As cyberthreats continue to evolve, schools need trusted tools, guidance, and best practices to safeguard their systems and communities. Here, you’ll find resources that will help you strengthen defenses and build a culture of cybersecurity awareness.
Protecting student data is a team sport. When districts use SSO + MFA, it’s faster for staff and safer for everyone—because each person who turns it on makes the whole community harder to breach.
Here you’ll find WSIPC resources built for schools: quick start guides, rollout checklists, and answers to common questions so your MFA implementation is simple and low friction.
Need support? cybersecurity@wsipc.org
What is MFA—and why does it matter for our district?
Multi-factor authentication (MFA) adds a quick, second check (like a code or tap) after your password. That extra step blocks the vast majority of account-takeover attempts: independent data from Microsoft and Google shows MFA blocks almost all bot attacks and dramatically reduces phishing risk, especially with authenticator apps or hardware tokens. When more staff use MFA, it becomes much harder for attackers to move between systems or reuse stolen passwords, so everyone benefits (students, staff, and the wider K-12 community).
What is SSO—and how does it work with MFA?
Single sign-on (SSO) lets you use one secure login to access many systems. Pairing SSO + MFA gives staff fewer passwords to manage and a consistent, low-friction prompt when needed. Qmlativ supports SAML-based SSO (e.g., Microsoft Entra ID/Azure AD or Google Workspace), and you can enforce MFA at the identity provider.
What MFA options are supported today in Skyward SMS 2.0 and Qmlativ*?
- Time-based One-Time Password (TOTP) authenticator apps such as Microsoft Authenticator, Google Authenticator, Authy, and LastPass Authenticator.
- SSO with MFA enforced at your identity provider (Microsoft Entra ID or Google Workspace).
- Email “callback” is currently available in Qmlativ (see retirement timeline below).
*Hardware tokens are on the roadmap for Qmlativ (see timeline below).
Is MFA required?
- Qmlativ: WSIPC-mandated MFA begins in the 2025–26 school year. The vendor also plans to require MFA starting 2026–27.
- SMS 2.0: MFA is now being mandated by Skyward in a phased rollout for users who are not on a Single Sign-On (SSO) system.
  - Phase 2 (Effective September 12, 2024): Mandatory for all system-wide web users.
  - Phase 3 (Effective November 21, 2024): Mandatory for all web users of the Business FIN/HR modules.
  - This requirement does not apply to districts using SSO, nor does it affect Guardian, Student, or standard Employee accounts.
Will this slow people down?
Not really. Initial setup is a quick, one-time process. After that, users may see a brief prompt when risk is higher (new device, location change, sensitive action). Most people find SSO + MFA actually reduces friction compared to juggling multiple passwords.
What if a staff member doesn’t have or can’t use a smartphone?
Two options:
- SSO + MFA using your identity provider’s supported methods (including approved non-phone methods), and
- Hardware tokens (see rollout timing below) for staff who need a phone-free experience.
What happens if someone loses or replaces their device?
District IT (or your regional support team) can help reset MFA and re-enroll the user. Admin tools and audit logs in SMS 2.0 and Qmlativ support secure resets and tracking.
Does using MFA on a personal device open it up to public records disclosure?
No. Using an authenticator app on your personal phone for MFA does not, by itself, make your phone's contents subject to a public records request. The security logs for MFA are stored in the cloud, not on your device.
It's important to distinguish MFA from using a personal device for other work-related communications, such as sending text messages. Under Washington's Public Records Act, communications about district business may be considered public records, regardless of the device used. However, using the MFA application does not fall into this category. Even in cases where officials’ text messages are requested, the common practice is for the user to provide copies of the relevant messages rather than turning over the entire device.
Can we bypass MFA temporarily for troubleshooting?
Yes. Admins can temporarily remove the requirement for a specific user or security group, then re-enable it. Use sparingly and log it.
What will the self-certification for SSO + MFA require?
A short email from the district IT director (or the ESD that provides SSO) confirming:
- The district uses SSO with MFA enforced for all staff logins to Qmlativ (and SMS 2.0 if applicable).
- The SSO provider (e.g., Microsoft Entra ID/Azure AD or Google Workspace).
- The point of contact (name, title, email, phone) for verification or follow-up.
Send to: cybersecurity@wsipc.org (cc your ESD support contact).
Do we have any updates on the rollout of a hardware token option?
Skyward/Qmlativ plans to begin token availability in January 2026 (initial phases/pilots may be staged). We’ll share details as we get closer.
When will the email option for MFA be removed in Qmlativ?
Email-based MFA will remain until hardware tokens are fully available as an alternative. We do not expect to remove the email option before September 2026, and we’ll provide advance notice before any change.
Why retire email MFA at all?
National guidance treats email and some out-of-band methods as weaker because they don’t strongly prove possession of a specific device. Moving to app-based or hardware-based MFA is safer for schools.
Quick Start
- Choose your path: SSO + MFA (recommended) or native Qmlativ/SMS MFA with an authenticator app.
- Enroll: Follow the prompt at sign-in (scan QR in an authenticator app or complete your SSO registration).
- Backups: Add a second method (e.g., backup app code or token when available) to avoid lockouts.
- Support: Your ESD/WSIPC teams can assist with setup, resets, and reporting.
Additional Resources
- NIST Special Publication: Digital Identity Guidelines
- CISA Online Toolkit: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats
- Microsoft Research: How effective is multifactor authentication at deterring cyberattacks?
- Specops: MFA failure costs Hamilton $18m in cyber insurance payout
- The Record: Biotech firm settles class action lawsuit over ransomware attack for $7.5 million
- Why MFA is Critical for Your District’s Security!
- WSIPC Cybersecurity RFP Results
- Navigating the AI Frontier in K-12 Cybersecurity for District Administrators