PowerSchool SIS supports Multi-Factor Authentication (MFA) using a Time-Based One-Time Password (TOTP) for Administrators and Teachers when PowerSchool SIS is the Identity Provider (IdP) or when LDAP is in use on PowerSchool SIS versions 25.12.0.0 and higher.
-
Administrators and teachers can enroll in MFA from the Manage Profile page, which is accessed by selecting the User Profile icon (containing your initials) in the header. By default, MFA enrollment is optional. However, a district administrator can enable the MFA Redirect on Login policy on the System Security Settings page, which automatically redirects unenrolled users to the MFA setup screen upon login. When the MFA Redirect on Login policy is enabled, a non-dismissible dialog prompts the user to complete MFA enrollment before proceeding. If the you do not complete enrollment, a prompt is displayed during the user's subsequent login.
-
Once an Administrator or Teacher enrolls in MFA they will be prompted to enter their MFA TOTP as part of each login.
-
Administrators can use the AdminMFAEnabled and TeacherMFAEnabled staff searches to determine who has or hasn't setup MFA. These searches can be used to help ensure compliance of district policies.
-
Administrators can disable MFA for a user from the Account Access and Affiliations and Admin Access and Roles pages if they have access to the page. An Administrator disabling MFA for a user will need to provide their TOTP code to prevent accidental disabling of a user's MFA. This allows for Administrators to reset a user's MFA in the event of a lost device.
-
Administrators control MFA enrollment behavior from the System Security Settings page. When the MFA Redirect on Login setting is enabled, administrators and teachers who have not enrolled in MFA are redirected to the MFA setup screen upon login. Existing users are not affected by the MFA Redirect on Login setting and can continue to use MFA to log in.
-
TOTP depends on the PowerSchool SIS server time being aligned with a Network Time Protocol (NTP) server, which is aligned with an atomic clock.
-
It is recommended that all administrators and teachers enable MFA on their accounts. Time-Based One-Time Password (TOTP) based MFA does not require a mobile device. Most password managers support TOTP-based codes, such as Apple Passwords, 1Password, Bitwarden, and Dashlane.