Anyone who has managed IT security for a school knows the particular frustration of policies that make perfect sense individually and create an impossible situation together.

On one side: the mobile phone ban. Increasingly common in Australian schools, backed by mounting evidence that phones in classrooms harm attention, learning outcomes, and student wellbeing. A sensible policy with broad community support.

On the other side: mandatory multi-factor authentication. Required by cyber insurance providers, driven by the documented surge in cyberattacks targeting educational institutions, and non-negotiable for schools that want coverage. Also a sensible policy with serious consequences if ignored.

The problem is that every mainstream MFA solution on the market assumes the second factor lives on a mobile phone. SMS codes. Authenticator apps. Push notifications. All of them require a device that the school has just told students to leave at the door. Nazareth College in Melbourne was sitting squarely in that contradiction. Lydsec Keypasco and their Australian distribution partner Auspac One just solved it, and the solution they deployed is drawing attention from schools across the country.

A Problem That Is Bigger Than One School

Before getting into what Keypasco built and how the Nazareth College deployment worked, it is worth understanding why this particular problem exists at this particular moment in Australian education.

The cyber threat facing schools has changed significantly over the past several years. Educational institutions were once considered relatively low-value targets by sophisticated threat actors. That assumption no longer holds. Schools hold sensitive personal data on students and families. They run financial systems. They manage payroll. They connect to government networks and, in some cases, defense-adjacent research and administration frameworks. And they typically run those systems with IT teams that are considerably smaller and less resourced than the corporate environments facing similar threats.

Campbell Pan, co-founder of Auspac One, has watched this shift play out directly in the Australian market. The education sector has experienced a measurable increase in cyber incidents in recent years: credential theft, ransomware, and account compromise attacks that exploit exactly the kind of authentication weaknesses that MFA is designed to close.

Insurance providers have noticed. The cyber insurance policies available to Australian schools increasingly carry explicit MFA requirements as a condition of coverage. Schools that cannot demonstrate compliant authentication infrastructure face either significantly higher premiums, reduced coverage terms, or outright exclusion from policies they depend on to manage their financial exposure to cyber incidents.

So the mandate is real. The pressure is genuine. And the tool that was supposed to solve the problem, mobile-based MFA, is sitting in a locker outside the classroom door.

What Keypasco Actually Built and Why the Architecture Matters

The insight behind Keypasco’s approach is straightforward once you hear it, but it required a fundamental rethink of where the second authentication factor should live.

Every student at Nazareth College already carries a primary learning device into class every day. A laptop. That device is registered to the student, connected to the school network, and actively used for legitimate academic purposes. It is, in every meaningful sense, a trusted device with a clear and documented relationship to its user.

Keypasco’s patented device-binding technology shifts the MFA mechanism from the mobile phone to that laptop. The authentication factor does not live in an app on a phone that is banned from the building. It lives in a cryptographic binding between the user’s credentials and their registered learning device: a binding that is specific to that device, cannot be transferred, and does not require any additional hardware to function.

For Nazareth College’s IT leadership, the implications were immediate and practical. Milhem Nassour, IT Head of School, was facing the prospect of either issuing physical hardware tokens to 1,100 students (with all the procurement cost, replacement logistics, and helpdesk overhead that entails) or finding an authentication solution that worked within the school’s existing device infrastructure.

Keypasco eliminated that choice. The device students already use for learning becomes the authentication device. No tokens to procure. No tokens to replace when lost or damaged. No additional hardware to manage, track, or budget for.

How the Nazareth College Deployment Actually Worked

The practical details of the deployment matter as much as the concept, because they reveal why this solution is generating interest beyond a single successful case study.

Nazareth College runs a hybrid environment: a combination of on-premises infrastructure, including Windows domain controllers, and cloud-based services built around Microsoft 365. This is an extremely common architecture for Australian schools, and it is also one of the more challenging environments to secure with conventional MFA solutions because it requires authentication to work consistently across both the local network and cloud services without friction that disrupts teaching and learning.

Keypasco’s solution integrated directly with the existing on-premises domain controllers while simultaneously securing the Microsoft 365 environment. The school did not need to replace or significantly restructure its existing infrastructure to accommodate the new authentication model. The platform supports both Windows and macOS devices, which matters in an environment where students may be using either platform depending on year level, subject, or personal device policies.

All 1,100 student devices were brought under centralized, secure management through the deployment. The authentication framework that cyber insurers require is now in place. The phone ban policy remains intact. And the IT team is not managing a hardware token program across more than a thousand students.

Cindianne Lin, General Manager of Lydsec Keypasco, noted that the Nazareth College deployment directly addresses one of the most significant security gaps in Microsoft 365 deployments within specialized education environments, a gap that exists not because schools are unaware of the risk but because the available solutions have not fit the infrastructure constraints those environments actually run within.

Why the Token Alternative Was Never Really a Solution

It is worth spending a moment on why physical hardware tokens, the most common alternative to mobile-based MFA in environments where phones are restricted, create problems of their own in a school setting.

Hardware tokens are expensive to procure at scale. For a school with 1,100 students, even a modest per-unit cost compounds quickly into a significant budget line item. That cost recurs every time a token is lost, damaged, or needs to be replaced because a student has left the school or a new cohort has enrolled.

The logistics overhead is substantial. Tokens need to be distributed at the start of the year, collected at the end, tracked throughout, and replaced on an ongoing basis. Each lost token creates a helpdesk ticket, a procurement request, and a window of time during which the student either cannot authenticate or is operating outside the secure authentication framework.

In a school IT environment where the support team is typically small and responsible for an enormous range of systems and user needs, that ongoing token management burden is not a minor inconvenience. It is a continuous drain on remediation execution capacity: time and attention that should be directed toward active security management and infrastructure improvement rather than hardware lifecycle administration.

Keypasco’s device-binding approach eliminates the token lifecycle entirely. The authentication credential is tied to the device the student already has. When a student leaves the school, the device binding is revoked. When a new student enrolls, their device is registered. The entire process runs through existing deployment management pipelines rather than requiring a parallel token tracking and distribution program alongside it.

The Broader Market Signal for Australian Education

The Nazareth College deployment is generating the kind of attention that tends to follow a genuinely clean solution to a problem that many people in a market have been struggling with simultaneously.

Discussions for partnerships with additional schools across Australia have already accelerated following the completion of the initial Melbourne deployment. The education sector dynamic that made Nazareth College’s situation difficult is not unique to that school. It is the common condition of Australian schools navigating the intersection of device policies, cyber insurance mandates, and constrained IT resources.

The market opportunity extends beyond secondary schools. The same authentication challenge applies to primary schools with device management requirements, TAFE institutions, and university environments managing large, distributed student populations across hybrid infrastructure. The hybrid cloud architecture that Keypasco’s solution supports is standard across Australian education at every level.

Lydsec Keypasco has also signaled that the application of this authentication model is not limited to education. Corporate environments with clean-desk policies, secure facility requirements, or bring-your-own-device frameworks that restrict personal phone use face structurally similar workflow coordination challenges around authentication. The device-binding approach that solves the school phone ban problem translates directly to any environment where the conventional assumption that a mobile phone is always available and always appropriate as an authentication factor does not hold.

What This Means for Schools Still Caught in the Contradiction

For the IT directors and school administrators still navigating the space between their phone ban policy and their cyber insurance requirements, the Nazareth College deployment offers something more useful than a concept: a proven, at-scale implementation with documented outcomes.

Eleven hundred devices. Hybrid cloud and on-premises infrastructure. No hardware tokens. No phone dependency. Full compliance with the MFA requirements that insurers mandate. And a deployment that did not require the school to rebuild its existing IT architecture from the ground up to accommodate it.

The cyber threat facing Australian schools is not diminishing. The insurance requirements reflecting that threat are not becoming less stringent. And the community consensus around limiting phone use in classrooms is, if anything, strengthening as the evidence base supporting those policies grows.

Research and Intelligence Sources: Lydsec Keypasco Digital Technology
