What is 2FA?
Sounds like a weird abbreviation, right? 2FA, or two-factor authentication, is a two-step verification technique that protects your account by requiring a second proof of identity. This second proof must be of a different nature than the first: something you know (such as a password or the answer to a secret question), something you have (such as a mobile phone or a chip card) or something you are (such as a fingerprint or facial recognition).
In concrete terms, what does this change for a user on our platforms? In some situations, a user will be asked, in addition to their usual username and password, to enter a one-time passcode, delivered by email at first and later by text message. This security method is highly recommended by the French National Information Science and Liberties Commission and the National Cybersecurity Agency of France.
Who should use 2FA?
We take special care to secure our most sensitive accounts. In the past three years, every major incident we have seen began with a compromised administrative account. These so-called “privileged” accounts have access to the Admin Console, a module that allows them to view and change users’ personal data, edit a school’s settings, and send out communications on a large scale. This is why we decided to add extra security measures to the Admin Console.
Looking back and forward
Securing your accounts while keeping the experience simple and easy to use is one of our main points of focus. That is why we are taking an initial step towards 2FA in the next few months by issuing a temporary code by email, and working with users and clients to determine the best way to roll out this feature in the long run.
Once the email system has been firmly established, we will create a new system that sends out a temporary mobile phone code via text, which will function as a true second method of authentication.
A closer look at our security improvements between March 2022 and the start of the 2023 school year:
March 2022: Two stronger security systems
- All users are notified when their passwords are reset.
- Admins are alerted every time someone signs in from a new device.
January 2023: New requirements and restrictions for administrators
- Administrators are required to verify their email address when they sign in for the first time.
- Editing an admin’s sensitive information is no longer possible. This prevents a would-be attacker who has taken over an account from granting themselves more privileges.
February 2023: Start of email verification
- Triggered when someone signs into the Admin Console for the first time.
- Triggered whenever they edit their sensitive information (email, phone number or password).
- No needless spam: users only have to verify their identity once per session.
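As an added illustration (not code from the platform described here), this is the server-side logic behind an emailed one-time code like the one above: the code is stored only as a hash, expires, can be used once, is attempt-limited, and a successful check marks the session so the user is asked only once per session. The ten-minute lifetime and five-attempt limit are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional

CODE_TTL_SECONDS = 10 * 60  # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5            # assumed number of guesses before the code is discarded

@dataclass
class PendingCode:
    digest: bytes        # sha256 of the code; the plaintext is never stored server-side
    expires_at: float
    attempts: int = 0

@dataclass
class Session:
    user_id: str
    verified: bool = False               # the "once per session" flag
    pending: Optional[PendingCode] = None

def issue_code(session: Session, now: Optional[float] = None) -> str:
    """Generate a 6-digit code, keep only its hash, return the plaintext to be emailed."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending = PendingCode(sha256(code.encode()).digest(), now + CODE_TTL_SECONDS)
    return code

def verify_code(session: Session, submitted: str, now: Optional[float] = None) -> bool:
    """Time-limited, attempt-limited, single-use, constant-time check of a submitted code."""
    now = time.time() if now is None else now
    pending = session.pending
    if pending is None or now > pending.expires_at:
        session.pending = None           # expired or nothing outstanding: force re-issue
        return False
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        session.pending = None           # too many guesses: discard the code entirely
        return False
    ok = hmac.compare_digest(sha256(submitted.encode()).digest(), pending.digest)
    if ok:
        session.pending = None           # one-time: the same code cannot be replayed
        session.verified = True          # no further prompts for the rest of the session
    return ok

def requires_verification(session: Session) -> bool:
    """Called before a sensitive action (first Admin Console sign-in, editing email, phone or password)."""
    return not session.verified
```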
Based on this experience and user feedback, 2FA will be available through text message in early 2023 as part of an initial pilot project before being rolled out to all our projects for the start of the 2023 school year.
Important best practices to keep in mind!
Identity theft is often the result of poor habits and poor password management. Don’t forget: in the digital age, your password is worth its weight in gold! Reusing the same password, or relying on mnemonic patterns that are easy to guess, makes you less secure.
Here are a few tips from the French National Information Science and Liberties Commission about what makes a good password:
- It is long and complex (i.e. 12 characters and four different character types)
- It doesn’t say anything about you (i.e. it doesn’t include your birthday or favorite movie)
- It is unique (i.e. the same password isn’t used to sign into multiple platforms)
- Remember it…without writing it down
This last piece of advice is tough for people who struggle with memorizing information.
Our data protection specialist, David Breyton, suggests, “We know that remembering a dozen long and unique passwords for the websites you visit is no easy task. There are now a number of different secure password managers that you can choose from. Personally, I use Truekey, which saves up to 15 passwords for free.”