Join InCommon

Duke Unlock: One-step Multi-factor

Passwordless Authentication with Shibboleth and WebAuthn

Passwordless Authentication with Shibboleth and WebAuthn

By Mary McKee and Shilen Patel (both of Duke University)

(Note: This is the second in a series of blog posts highlighting key sessions at this year’s Technology Exchange (TechEx), December 9-13, 2019, in New Orleans).

Multi-factor doesn’t have to mean multi-step.
 
Duke Unlock lets you access your Duke account as easily as you unlock your phone. Unlike current multi-step login methods, Duke Unlock opens the door to enhanced convenience while retaining credential security by using your trusted device’s native capabilities in place of a password and secondary verification process.
 
Based on the W3C’s Web Authentication (WebAuthn) specification and integrated with Shibboleth, Duke Unlock started with the observation that passwords weren’t carrying their weight on account protections.  The service allows you to register (“unlock”) trusted devices to verify your identity.
 
Students, staff, faculty, and affiliates across Duke are trialing Unlock for production access to services, and we plan to share the results of our pilot during a session at the 2019 Technology Exchange, December 9-13, 2019, in New Orleans.
 
We’ll begin this session with an overview of the technology and drivers behind Duke Unlock, progressing through iterations of the service and how usability research (and unexpected challenges) shaped the features and targets of each phase up to present day.  From there, we’ll discuss how Unlock fits into security policies and share our plans for formalizing the service as a mainstream offering.
 
It’s not every day that we have a chance to do something that makes everyday campus life secure and convenient.  Please join us for an interactive conversation about how we can streamline and secure login across the R&E community.  We look forward to talking with you!