Carolina Key: Passwordless SSO Login

Carolina Key is a new feature of the UNC web-based single sign-on (SSO) that can utilize device-specific authentications such as fingerprint or face recognition. When used along with your Onyen, Carolina Key eliminates the need to use your password when logging into many web applications.

Here are some key benefits of Carolina Key:

  • Safety – your Carolina Key is resistant to one of society’s biggest digital risks: phishing
  • Speed – you can quickly sign on with a scan of your finger or face alone; no waiting for a two-step text or call
  • Mobile – Carolina Key is supported across both Android and Apple ecosystems. Passkey even allows for synchronization across all of your devices so that any of your devices can be used to sign on.
  • Simplicity – Reduces the need to manually create and enter complicated passwords
  • Privacy – if you choose to use a biometric, your device handles the biometric natively and Carolina Key is unaware of how your authentication was performed

 

How Does It Work?

When you use a Carolina Key, you can skip entering your password because you have set up a different authentication method. Supported authentication methods include a PIN or a biometric, such as a depth map of your face or your fingerprint. Use of biometrics is optional for anyone who wants to use this service. You can also use authentication methods that require a physical security key, like a YubiKey or FIDO (Fast Identity Online) key. Your personal information remains on your device and is not uploaded to the University. The authentication methods are only used to unlock local security information and to validate challenges from the SSO server.

The device you are working from determines the authentication methods available to you. Carolina Key uses a new technology called WebAuthn, which has varying levels of support for different combinations of operating systems and browsers. See the “Devices and Authentication Methods” section below to check whether your OS, browser, and authentication method are supported.
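The challenge validation described above, sketched in Node.js as an added example (it is not Carolina Key's or UNC's code). The origin `sso.example.edu`, the look-alike site name, and the software authenticator are assumptions made for illustration; a real authenticator would not offer the credential to another site at all, and the simulation signs anyway to show why the server rejects the result.

```javascript
const crypto = require("crypto");

// Assumed relying-party values; the page does not state the SSO server's origin.
const RP_ID = "sso.example.edu";
const ORIGIN = "https://" + RP_ID;
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Software stand-in for a device authenticator: the private key never leaves it.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // handed to the server once, at registration
    // The browser, not the web page, supplies `origin` and `rpId`.
    sign(challenge, origin, rpId) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
      const flagsAndCount = Buffer.from([0x05, 0, 0, 0, 1]); // UP|UV flags, signCount 1
      const authenticatorData = Buffer.concat([sha256(rpId), flagsAndCount]);
      const signature = crypto.sign("sha256",
        Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authenticatorData, signature };
    },
  };
}

// Server side: returns "ok" or the first check that failed.
function verifyAssertion(expectedChallenge, publicKey, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((a.authenticatorData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed scenario: a genuine login, a look-alike site, and a replayed response.
function demo() {
  const device = makeAuthenticator();
  const challenge = crypto.randomBytes(32);
  const good = device.sign(challenge, ORIGIN, RP_ID);
  const phish = device.sign(challenge, "https://login.phish.example", "login.phish.example");
  return {
    genuine: verifyAssertion(challenge, device.publicKey, good),
    phished: verifyAssertion(challenge, device.publicKey, phish),
    replayed: verifyAssertion(crypto.randomBytes(32), device.publicKey, good),
  };
}
```

Only the public key and signed responses reach the server; the PIN or biometric stays on the device and merely unlocks the private key.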

 

Devices and Authentication Methods

 

Windows 10

Windows 10 Hello for personal Windows-based computers

  • PIN
  • Facial Recognition
  • Fingerprint Scanner

Windows 10 Hello for Business for UNC-issued, Windows-based computers

  • PIN
  • Fingerprint Scanner
  • Facial Recognition (not enabled on UNC-issued computers)

USB Security Compliant Key

  • YubiKey (version 5)
  • FIDO compliant security key

Supported browsers

  • Firefox
  • Chrome and Edge (may have issues with Incognito mode)

macOS

Mac Laptops and Desktops

  • PIN
  • Facial Recognition
  • Fingerprint Scanner

USB Security Compliant Key

  • YubiKey (version 5)
  • FIDO compliant security key

Supported browsers

  • Chrome
  • Safari
  • Firefox (not supported)

Linux

USB Security Compliant Key

  • YubiKey (version 5), supported on Chrome

iOS

Apple iPhone and iPad

  • PIN
  • Facial Recognition
  • Fingerprint Scanner

Android Devices

  • PIN
  • Facial Recognition
  • Fingerprint Scanner

 

Enrollment

During this initial pilot period, the link to the registration site will be given to you by email. Clicking on the link will take you to the registration site. You will need to log in with your Onyen and password, plus use your Duo second factor to access the site.

 

Registering a Carolina Key

To register a new Carolina Key:

  1. Click the Begin Carolina Key Setup button and follow the instructions on the screen.
  2. A popup window will ask for a Device Nickname, and automatically populate with a best guess based on your system. This nickname can be used to identify this particular registration, if you have multiple keys registered.
  3. After the nickname is satisfactory, click on Save.
  4. The prompts that come up after this will be specific to your machine, browser, and the authentication methods you have available.

 

Registration errors

Because WebAuthn is a newer technology, it has varying levels of support inside each browser. It is best supported on newer operating systems and mobile devices, and with the latest version of Chrome, Safari, or Firefox. If there are no authenticators available to use, or if Carolina Key isn’t supported on your machine or browser, you may see an error message, or you may see a prompt to “touch your security key” when you don’t have a YubiKey plugged into your machine. You can try to use a different browser, but if you get the same result it may mean that Carolina Key isn’t supported on your device.

 

Managing Your Keys

If you have existing keys registered, you will see a list of them at the bottom of the page. Each key can be renamed or deleted. Once a key is deleted, it will no longer be available for login.

 

Logging In

During this special pilot testing period, the Carolina Key option will not be initially visible on the Single Sign-On login page. Only after entering your Onyen will the system be able to identify that you have keys registered, and present the option for a passwordless login.

  1. Type your Onyen, then press Enter.
  2. Click on the Carolina Key (Passwordless) Login button.
  3. Authenticate with your Carolina Key. The authentication popup window should look similar to when you registered a key for the same device you log in from. If you have more than one Carolina Key set up, you may see an option to view more choices for authentication.

If authentication was successful, the SSO login page will go away. If your application does not require multi-factor authentication (MFA), you should now be logged in. If the application does require MFA, you will need to authenticate on the Duo form first.

 

Frequently Asked Questions

Q: What is Carolina Key?

A: Carolina Key is a new feature of the UNC web-based single sign-on (SSO) that can utilize device-specific authentications such as fingerprint or face recognition. Carolina Key uses a new technology called WebAuthn, which is a standard that lets browsers use an operating system’s authentication methods.

 

Q: Does this mean I won’t need to have a UNC password anymore?

A: You will still need to use your password for applications that don’t use the UNC SSO page. The most commonly used systems like this are Office 365 web applications. You will also need your password if you are using the SSO page from a device you have not registered a Carolina Key with. Registered keys are associated with a particular machine.

 

Q: If I don’t want to log in with Carolina Key, can I still use my password?

A: Yes, Carolina Key is optional. You can still use your password if you want to.

 

Q: What is an authentication method?

A: An authentication method is the way you authenticate your login. The device you are working from determines the authentication methods that are available to you. To see accepted devices and their authentication method companions, see the Devices and Authentication Methods section above.

 

Q: Does UNC provide security keys like a YubiKey?

A: At this time UNC doesn’t provide authentication devices such as security keys.

 

Q: How long does my authentication method last?

A: With the Carolina Key policies currently in place, each registration will last a year, after which time you will be asked to renew your authentication method.

 

Q: Can I register a key on one machine or mobile device, and log in from another device? 

A: Yes. This is called PassKey, a cloud synchronizing technology offered by both Google and Apple that allows you to use Carolina Key across all your devices when using an iCloud or a Google account. You should not use PassKey if you share devices.

 

Q: What if my Carolina Key is a security key and I don't have it with me when I go to log in?

A: No problem! You can still use your UNC password to log in.

 

Q: Are there any additional precautions to take when using Carolina Key? 

A: While Carolina Key is much more secure than a password, there are some threats to consider. Thieves are increasingly interested in what your device has access to, so be careful about entering your device PIN around others or leaving your device unlocked in a public setting. If your device is stolen, be sure to make a police report and consider your passwords and Carolina Key at risk. Lastly, if you use PassKey, make sure to use a strong password and multi-factor authentication to protect your iCloud or Google account. Additionally, make sure to have a display auto-lock or device lock enabled so that all of your devices are locked when not in use.