Ministry of Education New Zealand

What 2FA does

2FA adds an extra verification step to access an account or network.

2FA typically requires 2 of the following:

  • Something you know – your username and password or PIN.
  • Something you have – a security key or an authenticator app on your phone.
  • Something you are – your fingerprint, face, or voice.

Why 2FA is important

According to Microsoft and Google, using 2FA can prevent up to 99% of untargeted attacks. It is a crucial measure to protect data and information at your school.

Schools and kura must meet the requirements of Privacy Principle 5 of the Privacy Act by keeping student and staff personal information secure.

You should still use a strong password and have good security practices when using your devices.

Privacy Act 2020 – New Zealand Legislation

Protect your information using passwords

Who should have and manage 2FA

If you are responsible for managing your school’s network, you can centrally manage all staff 2FA requirements, including any exemptions or conditions, from the admin portal.

You should use 2FA on as many accounts as possible. We recommend setting up 2FA as follows:

  • mandatory for all administrator and financial accounts
  • encouraged for any accounts or systems that have personal information or access to financial information, or any critical school systems
  • encouraged for all users of your school's Google or Microsoft accounts, except students.

This should be set out in your school's cyber security policy.

Creating a password policy guidance

Options for using 2FA

Authenticator apps

This is the most common 2FA method. Using an app on your phone, you receive a 1-time code which you must enter within a set timeframe.

Passwordless authentication

Passwordless authentication uses something other than your password to log in, so that you don’t need a password anymore. Some examples are:

  • your fingerprint
  • facial recognition
  • clicking on a link sent to your email address.

This makes it faster and easier for staff to log in securely.

Common systems that use passwordless authentication include:

  • Microsoft Windows 10 or later, which may have Windows Hello to scan your face or fingerprint.
  • Google Smart Lock, which is available on some Android phones and Chromebooks.

Security keys

A security key, such as a YubiKey, is one of the most secure ways to implement 2FA and can be an option for staff who don’t have a smartphone. Follow our instructions to set up security keys.

How to set up 2FA

We have guidance on setting up 2FA across your school.

Setting up 2FA in schools – information for IT leads and principals

Google

Google has guidance on setting up 2FA for Google Workspace and email.

Setting up 2FA in the admin portal – Google

Turn on 2FA verification for your Google and Gmail account – Google

Microsoft

Microsoft has default security settings that include multifactor authentication, and guidance on how to use 2FA for email.

How to turn on Microsoft Security Defaults – Microsoft

Introducing Microsoft Security Defaults – Microsoft

Turn on 2FA verification for your Microsoft and Outlook account – Microsoft

Conditional or context-aware 2FA

You can set access rules for your logins, such as only asking for 2FA every 2 weeks, or only when not on school grounds. This is called context-aware access.

Protect your business with Context-Aware Access – Google Workspace Admin Help
