Empowering secure and seamless learning: Multifactor authentication without a smartphone

A male pre-teen student standing at the bottom of a staircase at school and working on a laptop. There are three other students hanging out on the stairs behind him.
Microsoft offers multifactor authentication (MFA) without a smartphone using secure, passwordless device access.

As we look ahead to the upcoming school year in many places across the northern hemisphere, educational institutions face a daunting security landscape. The education sector regularly makes up over 80% of the reported malware encounters in any 30-day period. Traditional passwords are increasingly vulnerable, leading to potential security breaches. The average student often neglects best practices for password security, frequently opting for simple and easily guessable passwords. Fortunately, there’s a promising development—Microsoft offers multifactor authentication (MFA) without a smartphone using secure, passwordless device access.

Decorative. An infographic shows the industries that are most affected by malware encounters in the last 30 days. The Education industry accounts for 80.48%.
More than 80% of malware encounters reported within a 30-day period consistently come from the education sector.

Poor security practices can lead to significant consequences, from identity theft and unauthorized access to students’ personal and academic information, to severe breaches across education networks and systems. While schools have focused on encouraging a more proactive access control approach—such as creating stronger unique passwords—success ultimately depends on the students. Protect your school’s devices and data with Microsoft’s industry-leading cybersecurity solutions that bring the digital security needs of your students, teachers, and school districts to the forefront.

MFA without a smartphone: a convenient and secure option

Traditional MFA processes are unrealistic for students, as institutions from primary schools to universities cannot expect every student to have a phone or device to deploy legacy MFA options. Additionally, using personal devices for authentication comes with even more privacy and security concerns for educational institutions. However, studies have shown that an account is more than 99.9% less likely to be compromised if using MFA. So, what can schools do?

Luckily, hope is on the horizon—Microsoft has pioneered a passwordless approach using MFA without a smartphone that ensures students can easily access their learning environments securely. With no phone required for authentication, this is the first passwordless MFA solution from an industry-leading security and education solution provider for primary and secondary (K-12), and higher education students. Without having to rely on a homegrown or third-party identity provider (IdP), credentials can be set and distributed to students that may not have a phone to complete the setup. Additionally, this passwordless approach helps schools meet stringent cyber insurance requirements and qualify for a variety of government funding opportunities and cyber grant programs around the world, such as the recently announced $200 million FCC Cybersecurity Pilot Program for schools in the US.

By replacing passwords with your choice of convenient and secure options for passwordless authentication, you can transform the security of your entry points with best-in-class technology and increase your IT team’s productivity.

Why use MFA to go passwordless?

Passwords are often the weakest link in security protocols and can be easily guessed, stolen, or forgotten. As we grow more predictable in our password generation and choices, our vulnerability increases. According to a recent study by the National Institute of Standards and Technology (NIST), more than 68% of primary school students and 81% of middle school and high school students reuse the same password across multiple accounts, making them vulnerable to identity theft and attacks. Even strong passwords are vulnerable because they are often reused across multiple sites—there have been a number of high-profile data breaches exposing millions of user passwords, and just one recycled password can give hackers the ability to conduct attacks across websites.

Decorative. A graphic with the NIST logo and a statistic that says, “According to a recent study by the National Institute of Standards and Technology, more than 68% of primary school students and 81% of middle school and high school students reuse the same password across multiple accounts, making them vulnerable to identity theft and attacks.
Passwords are frequently the most vulnerable point in security systems and are susceptible to being guessed, compromised, or misplaced.

Learn 5 tips for enhancing school cybersecurity

Read the blog

Unfortunately, students in particular may be more likely to use weak passwords or reuse passwords as they’re less aware of or concerned about security best practices. While traditional MFA does add an additional layer of protection, it’s still reliant on the use of a password and a second device.

Passwordless authentication helps minimize the threat of password theft while enabling easy sign-in security that achieves leading industry standards—all while providing a smooth and efficient experience for students, faculty, and IT. Passwordless authentication also doesn’t require a phone for use (FIDO2-compliant security keys can be used instead of apps, SMS, or voice calls) yet still leverages advanced technologies like biometrics and PINs, which are more secure, user-friendly, and popular based on feedback from end users.

Decorative. The Windows lock screen showing the fingerprint, PIN, and password credential providers.
Passwordless authentication with Microsoft provides secure and easy sign-in for students, faculty, and IT.

Passwordless authentication with Microsoft adds multiple layers of safety for student data. For example, if biometrics are used as part of the Windows Hello face authentication system, the biometric data never leaves the device—the data is hashed and stored locally instead of on the cloud. Also, if using a PIN with Windows Hello, the PIN is tied to the specific device on which it is set up—so if a malicious actor obtains the PIN, they can’t use it to access the account from another device.

How to implement passwordless MFA

There are three main steps to planning, implementing, and managing passwordless MFA for students.

The first step is distributing Temporary Access Passes (TAP) which are often generated when passwords are provided to students for the first time or when students receive new devices. By using authentication methods in Microsoft Entra ID, you can control what MFA methods students are prompted to set up and use.

Decorative. An infographic shows three high-level steps in the Temporary Access Pass process: Admin creates TAP, Student uses TAP to create passwordless credential, Student uses passwordless.
After generating and distributing TAP to students, they can create a passwordless credential to use with their devices.

The second step is configuring devices. Depending on the device and system, passwordless sign-in methods can be configured for each operating system to meet your requirements:

  • For Microsoft Intune-managed devices, there are two methods for configuring Windows Hello for Business: tenant-wide Windows Hello for Business policies or targeted policies. For more information, see Configure Windows Hello for Business.
  • To use passwordless credentials on macOS, you can set up Platform SSO with secure enclave. For more information about setting up Platform SSO with Intune, see Configure Platform SSO for macOS devices.

Manage technology and maximize security

Explore Microsoft 365 Education

Each operating system has a different implementation for device-bound passwordless credentials. For more detailed information on hardware requirements and bioinformatic information needed, see the Microsoft 365 Education documentation Passwordless for Students.

If you’re requiring students to use Microsoft Entra ID for authentication, configuring Conditional Access can ensure that only trusted individuals—in this case, students—can access managed devices with passwordless credentials. A Conditional Access policy can be configured with specific settings for Name, Target, and Grant. For more information, see Overview of Microsoft Entra authentication strength.

The third and final step is to maintain vigilance and quickly address any compromised devices. While passwordless credentials are unaffected by password changes, resets, or policies, if a device is compromised or stolen, there are a few options to resolve the incident. Some common actions include triggering a remote wipe of the compromised device, deleting the associated passwordless credential from the comprised device, and removing the authentication method associated with a user account.

Join the passwordless MFA movement

Transitioning to passwordless MFA without a smartphone is a significant step toward securing student data and enhancing the overall educational experience. By leveraging Microsoft’s robust tools and resources, educational institutions can create a safer, more efficient learning environment.