Authentication with Passkey
A passkey lets users sign in to websites using the same method they use to unlock their mobile device, such as biometrics, a PIN, or a pattern.
Registering Passkeys
Make sure you have a device that supports passkey authentication. Currently, YubiKey, FIDO2-compatible tokens, Android devices (Android 9 or later) and iPhones running iOS 16 or later (iPhone X and later) support passkey authentication.
To register a passkey:
Log in to https://onlineservices.concordia.ab.ca with your account.
Navigate to My Account -> Change Password & MFA
Under the Multi-Factor Authentication section, select Hardware Key and Passkey from the “Please select your desired multi-factor authentication method” drop-down menu.
Click the Add Device button
Enter a Device Description and click Next
Click Next
A Windows Security dialog box pops up.
At this point the procedure is different for each type of device.
Registering a hardware token (video tutorial)
If you are registering a hardware token (i.e., a YubiKey or other FIDO2-compatible token):
Insert your hardware token, if you have not already done so
Choose “Security Key” and click Next in the Windows Security: Security key setup dialog box that shows up
Click OK and then follow the instructions in the dialog boxes
If your hardware token is not protected with a password, you will be asked to create a new PIN. NOTE: You are not limited to numbers when you create the PIN. It is more like a password with at least 6 characters.
If you have a protected key, you will be asked to enter the protection PIN for it.
Enter the protection PIN and click OK.
You will be asked to touch the key.
If at the end the browser asks for permission for extended information about your security key, click Allow.
Registering Passkey on iPhone and Android (video tutorial)
If you are registering an iPhone or Android phone:
Select iPhone, iPad, or Android device and click Next
A Windows Security dialog box with a QR code will pop up.
Scan the QR code with your phone.
Follow the prompts on your phone
You will see a confirmation message when the passkey has been saved to your phone.
Using Passkey to Login to CUE SSO
Once you have a registered passkey, you can use it to log in to any web service that uses CUE SSO.
On the CUE SSO page, click on the username field to enter your CUE email address and then type in your password.
The Windows Security dialog box pops up asking you to choose a passkey device.
Choose your device and follow the instructions.
Video Tutorial on how to use a passkey saved on your phone.
Video Tutorial on how to use a passkey saved on a hardware device (i.e., a YubiKey or other FIDO2-compatible token)
Passkey FAQ
Question: I have a passkey successfully registered on my computer, but I want to sign in to CUE SSO on my phone and the browser on my phone does not support passkey login (the tooltip does not pop up when I click on the username field). What should I do?
Answer: If the platform you are using does not support passkey login, you have to log in with your username and password. The passkey then becomes a second authentication factor that you will be asked for after your username and password are verified.
Question: When I log in with a passkey on my hardware token, I am prompted to choose from a list of multiple email addresses. What is going on and what do I do?
Answer: That may happen if passkeys are registered multiple times using the same hardware token. An example scenario would be if a registered passkey on the hardware token is removed from our key server and then re-registered. Removing the passkey from our key server does not remove the passkey from the hardware token. So, when another passkey is registered with the same username on the same hardware, there will be multiple passkeys on the device with the same username, but the old one will not work. To avoid this, reset the hardware token when the passkey on it is removed from the key server. WARNING: Resetting a hardware token removes everything on it, including the protection PIN.
Question: How do I reset my hardware token/key?
Answer: To reset all information on a hardware key, plug in your hardware token and follow these steps:
WARNING: Resetting a hardware token removes everything on it, including the protection PIN.
In the Windows search box, type Sign in options
Click on Sign in options
Click on Security key -> Manage
Touch your hardware token
Click on Reset
Click on Proceed
Unplug your hardware token
You will be prompted to reinsert your hardware key. Touch your security key twice within 10 seconds of the message.
A message indicating a successful reset of your hardware key will be displayed. Click on OK.
Question: Do passkeys persist across different phones?
Answer: Yes, passkeys are designed to sync and persist across different devices, including different phones. They are not tied to a single device like a password or traditional biometric authentication. Once a passkey is created and registered, it can be used on any of your devices that are linked for passkey authentication.
If you create a passkey on your old phone, it will be synced to your Apple ID or Google Account. When you get a new phone, you can use that passkey to sign in to your accounts on the new phone, provided the new phone is also linked to the same Apple ID or Google Account. As always, you will be prompted for your fingerprint, face unlock, PIN or pattern on the new phone to verify your identity.
Question: Should I sync my hardware key to my CUE account?
Answer: NO. Your authenticator key's unique secret is designed for local, secure storage. Do NOT attempt to 'sync' the key itself with your CUE account, as this can compromise its security or lead to loss of access. If you want to set up a form of backup access, set up either a phone-based authenticator app or another hardware key.