
Higher education identity gaps: why campus controls keep failing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7539
Topic starter  

TL;DR: Columbia University’s 2025 breach exposed 1.6 gigabytes of sensitive data from 2.5 million student applications, underscoring how weak identity verification, legacy MFA, and inherited vendor trust continue to make universities attractive targets, according to 1Kosmos. Identity-first security now matters because campus risk is being driven by who can authenticate, not just which systems can be reached.

NHIMG editorial — based on content published by 1Kosmos covering Columbia University’s breach and higher education identity security: Campus identity security gaps are putting student data at risk

By the numbers:

Questions worth separating out

Q: What fails when university identity proofing is too weak?

A: Weak proofing turns account recovery into an attacker entry point.

Q: Why do universities need phishing-resistant authentication for high-risk access?

A: Because conventional MFA still depends on credentials or prompts that attackers can intercept, fatigue, or replay.

Q: How do campus identity controls fail in distributed environments?

A: They fail when the institution trusts the network, the device, or the help desk more than the actual identity.

Practitioner guidance

  • Harden account recovery workflows: Replace knowledge-based reset steps with stronger proofing for staff, faculty, and students, especially for help-desk-initiated recovery.
  • Prioritise phishing-resistant authentication: Move privileged, registrar, finance, and research access to FIDO2 or equivalent phishing-resistant methods before expanding coverage to the wider campus.
  • Review third-party identity lifecycles: Map every vendor account with access to student, research, or administrative systems, then recertify and offboard those identities on a defined cadence.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The help desk verification pattern used to reduce password-reset abuse in university environments.
  • Step-by-step identity-first access controls for campus users, faculty, and third-party providers.
  • Operational guidance for integrating biometric verification and passwordless login into existing university systems.
  • Compliance considerations around FERPA, HIPAA, and federal identity assurance standards.

👉 Read 1Kosmos's analysis of the Columbia University breach and campus identity risk →
