Know and understand two-factor authentication including its purpose and function

Safety and Security – Overview

Learning Objective

Know and understand the main safety and security issues covered in Cambridge IGCSE ICT (0417), including physical safety, e‑safety, data threats, authentication, encryption, firewalls, data‑protection legislation, backup, and the impact of emerging technologies. Be able to explain the purpose and function of two‑factor authentication (2FA) and how it can be implemented in a school environment.

1. Physical Safety of ICT Equipment

• Electrical safety – use mains‑rated plugs, avoid over‑loading sockets, keep cords away from water and foot traffic.
• Fire safety – keep devices away from heat sources, ensure working smoke detectors, and have a CO₂ or ABC‑type fire extinguisher suitable for electrical fires. Maintain a clear fire‑evacuation plan and regular fire‑drill practice.
• Ergonomics & trip hazards – place monitors at eye level, use chairs with back support, and keep cables tidy to prevent tripping.
• Surge protection – connect computers and networking equipment to a surge‑protective device (SPD) to guard against voltage spikes.

2. e‑Safety (Safe Use of the Internet)

• Maintain netiquette: be respectful, avoid cyber‑bullying, and think before posting.
• Protect personal information – do not share passwords, home address, or phone numbers on public sites.
• Recognise phishing – check the sender’s address, look for spelling errors, and never click unknown links.
• Identify and report cyber‑bullying or cyber‑stalking; know the school’s safeguarding procedure.
• Safe use of social media – keep profiles private, limit sharing of personal details, and verify the credibility of friends/contacts.
• Use reputable sources for school work and verify information before citing.

3. Security of Data – Common Threats

4. Authentication & Passwords

4.1 Password Best Practices

• Length: at least 8–12 characters.
• Complexity: mix of upper‑case, lower‑case, numbers, and symbols.
• Avoid common words, personal information, or repeated characters.
• Change passwords regularly and never reuse them across important accounts.
• Store passwords securely – use a reputable password manager rather than writing them down.
• Be aware of emerging password‑less authentication (e.g., magic links, FIDO2 security keys) which may appear in exam scenarios.

4.2 Types of Authentication Factors

4.3 Two‑Factor Authentication (2FA)

Purpose: To make unauthorised access much harder by requiring two independent pieces of evidence, even if one factor (e.g., a password) is compromised.

Typical flow:

1. First factor – Something you know: User enters password or PIN.
2. Second factor – Something you have or are: System prompts for one of the following:
   • One‑time code from an authenticator app (Google Authenticator, Microsoft Authenticator, Authy).
   • SMS or email containing a temporary numeric code.
   • Hardware token that generates a rotating code (e.g., YubiKey).
   • Biometric verification (fingerprint or facial scan).
3. Verification: Server checks both factors; access is granted only if both are correct.

School‑based example: A teacher logs into the school email system, enters their password, then receives a 6‑digit code on the Microsoft Authenticator app installed on their smartphone. The code is entered, and the session opens.

Advantages of 2FA

• Greatly reduces the chance of account compromise.
• Can be deployed at low cost using devices students already own (smartphones).
• Provides flexibility – users can choose the method that best fits their situation.

Limitations of 2FA

• Loss or damage of the second‑factor device can lock users out.
• SMS codes are vulnerable to SIM‑swap attacks and interception.
• Biometric data cannot be changed if compromised.

5. Encryption & Secure Transmission

• Encryption converts readable data (plaintext) into an unreadable form (ciphertext) using an algorithm and a key.
• Symmetric encryption – same key encrypts and decrypts (e.g., AES). Fast, used for bulk data.
• Public‑key (asymmetric) encryption – a public key encrypts, a private key decrypts (e.g., RSA, ECC). Enables secure key exchange and digital signatures.
• SSL/TLS (Secure Sockets Layer / Transport Layer Security) encrypts data exchanged between a web browser and a server, ensuring confidentiality and integrity.
• Websites using HTTPS display a padlock icon – this indicates that SSL/TLS is active and the connection is encrypted.
• Certificate Authorities (CAs) – trusted third parties (e.g., Let’s Encrypt, DigiCert) issue digital certificates that verify a server’s identity and enable SSL/TLS.

6. Firewalls & Network Security Basics

• Firewalls monitor and control incoming and outgoing network traffic based on predefined security rules. They can be hardware‑based (router/firewall appliance) or software‑based (Windows Defender Firewall).
• Common rule types:
  • Block all inbound traffic except for required services (e.g., web server on ports 80/443).
  • Allow outbound traffic only from trusted applications.
• Packet‑filtering vs. stateful inspection – packet‑filtering checks header information only; stateful inspection also tracks the state of connections for more accurate control.
• DMZ (Demilitarised Zone) – a sub‑network that hosts public services (web, mail) while keeping the internal network isolated.
• Firewalls help protect school networks from external attacks and limit the spread of malware.

7. Data Protection & Privacy Legislation

• Personal data – any information that can identify a living individual (name, address, ID number, etc.).
• Sensitive data – special categories such as health information, biometric data, or religious beliefs.
• Key principles (GDPR‑style):
  • Lawful, fair, and transparent processing.
  • Purpose limitation – collect data only for a specific purpose.
  • Data minimisation – keep only the data that is necessary.
  • Accuracy – ensure data is up‑to‑date.
  • Storage limitation – delete or anonymise when no longer needed.
  • Integrity & confidentiality – protect data with appropriate security measures.
  • Right to be forgotten – individuals can request deletion of their personal data.
  • Data‑breach notification – organisations must inform the supervisory authority (and sometimes the individuals) within 72 hours of a breach.
• Schools must obtain consent where required, keep records of processing activities, and provide individuals with rights to access, correct, or erase their data.

8. Backup & Recovery

• Follow the 3‑2‑1 backup rule: keep at least three copies of data, store them on two different media types, and keep one copy off‑site.
• Implement regular schedules – e.g., daily incremental backups and weekly full backups.
• Store one copy off‑site (cloud storage or a secure external location) to protect against fire, theft, or flood.
• Test restoration procedures periodically to ensure data can be recovered quickly.
• Encrypt backup media to keep stored data confidential.

9. Emerging Technologies & Security Implications

• Internet of Things (IoT) – smart lockers, classroom sensors, and wearable devices increase the number of “something you have” endpoints, making 2FA and strong network segmentation essential.
• Artificial Intelligence (AI) – can be used for sophisticated phishing (deep‑fake emails) and for automated threat detection in firewalls.
• Cloud‑based AI security services (e.g., Microsoft Defender for Cloud, Google Chronicle) provide real‑time anomaly detection and automated response.
• Schools should adopt security policies that address these new devices, including regular firmware updates and separate VLANs for IoT equipment.

10. Implementing Two‑Factor Authentication in a School Environment

1. Identify accounts that need protection (staff email, student portals, library system, admin databases).
2. Select a reliable 2FA method – authenticator apps are preferred over SMS for security.
3. Configure the chosen service to require 2FA for all users; enforce a minimum password strength.
4. Provide step‑by‑step guidance and classroom workshops on setting up the authenticator app and generating backup codes.
5. Establish a clear recovery procedure:
   • Issue one‑time recovery codes that can be printed and stored securely.
   • Designate a help‑desk process for verifying identity before resetting 2FA.
6. Monitor login attempts and review security logs regularly for suspicious activity.

Checklist for Teachers Before 2FA Roll‑out

• ✔ All staff have a compatible smartphone or a hardware token.
• ✔ Backup/recovery codes have been generated and stored securely.
• ✔ Password policy (minimum length, complexity, change frequency) is enforced.
• ✔ Support documentation and a help‑desk contact are available.
• ✔ A test group has completed a pilot and reported no access issues.
• ✔ Login‑attempt logs are set to retain at least 30 days for audit.

11. Key Points to Remember

• Physical safety, e‑safety, and data security are all part of the IGCSE “Safety and Security” syllabus.
• Authentication combines two independent factors – knowledge, possession, or inherence – to protect accounts.
• 2FA dramatically reduces the risk of unauthorised access, but a backup plan (recovery codes) is essential.
• Encryption (symmetric and public‑key) and SSL/TLS protect data in transit; CAs verify server identities.
• Firewalls (stateful inspection) and DMZs protect the network perimeter.
• Data‑protection legislation requires schools to handle personal and sensitive data responsibly, including the right to be forgotten and breach‑notification duties.
• Follow the 3‑2‑1 backup rule and test restores regularly.
• Emerging technologies such as IoT, AI, and cloud‑based security services bring new risks that must be managed.