Add Two Factor Auth (2FA) options
This enhancement would significantly increase the level of security for our Skyward Finance system by adding another level of security which would require something the user has (not just userid and password) before they would be allowed to log on. Based on the current types of attacks against systems, and seeing that Skyward runs our payroll and accounts payable and has all the information about employees (including SSN), adding 2FA would significantly reduce the risk of access from the outside because of a stolen password/user id.
To give maximum flexibility, this should be a security level added to the user. For example, we might only turn this on for payroll but not for all staff. Then, based on the fact that they are a member of this group, a simple SAML request could be made from Skyward for a 2FA. This would allow the District to use any number of SAML-based 2FA systems to provide the service without having to build this directly into Skyward, and the District could then use DUO, Google, or any number of other 2FA systems which support SAML.

Skyward is releasing a native Multi-Factor Authentication (MFA) option for users that use Skyward credentials to log in. This will be available in Addendum 09, available on May 23rd, 2024.
Single Sign-On Configuration has been relabeled to Authentication Configuration in the following system locations:
- Product Setup > Skyward Contact Access > District Setup > Configuration
- Product Setup > Skyward Contact Access > Security > Product Setup > Configuration
- Product Setup > Skyward Contact Access > Security > Security Groups > Web Product Setup
A “Require MFA” option and associated column has been added to the following system locations:
- Product Setup > Skyward Contact Access > Security > Users > Employee Access
- Product Setup > Skyward Contact Access > Security > Users > Secured
- Web Student Management > Families > Family Access > Users
- Web Student Management > Students > Student Access > Users
Users required to use native MFA will be prompted to set up MFA upon login. Users who have MFA enabled will need to re-authenticate per “Days to Expiration” settings. Logging out and signing back in within the trusted time period will not require the user to re-authenticate. However, if enough time has passed for trust to expire or the user removes their trusted device using the “Remove Device” button, they will be prompted to re-authenticate.
We will be rolling out these changes in 3 phases so keep an eye out for more updates through email!
Thank you,
Erik O.
-
Lora Holman commented
We need to use two-factor authentication for all staff logins to Skyward. This includes the mobile app, which currently does not have this functionality. Please consider programming the ability to use a third party (Google, Classlink, etc.) to authenticate and add the MFA level to the mobile app. (We have just implemented SkySTS to allow us to authenticate via Classlink and DUO to provide MFA for the web version. But this doesn't work for the mobile app.)
-
David Conner commented
This is going to be a requirement to secure our SKYWARD accounts. This is a security standard in today's technology.
-
Tim Harper commented
We are very interested in MFA for the same reasons mentioned in the original idea. We are close to having this feature promoted on our ERP system and need the same on our SIS.
-
J. Anderson commented
Also, please add support for hardware-based security keys such as YubiKeys and Google Titan Security Keys.
-
Brian Tobin commented
Student data privacy is a big concern of ours. It has been elevated internally as we continue to provide best efforts in protecting student data privacy. Please add this option to the current web-based Skyward sooner rather than later. Based on current design and requirements, I do not anticipate being able to move finance or the student system to Qmlativ in the near future. Thank you.
-
BENJAMIN BAYLE commented
This enhancement would significantly increase the level of security for our Skyward Student system by adding another level of security which would require something the user has (not just userid and password) before they would be allowed to log on. Based on the current types of attacks against systems, and seeing that Skyward runs our student records and has all the Personally Identifiable Information about our student body, adding 2FA would significantly reduce the risk of access from the outside because of a stolen password/user id. This is a need to remain FERPA compliant as well.
To give maximum flexibility, this should be a security level added to the user. For example, we might only turn this on for Leadership and Cabinet members. Based on the security group, a simple SAML request could be made from Skyward for a 2FA. This would allow the District to use any number of SAML-based 2FA systems to provide the service without having to build this directly into Skyward, and the District could then use DUO, Google, or any number of other 2FA systems which support SAML.
-
Brian Tobin commented
We are in dire need of this on both the student and finance side. Due to restrictions, I don't anticipate being able to move to Qmlativ for quite some time.
-
BENJAMIN BAYLE commented
This is a basic need to protect Financial and Student Data.
-
Jeff Fisher commented
This is needed for system-wide users. This may not get many votes since very few people understand the topic. This is a critical need for all payment systems. Changes in banking ACH files could bankrupt a district.