How to secure a school portal login

How to secure a school portal login

Keeping your school’s KiddyCash account secure is more than just a strong password — it’s about layering protections so that even if one safeguard is bypassed, others hold. Whether you’re managing a single-campus school in Nairobi or coordinating multiple branches across counties, these steps help you stay in control of who accesses your school’s data, student wallets, and financial records.

Step-by-step: Strengthen your school portal security

1. Set up security questions

Security questions act as a recovery layer if your primary login is ever compromised. Go directly to your security settings and choose questions that are specific enough to be hard to guess but memorable enough that you won’t need to look them up. Avoid publicly available answers — things like your school’s founding year or its town are easy to find online.

Pick at least two questions and store the answers somewhere offline, especially if multiple administrators share account access.

2. Review and rotate your account PIN regularly

Your PIN is a fast-access credential used across the platform — for approving transactions, confirming allowance disbursements, and authorizing KES payouts via M-Pesa. Because it’s used frequently, it’s also the most likely to be exposed.

Follow the steps in how to change your account PIN to rotate it every school term. Don’t reuse PINs across terms, and never share your PIN with support staff — KiddyCash will never ask for it.

3. Know how to recover a lost PIN without panic

If a PIN gets lost mid-term — common when staff changes happen — you don’t need to lock down the whole account. Use the PIN reset guide to walk through the recovery flow quickly. Having your security questions already set up (step 1) makes this process significantly faster.

4. Audit who has admin access

More admins means more exposure. Go to your school’s user management section and review which staff members have full administrative rights versus limited access. Restrict permissions to the minimum needed — a bursar doesn’t need the same access as the principal. Remove accounts for staff who have left the school immediately.

5. Monitor transaction activity regularly

Check your transaction logs at least weekly. Unusual activity — like allowance reversals, unexpected wallet top-ups, or unrecognized transaction codes — can signal unauthorized access before it escalates. If you’re on a subscription plan that includes advanced reporting, use it. For context on what your subscription tier covers, see what’s new in subscriptions in KiddyCash and a closer look at subscriptions in KiddyCash.

6. Use a dedicated device or browser profile for portal access

Avoid logging into the schools portal on shared devices or personal phones that students or other staff routinely use. If you must use a shared machine, always log out fully rather than just closing the browser tab — cached sessions are a common overlooked vulnerability.

7. Enable login notifications

If your account supports login alerts, turn them on. You’ll receive a notification whenever a new session is started, giving you an early warning if someone else is accessing your school’s portal without your knowledge.

A note on KYB and account integrity

Your school went through a KYB (Know Your Business) process to get verified on KiddyCash. Keep the registered contact details — including the primary email and phone number tied to M-Pesa — current and accurate. Outdated contact information is one of the most common reasons administrators get locked out and struggle to recover access.

Related articles

• /kb/how-to-change-your-account-pin
• /kb/how-to-reset-a-lost-pin
• /blog/what-s-new-in-subscriptions-in-kiddycash
• /blog/a-closer-look-at-subscriptions-in-kiddycash