Rethinking Security in Schools: A Story of Passkeys, People, and Progress
I had the opportunity to present recently at the California IT in Education (CITE) annual conference. Presenting at CITE always energizes me, not just because I get to share our work, but because the questions from the audience spark new ideas that stay with me long after the session. This makes the significant investment in time preparing for the presentation worthwhile!
As the name suggests, this conference audience was quite technical in nature, so I chose the topic "Beyond Passwords: Lessons Learned from Implementing Passkeys and Certificates." The presentation described a couple of changes our school district has made over the past six months that have made things easier for our users as well as more secure: two goals that are often in conflict with each other, but not this time!
The industry shift
In 2022, something rare happened: Google, Microsoft, and Apple announced a coordinated effort to expand support for passwordless sign-in across devices and services. For those not in the tech field, it's worth paying attention when the major players agree on a standard implementation (unlike calendaring, messaging, file sharing, app stores, etc.). I started learning more about passkeys and got excited to imagine a world in which I didn't need to remember login passwords anymore. This led me down the path to exploring how we could make this happen within our school district. The inner geek in me saw the elegance; the administrator in me saw the potential.
Our local shift
Our district changed identity providers in 2024, and our new provider didn't yet have passkey support. With some insider assistance, I was able to get this feature on the roadmap and ultimately implemented in August 2025. This set the technical foundation for making the passkey implementation possible.
Also in 2024, California passed Assembly Bill 3216, the Phone-Free School Act, which requires every school district to adopt a policy limiting or prohibiting the use of smartphones by July 1, 2026. While not specifically targeted at eliminating cell phone use by employees, it seems that if we ask students to put away their cell phones during the day, the adults in the system should be able to model the same behavior. This presents a problem for multi-factor authentication mechanisms that depend on a phone, whether an SMS code or a one-time code from an authenticator app.
Like many districts, ours has also seen an increase in the number and sophistication of credential harvesting phishing attacks, where an email lures users into entering their credentials on a fake login page, and the attacker then uses those credentials to log in and access information from the compromised account. These attacks have gotten so good that they also trick users into entering their 6-digit multi-factor authentication code from an app or SMS message, and the attacker relays that code to the real login page before it expires, so a code-based second factor does not stop them.
Two birds, one stone
It's always great when a solution can solve multiple issues at once. In this case we solved three:
- Provide an easier way to login (without a cell phone)
- Significantly reduce the risk of accounts being compromised by phishing emails
- Improve the information security posture of organizational identities
We are still in the process of rolling out passkeys to all staff users, as we decided to go slowly with a personal touch where possible. There are many nuances with different devices and operating systems, so we decided to take the "Unreasonable Hospitality" approach and convert users in-person where possible.
Passkeys don't reduce the number of phishing emails and fake login forms that arrive, but they remove the payoff. Once the passkey is set up, the account password is scrambled so that even the user does not know it. This step matters: a passkey only closes the phishing hole if no still-valid password remains for an attacker to harvest. If a user does type something into a fake form, what the attacker captures is not a working credential.
Passkeys are not 100% bullet-proof, but the browser binds each credential to the domain that registered it, and the private key never leaves the trusted device (or the user's passkey provider), so a look-alike domain cannot obtain a valid sign-in. The effort needed to compromise an account is therefore far higher: a simple phishing email and fake login form will not work, and the remaining risk shifts to account recovery flows, any fallback sign-in methods left enabled, and the security of the device itself.
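To make the "tied to a specific website" point concrete, here is an added example (not code from the original post or from the district's identity provider) that models the WebAuthn sign-in ceremony in miniature: an authenticator that only signs for the relying-party ID it was enrolled with, a browser that records the page's true origin, and a relying party that checks origin, RP ID hash, challenge freshness and signature. The hostnames are made up, the message formats are simplified, and HMAC stands in for the authenticator's real per-credential asymmetric signature; the scoping logic is what the example is about.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed hostnames, not a real district's. The phishing host embeds the
# real name as a subdomain, the same trick that fools human readers.
RP_ID = "login.example-district.org"
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.example-district.org.evil-example.net"


class Authenticator:
    """Holds one credential per RP ID and only signs for that RP ID.
    HMAC with a per-credential key stands in for the real asymmetric signature."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # 'key' plays the role of the public key handed to the RP

    def get_assertion(self, rp_id, client_data_json):
        if rp_id not in self._creds:
            raise LookupError("no passkey for RP ID " + rp_id)
        cred_id, key = self._creds[rp_id]
        # authenticatorData: sha256(rpId) || flags (user present) || 4-byte sign counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return cred_id, auth_data, hmac.new(key, signed, "sha256").digest()


class Browser:
    """The browser, not the user, records the page's true origin and derives the
    RP ID from it; the user never gets to 'type' a different site."""

    def __init__(self, authenticator):
        self.authenticator = authenticator

    def credentials_get(self, page_origin, challenge):
        rp_id = urlparse(page_origin).hostname
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True).encode()
        cred_id, auth_data, sig = self.authenticator.get_assertion(rp_id, client_data)
        return {"id": cred_id, "clientDataJSON": client_data,
                "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    """The identity provider: issues one-time challenges and verifies assertions."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials, self.pending = {}, set()

    def register(self, cred_id, key):
        self.credentials[cred_id] = key

    def begin_login(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, assertion):
        cd = json.loads(assertion["clientDataJSON"])
        key = self.credentials.get(assertion["id"])
        if key is None or cd.get("type") != "webauthn.get":
            return False
        if cd.get("challenge") not in self.pending:
            return False  # unknown or already-used challenge (replay)
        if cd.get("origin") != self.origin:
            return False  # origin binding: assertion was produced on some other page
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        if not hmac.compare_digest(hmac.new(key, signed, "sha256").digest(), assertion["signature"]):
            return False
        self.pending.discard(cd["challenge"])  # challenges are single use
        return True


def run_scenarios():
    """Enrol one passkey, then try a real login, a replay and a phishing relay."""
    rp, authn = RelyingParty(RP_ID, RP_ORIGIN), Authenticator()
    rp.register(*authn.make_credential(RP_ID))
    browser, results = Browser(authn), {}

    # 1. Legitimate login on the real origin.
    assertion = browser.credentials_get(RP_ORIGIN, rp.begin_login())
    results["legit_login"] = rp.finish_login(assertion)

    # 2. Replay: an attacker who captured that assertion submits it again.
    results["replayed_assertion"] = rp.finish_login(assertion)

    # 3. Phishing: the fake page relays a genuine challenge, but the browser scopes
    #    the request to the page it is actually on, where no passkey exists.
    try:
        browser.credentials_get(PHISH_ORIGIN, rp.begin_login())
        results["phish_page"] = "assertion produced"
    except LookupError as err:
        results["phish_page"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The phishing scenario is the one that matters for the argument above: even when the attacker relays a genuine challenge from the real identity provider in real time (the same relay that defeats 6-digit codes), the browser asks the authenticator for a credential scoped to the page it is actually showing, and no such credential exists. Nothing for the user to get right or wrong.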
Making the complex simple
OK, maybe simple is the wrong word here, but the idea of using technology to solve organizational issues is what's important. Passkeys may be cool to my inner-geek self, but that's not the ultimate benefit to the organization. The ultimate benefit is creating systems and processes that fade into the background so teachers and students can spend more time on what truly matters: teaching, learning, and human connection.