THREAT Detected | When SSO and MFA Aren't Enough: Hidden Credential Risk in K-12

Every alert tells a story. THREAT Detected is a blog series that captures the experiences and advice of cybersecurity professionals working in K–12 schools and districts. Whether stemming from a phishing attempt or a full-blown ransomware attack, our contributors offer hard-won wisdom on how to defend school communities from emerging cybersecurity threats.

══════════ ✦ ✦ ✦ ══════════

When SSO and MFA Aren't Enough: Hidden Credential Risk in K-12

You've done the right thing. You’ve implemented Single Sign-On (SSO) and mandated Multi-Factor Authentication (MFA) across your school district staff accounts. You're feeling confident in your security posture. But what about the dozens, or even hundreds, of other applications your staff uses every day that aren't tied to your central SSO? This is the soft underbelly of your security strategy, and it's more vulnerable than you think.

A Real-World Warning: The SchoolDude Breach

Let's talk about a concrete example: the SchoolDude data breach. For those who aren't familiar, SchoolDude (part of Brightly) was a widely used platform for managing school facilities and IT. The platform suffered a significant breach in 2023 where, according to reports, all user credentials were stolen as clear text passwords.

The fallout was immediate and alarming. Within 72 hours, we saw those exact usernames and passwords from the SchoolDude breach appear for sale on the dark web. The price? A mere $6 per credential. For the cost of a cup of coffee, a malicious actor could gain access to a trusted school employee's account.

The Human Element: Predictable Password Reuse

Here’s where the real danger lies. It is human nature to reuse passwords. If a teacher has a password for your district's official SSO-protected system, what are the odds that they use that exact same password for their SchoolDude account, their online textbook portal, or that niche classroom management app the district hasn't fully onboarded yet?

The odds are high. When a service like SchoolDude is compromised, you have to assume that the stolen password isn't just for that one application. It’s likely the key to all of that user’s other non-SSO accounts. The breach of one becomes a potential breach of many.

Your Call to Action: A Four-Point Defense

Relying on SSO and MFA alone is not enough when your application ecosystem is fragmented. Here are four critical steps every school district should implement immediately to mitigate this risk:

  1. Enforce Annual Password Rotation, Even with MFA. While it may seem redundant in an MFA world, regular password rotation is a crucial layer of defense. It limits the window of opportunity for a malicious actor to use a stolen credential that you may not even know has been compromised. It’s a simple, effective piece of security hygiene.

  2. Actively Disable Expired Accounts. Forcing password expiration is useless if you don't follow through. What happens when a user is out on extended medical leave or you forget to de-provision an old account? That account, still using the old stolen password, becomes a permanent, unguarded backdoor. The attacker can log in with the old password and, when prompted to change it, set a new password that only THEY know. You must have a process to actively disable any non-SSO account that fails to change its password within a few weeks of expiration.

  3. Maintain a Written List of ALL Non-SSO Applications. You cannot protect what you do not know about. Create and maintain a comprehensive inventory of every online service and application used by large numbers of your staff that is not integrated with your SSO. This is your roadmap for incident response.

  4. Force Password Resets Across the Board When Breaches Occur. When a major compromise like the SchoolDude breach happens, your documented list of non-SSO applications becomes invaluable. Your immediate response should be to force a password change not just on affected SSO accounts and the compromised service, but on all other non-SSO services on your list. This proactively neutralizes the threat of password reuse before it can be exploited.
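Steps 2 through 4 as an added worked example (not code from the original post): a small Python model of a written non-SSO account inventory that flags accounts to disable once the grace window after expiration has passed, and builds the cross-application reset list when one inventoried service is breached. The user and application names, the 365-day rotation period, the 21-day grace window and the reference date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_DAYS = 365        # step 1: annual rotation (assumed policy value)
GRACE_DAYS = 21            # step 2: "a few weeks" after expiration before disabling (assumed)
TODAY = date(2025, 8, 11)  # constructed reference date for the sample run


@dataclass
class Account:
    """One user's account on one non-SSO application from the written inventory (step 3)."""
    user: str
    app: str
    last_change: date   # when the password was last rotated
    enabled: bool = True

# Constructed sample inventory; user and application names are hypothetical.
INVENTORY = [
    Account("jsmith", "facilities-portal", date(2024, 5, 1)),
    Account("jsmith", "textbook-portal", date(2025, 2, 10)),
    Account("mlee", "facilities-portal", date(2025, 7, 20)),
    Account("mlee", "classroom-app", date(2023, 12, 1)),
    Account("rgarcia", "classroom-app", date(2024, 8, 1)),
]

def password_state(acct: Account, today: date) -> str:
    """'current', 'expired' (still inside the grace window) or 'disable' (grace exhausted)."""
    expires = acct.last_change + timedelta(days=ROTATION_DAYS)
    if today < expires:
        return "current"
    if today < expires + timedelta(days=GRACE_DAYS):
        return "expired"
    return "disable"

def accounts_to_disable(inventory, today: date):
    """Step 2: enabled accounts whose password was never changed after expiration plus grace."""
    return sorted((a.user, a.app) for a in inventory
                  if a.enabled and password_state(a, today) == "disable")

def breach_reset_list(inventory, breached_app: str):
    """Step 4: every user with an account on the breached app must reset on every inventoried
    non-SSO app (assumes password reuse); the SSO-side reset is done in the IdP separately."""
    affected = {a.user for a in inventory if a.app == breached_app}
    return sorted((a.user, a.app) for a in inventory if a.user in affected)

if __name__ == "__main__":
    print("disable:", accounts_to_disable(INVENTORY, TODAY))
    print("reset after breach:", breach_reset_list(INVENTORY, "facilities-portal"))
```

In practice the inventory would be loaded from the district's documented list of non-SSO applications and the disable and reset actions pushed to each vendor's admin console.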

The reality is that K-12 digital environments are complex. While SSO and MFA are powerful tools, they don't cover the entire landscape of tools and applications used in most school systems. By acknowledging the risks of non-SSO applications and taking a few proactive steps, you can build a more resilient and comprehensive security posture for your district. It’s also a good reason to make SSO integration part of any new software purchase.

══════════ ✦ ✦ ✦ ══════════

Contributed by April Mardock, Chief Information Security Officer, Washington Schools Information Processing Cooperative

K-12 Cybersecurity Insider | 8/11/2025 edition