Enforcing 2FA for All Staff

We are seeing regular occurrences where a staff member's logon details have become compromised, resulting in unauthorised logons - often by students who have found out the password of a staff member. Additionally, there was recently a phishing campaign which tricked staff into going to a web site, showing a clone of the KAMAR logon screen. Unauthorised logons by students is a data breach which must be reported to the privacy commissioner and in many cases data was also changed. KAMAR's audit logging shows these unauthorised logons and their actions, but the damage has already been done.

These incidents have highlighted the importance of staff enabling 2FA on their accounts. Currently KAMAR only enforces this for users with high access to KAMAR, however on discussion and feedback from affected schools, we have decided to enforce 2FA for all staff users.

You can already do this yourselves, by entering a number in:

• Setup > Users > Security > Usernames and Passwords: Two Factor Authentication

From the Jan 2026 update, this field can no longer be blank. If blank, it will automatically be set to 90 days.