If you have problems using your Secure Connect passkey, start with the following suggestions.

For Students

Secure Connect passkeys are only available to faculty and staff. Students currently can't get a passkey through Beyond Identity at Cornell.

Passkeys Don't Work for VPN or Outlook/Office Online

At this time, VPN and services that use Microsoft Azure login (like Office online) will still require a password and two-step authentication. Most CUWebLogin services will work with your passkey.

• Basic Setup

  The situations described in this section are organized from "most common" to "least common". Please read through the complete list.

  First step: confirm that your device has a passkey

  Check that the device you're using has a passkey installed. Use the Beyond Identity self-service portal to view your list of passkeys and devices. Find the link to the self-service portal on Step 1 here. (Requires a login.)

  If needed, you can add another device to your Secure Connect account, or set one up for the first time on a Cornell-managed device, or on a personal device. (Requires a login.)

  Each device you want to use with one-touch login at Cornell needs to have its own passkey.

  My Windows Device is Slow to Authenticate

  This is a known issue that we are resolving with Beyond Identity.

  I had to reset my password and Secure Connect doesn't work (macOS)

  A password reset on a macOS device changes the account password without requiring the old password. This can cause the Secure Connect authentication process to break. Follow the steps on this page to fix your passkey on the affected device.

  My Biometric Device Isn't Working and I Can't Authenticate 

  Use a different browser to access the service. If all of your browsers are set to use passkeys, then open one of them in "incognito" or "private" mode to access the system with your NetID, password, and Duo login.

  Beyond Identity Isn't Working

  When you set up your passkey, you start using it with a specific browser. If you switch browsers, you need to check "Always Sign In with Passkey" on the new browser.

  

  Similarly, if you use a browser with different profiles (for example, "work" and "personal"), it can act like a completely new browser for passkey login. Switch to the profile that you use your passkey with to fix the problem. 

  If all of your browsers are set to use passkeys, you can open one of them in "incognito" or "private" mode to access the system with your NetID, password, and Duo login.

  Beyond Identity keeps asking for a computer password

  Every time you try to use CUWeb Login, you will see a prompt asking you to enter your device's password instead of your fingerprint. This happens if you cannot access a biometric device on Cornell-managed devices. 

  

  A few examples of when this occurs:

  • you use a laptop with the lid closed (e.g.: a docking station with attached monitor) AND your external keyboard does not have a fingerprint reader.
  • Any device with no Touch ID or Windows Hello hardware.
  • The device has Touch ID hardware, but no Touch ID fingerprints enrolled.

• Error Messages

  The error messages described in this section are organized from "most common" to "least common". Please read through the complete list.

  "Biometrics Prompt Was Canceled" Error

  If you accidentally cancel the "Touch ID or enter your password" prompt, you will see the following message in your task bar:

  

  And your web browser displays the following error:

  

  Dismiss the alert, go back to the service you wanted to access, and log in again.

  "Biometrics Prompt Was Canceled" Error (Windows Devices)

  Windows devices may see this prompt if "Automatically dismiss the lock screen if Windows recognizes your face" is disabled. Please make sure it is enabled:

  1. Open the Settings app on your device
  2. Select Accounts --> Sign-in Options 
  3. Open the Facial Recognition panel 

  4. Ensure that the option called Automatically dismiss the lock screen if Windows recognizes your face is checked.

     

  "Biometrics Prompt Timed Out" Error

  If you don't use the Touch ID or Windows Hello, or enter a password or PIN within two minutes, Beyond Identity will display this "timed out" error in your task bar.

  

  And show an error in your browser:

  

  Dismiss the Beyond Identity alert, go back to the service you wanted to access, and log in again.

  "Authentication Error"

  If Beyond Identity displays an authentication error, and you are a staff or faculty member, use a different browser to log in to the service you are trying to access. 

  If all of your browsers are set to use passkeys, then open one of them in "incognito" or "private" mode to access the system with your NetID, password, and Duo login.

  This problem should be temporary, but if it persists please contact the IT Service Desk to report it.

  Access Policy Violation Error

  Safari has a built-in privacy feature that allows individuals to block IP address tracking. This conflicts with a security checks that Secure Connect has in place. Beyond Identity will try to match Safari's IP address with the IP address that Beyond Identity sees on your internet connection. Both numbers should match in a legitimate login request.

  If Beyond Identity sees your IP address, but Safari shows a blank IP address, then Secure Connect assumes that a malicious third party is trying to access your account and will not allow you to log in.

  You can either use a different browser, or uncheck "Hide IP address from trackers" in Safari's preferences. To do this:

  • Under the Safari menu click Settings.
  • Click Privacy.
  • Uncheck Hide IP address from trackers. 

  

  Invalid Nonce Error

  Every once in a while when you try to log in with your passkey, you'll see an Invalid Nonce error. This happens due to a millisecond difference with your computer clock that automatically resolves itself. When you attempt to access the site again, your passkey should work properly.

  Stale Request Error

  When you attempt to log in you may see a CUWebLogin message saying "Stale Request."

  

  This usually happens when your login does not complete within a two-minute timeframe.

  Log in to your application from the beginning using your bookmark or by retyping the URL in the address bar. If this message persists, contact the IT Service Desk.

• Biometrics Problems

  Problems Setting Up Biometrics

  Please refer to the information on Set Up Biometrics on Your Device for steps, suggestions, links, and biometric-specific troubleshooting.

  I had to reset my Windows Hello PIN and Secure Connect doesn't work

  If you reset a forgotten PIN on a Windows device, this will delete all registered biometrics on that device. You do need to set up your biometrics again. However, you do not need to adjust anything with your passkey enrollment.

  I had to reset my password and Secure Connect doesn't work (macOS)

  A password reset on a macOS device changes the account password without requiring the old password. This can cause the Secure Connect authentication process to break. Follow the steps on this page to fix your passkey on the affected device.

  "Biometrics Prompt Was Canceled"

  If you accidentally cancel the "Touch ID or enter your password" prompt, you will see the following message in your task bar:

  

  And your web browser displays the following error:

  

  Dismiss the alert, go back to the service you wanted to access, and log in again.

  "Biometrics Prompt Was Canceled" (Windows)

  Windows devices may see this prompt if "Automatically dismiss the lock screen if Windows recognizes your face" is disabled. Please make sure it is enabled:

  • Open the Settings app on your device
  • Select Accounts --> Sign-in Options 
  • Open the Facial Recognition panel 

  • Ensure that the option called Automatically dismiss the lock screen if Windows recognizes your face is checked.

    

  "Biometrics Prompt Timed Out"

  If you don't use the Touch ID or Windows Hello, or enter a password or PIN within two minutes, Beyond Identity will display this "timed out" error in your task bar.

  

  And show an error in your browser:

  

  Dismiss the Beyond Identity alert, go back to the service you wanted to access, and log in again.

None of These Apply

If your problem persists, please contact the IT Service Desk for help.