In the first article in this two-part series, we explored the industry-wide move to a passwordless system. In this article, we’ll look at a future without passwords for UNC-Chapel Hill.
October is Cybersecurity Awareness Month. All month long, ITS News will highlight this year’s theme: See yourself in cyber. In this article, seeing yourself in cyber means understanding the cat and mouse game of cybersecurity and how you fit into it. To learn more about other ways to see yourself in cyber, visit Safe Computing at UNC.
ITS began piloting passwordless Onyen logins in Spring 2021 beginning with campus IT staff before expanding to a student pilot. Starting this week, all students can enroll in the Carolina Key passwordless login program.
Passwordless logins work by swapping your insecure and easily lost password with strong device-based authentication called a passkey. This means big changes to how you log in. Instead of being asked to type your Onyen password, you’ll be asked to provide your passkey.
Passkeys are cryptographic credentials you store on devices like smartphones, smartwatches, laptops and tablets. Using either a PIN, a physical security key, or the built-in biometric sensors on your device, like facial recognition or fingerprint scanning, you unlock your passkey and use it to answer the requesting site’s sign-in prompt.
Using your passkey is much more convenient than typing a password — and it’s more secure. With passkeys, your login credentials are stored on your device. They’re never sent to the site you’re logging in to. This means they can’t be stolen off a hacked server or intercepted in transit. Basically, you are more in control of your own credentials.
Why Carolina Key?
At UNC-Chapel Hill, strong security is essential. According to Mel Radcliffe, interim Chief Information Security Officer in the Information Security Office, Carolina is under constant threat from hackers and other bad actors.
Colleges and universities are valuable hunting grounds for hackers, criminals and even hostile foreign governments. Why? We store lots of valuable information, including credit card, bank account and payment data, health information and personally identifiable information that can be used for identity theft. We also conduct cutting-edge scientific and medical research that can be sold to the highest bidder. While all colleges and universities are under attack, the fact that UNC-Chapel Hill is internationally recognized as a leading research university makes us an especially large target.
Radcliffe said that phishing represents the largest threat to University systems because it targets what some consider the weakest point in our cybersecurity — us.
Passkeys like Carolina Key are virtually impervious to phishing attacks. Phishers try to steal passwords, but with passwordless logins, there’s no password to steal. With our devices as our logins and those logins protected with biometrics or PINs, hackers are shut out.
An early adopter
Passwordless logins have existed for years. For example, you may be using Face ID to verify a download from the App Store. But these passwordless logins haven’t been widespread or useful across multiple sites or operating systems.
Earlier this year, Google, Apple and Microsoft agreed to expand their support for passwordless logins and passkeys using an open standard known as FIDO2 (FIDO stands for Fast Identity Online). The expanded support will make it easier for you to register for and use passkeys.
While the industry announcement made news earlier this year for pushing passwordless logins into the mainstream, it was a concept already in the works at UNC-Chapel Hill. ITS began planning and development for passwordless logins at Carolina years ago and has been testing the Carolina Key since early 2021.
“There have been a few other universities that have deployed this earlier, but we’re definitely in the leading edge here,” said Celeste Copeland, IT Manager for ITS Identity Management. “Word has already gotten out to our colleagues,” she added. “There’s a lot of interest in what we’ve done.”
Teams across ITS have been involved in the development and rollout, including Identity Management, the Information Security Office and Project Portfolio & Change Management.
About Carolina Key
Developing Carolina Key has been a complicated project, requiring development of new processes to support more than just passwordless logins. Right now, Carolina Key works on services that use Single Sign-On, which means you will still need your password for Microsoft logins and a few other services across campus.
Because of the high level of security that passkeys provide, Carolina Key doesn’t just replace your password — it also replaces Duo 2-Step Verification when used with SSO. This means added convenience when you log in to Duo-protected services that also use SSO, like some parts of ConnectCarolina.
Carolina Key is available for Windows, Mac, iOS and Android devices. Register each of your devices that you regularly use to log in to UNC-Chapel Hill systems. Device registration is valid for one year and you can enroll new or unenroll old devices any time. If you leave your enrolled device at home, forget your PIN, or log in to a new machine, no problem. You can still log in with your password (and use Duo, if required).
Starting with students
Carolina Key will first be available to students, including employees with a student designation, before rolling out to the rest of the Carolina community sometime in Spring 2023.
Starting with students lays the groundwork for expanding access to everyone at Carolina.
“Before we can open up Carolina Key to all staff, faculty and affiliates, we will need to complete the deprovisioning process for Carolina Key,” said Copeland.
Deprovisioning is the process of programmatically removing access to systems after a user is no longer affiliated with the University. This happens after a student graduates or after an employee separates from employment.
“Students can go earlier because they have a longer grace period for deprovisioning the Onyen, so we have some time there,” Copeland said.
“We have to have some foundational components in place first, such as Microsoft Windows Hello for Business which is an additional prerequisite to deploy on a large scale,” added Alex Everett, Information Security Operations Manager with the ITS Information Security Office.
Students also tend to be early technology adopters, making them an easier group to start with. “Many students have the technology and use it on a daily basis for other applications, especially on their smartphones,” Everett said.
What you can do now
While Carolina Key isn’t yet available for Carolina faculty and staff, there are a few things you can do to get ready.
If you’re a Windows user, proactively set up Windows Hello for Business on a University-owned machine. You’ll be ready for Carolina Key when it’s your turn to enroll, and signing up now has a bonus: with Windows Hello for Business, you can skip typing your password and instead log in to your Windows machine using a PIN or fingerprint.
For other compatible systems like Mac, Android and iOS, setup is easy. If you have biometrics like facial or fingerprint recognition set up on the device, you’re ready for Carolina Key.
Prefer not to use biometrics but still want the increased security and convenience of passwordless logins? You have another option. You can purchase a FIDO-compliant security key from companies such as Yubico.
For more information and enrollment information, visit Carolina Key.