Overview

Introduction

SLAC is implementing Cardinal Key password-less authentication service.  This feature allows you to access websites without entering your username and password. The service relies on a unique certificate placed on your computer and uses the familiar Duo second-factor prompt. It is far more secure than simple username+password access since authentication is based on the combination of you and your specific machine.

Cardinal Key only works with websites that use your Stanford SUNet ID for authentication. Over time, many services you now access with your SLAC ID will accept your SUNet login instead and hence will work with SLAC Cardinal Key.  At the moment, these SUNet-authenticated services work with SLAC Cardinal Key, with many more planned:

• Zoom
• Google Docs
• axess.stanford.edu

How does it work?

The enrollment process places a certificate on your machine that is unique to the combination of you and your machine. When you access a Cardinal Key-aware service, the login process will look for the Cardinal Key certificate on your machine. If it finds one, it will initiate a Duo multi-factor prompt and let you into the services.

As a convenience, the SLAC Cardinal Key installation process also sets up EDUROAM access on your computer, which provides automatic access to WiFi when you visit Stanford or hundreds of other EDUROAM institutions.

SLAC Cardinal Key will initially support macOS and Windows.  iOS support is under development. We also want to support Android and Linux, but those are more challenging at present.

Cybersecurity Compliance

To participate in SLAC Cardinal Key, devices must meet some basic cybersecurity requirements.

• The device must be owned by SLAC and have the correct information in the Property Control database regarding custodian, location, etc.
• SLAC IT must actively manage the device
• The device must be running a current, supported version of its operating system
• Disk encryption is required
• Crowdstrike must be installed and active

In addition, your computer must have WiFi. 

If your machine doesn’t meet any of these requirements, you’ll be notified when you go to log into a Cardinal Key-aware service. You’ll then need to log in with your username and password - i.e., the old-fashioned, less secure way.  You should also open a ticket with the IT Service Desk, and relay the contents of the "Cardinal Key Status" failure message, so they can assist in remediating your machine.

How to Enroll

SLAC Cardinal Key is currently live and available for SLAC managed Windows and MAC pcs. 

• Shared and virtual machines are not supported
• Machines that are not centrally managed are not supported

Select one of the following links for steps on how to install SLAC Cardinal Key:

• Mac - Cardinal Key Setup
• Windows - Cardinal Key Setup

The Future of SLAC Cardinal Key

Password-less authentication offers more than convenience. It's a much more secure authentication method than username+password, providing a layer of defense against breaches leveraging credentials stolen via phishing. Also, cybercriminals and other adversaries have learned to subvert multi-factor authentication, often by tricking users. For these and other reasons, Stanford University now requires Cardinal Key authentication for critical IT services, including email access. SLAC will follow suit at some point.

In the summer of 2022, DOE's top priority for the national labs is to implement "zero-trust network access," an access management strategy that assesses the risk level of every requested connection in real-time. Decisions consider both the sensitivity of the requested resource and the requestor's cybersecurity posture. SLAC Cardinal Key is an integral part of SLAC's ZTNA strategy.

In SLAC's initial implementation, SLAC Cardinal Key is only available for SLAC-owned machines. However, the service will also be made available to personally owned devices at some point in the future, as is done at Stanford.

Read more

• Mac - Cardinal Key Setup
• Windows - Cardinal Key Setup