Palo Alto Unified School District and YubiKey Pilot
The Palo Alto Unified School District (PAUSD) is excited to announce that it has partnered with Yubico to enable secure access to educational and operational district resources for PAUSD’s staff and parents. This pilot program is an initiative of the National Institutes of Standards and Technology (NIST) and Yubico, which was awarded a grant to work with national organizations to increase security and privacy while maintaining simplicity in deployment.
Why is PAUSD partnering on this project?
The Palo Alto Unified School District places great value on the digital security of its students, staff, and parents/guardians. In October 2017, we began working with Yubico in a pilot project designed to increase security and privacy. Since that time, we have successfully deployed two factor authentication to a majority of our school and district staff.
While securing access using two factor authentication is mandatory for district staff, it is optional but highly encouraged for parents and guardians.
Parents and guardians may log in to their account on the ID portal using only a username and password. However, we encourage all parents and guardians to opt-in to stronger authentication to secure your access to the PAUSD online services.
What is “two-factor authentication”?
Two-factor (or second factor) authentication means that you log in to your account using a second factor — besides using a username and password, you use something you have. In this case, the something you have is a YubiKey.
How to opt-in to stronger authentication (when initializing Annual Data Update)
- Once you’ve logged into the id.pausd.org portal, navigate to Infinite Campus
- On the sidebar, select “Online Registration” to begin the ADU process
- Under the Parent menu in the Account Security section you will be asked if you’d like to opt in or opt out of stronger authentication
- If you select yes, you will be asked to select the USB port that you will use for the authentication key, either USB A or USB C
- You will receive an email verification of your opt in decision, instructions for how to register your keys, recommended browsers, and any other information to assist you with this process
- Within 5-10 days you will receive two YubiKeys in the mail
- When you receive the keys, you will log in and register your keys.
What are YubiKeys?
A YubiKey is a small hardware device that gives you two-factor authentication with a simple touch of a button. Yubikeys are crush-resistant and waterproof. While most YubiKeys can support multiple protocols, this pilot uses FIDO U2F, a technology standard co-developed by Yubico and Google. The U2F-certified YubiKey is designed to protect your security and privacy.
The YubiKey enables strong authentication across leading mobile platforms across Android, Windows 10 and iOS* smartphones and tablets.
To register your new YubiKeys
- Log into id.pausd.org
- In the top center of the page click on “Try our new look”
- Under your username menu, select profile settings
- Choose edit profile
- Under two factor authentication select enabled
- Save your progress
- Once you have enabled stronger authentication, you will go to your username menu and select manage YubiKeys
- At the bottom right of that window, select add device and follow the prompts to register one of your keys.
- Repeat step 8 (or 7 and 8) to register your second key.
- You’re done! The next time you login, after you submit your username and password, you will be asked to login using a 2nd factor, which will be either the key you’ve registered or a one time code from Google Authenticator.
*In order for the YubiKey to secure mobile apps on iOS, an organization needs to integrate with the Yubico Mobile iOS SDK. Support is currently limited at this time.
What types of YubiKeys will I receive?
You will receive two YubiKeys, one to be used as your primary YubiKey and one to be used as a backup. The type of YubiKeys you receive depends on your role in the School District: IT, technical educator, teacher, or parent/guardian. Here are images and descriptions of the YubiKeys for this project.
YubiKey 5 Series
This is the primary YubiKey for PAUSD parents and guardians who choose to opt in to a stronger authentication experience when accessing online district resources. There are two versions of this key that can be used with a USB-A or USB-C port.
This is the primary YubiKey for IT staff, technical educators, and teachers who are not using the YubiKey NEO. There are two versions of this key that can be plugged into USB-A or USB-C ports.
This is the primary YubiKey for those IT staff, technical educators, and teachers who have Android phones and have requested this device. This YubiKey does not work with iPhones.
How Do I Use My New YubiKey?
You received your YubiKey — now what? Once you have registered your key, the only thing that changes is that you need to insert the YubiKey and tap it — either the gold circle in the middle of the YubiKey, the gold contacts, or the edge of the YubiKey (if you are using the smaller device, the Nano). When you are using a computer (your laptop, a Chromebook, a desktop computer) — whether you are at school, at your office, or at home — you will log in using your username and password, and then tap the YubiKey. It’s just that simple.
Important Note: You must be using a recent version of the Chrome browser when you log in to services using the YubiKey. Once you have logged in, you can continue to use the browser you need or want to use.
You may also use the Firefox browser for login but you must first enable U2F. Instructions can be found here.
To use your YubiKey (you must have already registered the key with your account on the PAUSD portal):
- Turn on your computer.
- Launch your Chrome browser (if it is not already launched).
- Go to the ID portal page
- Type your username and click Login
- Type your password and click Login
- Click Login.
- Insert your YubiKey into a USB port.
- When prompted, tap the blinking green light on the YubiKey.
- For the larger YubiKey (keychain model), this will be the green “circle” or the “WiFi” symbol on the YubiKey.
- For the smaller YubiKey (nano), this will be a little green light on the side of the YubiKey or the gold contacts for the USB-C connector [For PAUSD staff only]
- That’s it! You are logged in to the PAUSD portal. You can now remove the YubiKey and store it.
TIP: Tap the key just slightly lighter than you would tap the home ‘button’ on your smartphone. You should see a recognition action on the screen
That’s it! If you have questions, contact Technology Services by email at email@example.com, or by phone at (650) 833-4243.
FAQs about the PAUSD pilot project
Q: When will I need to use the YubiKey to access PAUSD resources?
A: Anytime you log in to the id.pausd.org portal
Q: What happens if I forget the password to the ID portal?
A: You will need to request a password reset. To do this, from the landing page (id.pausd.org), select Need Help and then Forgot my Password and follow the prompts.
Q: I would like to opt-in in person, what do I do next?
A: Visit the PAUSD technical staff at the district office.
Q: What happens if I elect not to use the YubiKey?
A: You will still be able to access all PAUSD online resources as you have done before, with the only change being that you only need to log in once for both Schoology and Infinite Campus. The YubiKey offers a stronger and more secure authentication experience.
FAQs about the YubiKey
Q: Do I need to keep the YubiKey inserted in my computer?
A: No. Once you have logged in with your username and password, and tapped the YubiKey, you can remove the device from the USB port. You do not need to leave it inserted. In fact, you have increased security and privacy if you remove the YubiKey when you are not using it.
Q: Do I need to tap the YubiKey again when I unlock my computer?
A: No, the YubiKey does not affect the normal working functions of your computer, so if your computer is locked, you only need to do the same things to unlock as if you didn’t have a YubiKey.
Q: The first time I insert my YubiKey, nothing happens!
A: You just received your YubiKey (you were just enrolled in the pilot), and it worked when you enrolled. But when you are back in your office, classroom, or home and insert the YubiKey into a USB port in your computer, nothing happens — you don’t get that blinking light to tap.
What is likely happening is that there is a “driver installation” dialog box that appears.
You do not need to install drivers. In fact, technical services has disabled the requirement for almost everyone’s systems to go out and look for updated drivers. If you were recently added to the pilot, you might not have been part of the disabling (it’s not an issue so don’t worry!). You can manually stop it. To do this:
- Locate the Driver Software Installation dialog box. It might be hidden behind another window.
- Click the blue link for Skip obtaining driver software from Windows update.
- Click Close.
- Remove your YubiKey.
- Reinsert your YubiKey.
- Return to the portal login page (assuming that is what you were doing), enter your username and password. Your YubiKey should begin to flash as expected.
Q: How do I stop creating those strange characters when I tap my YubiKey by accident?
A: Those strange codes are actually a string that consists of the serial number of the YubiKey (the first 12 characters) as well as a one-time password.
When you keep your YubiKey inserted in the USB port (especially the YubiKey Nano, as it is intended), you may find that you can trigger the output of OTP (one time password) codes without meaning to, simply by brushing against the YubiKey. You can solve this issue using the instructions in this link.
Q: How do I disable the sound my YubiKey makes when I insert or remove it from my Windows computer?
A: That sound your computer makes when you insert your YubiKey (or remove it) can be annoying. To stop that “binging” sound on a Microsoft Windows computer:
- If you are using a YubiKey NEO on Windows, you may experience Windows playing the USB disconnect/reconnect notification sounds. This is caused by the NEO disconnecting and reconnecting the smart card so that it can switch to the OTP and FIDO modes. If you want to prevent this, you can disable the connection modes you do not use (EG: CCID) or disable the notification sound in the Windows settings.
Q: Does the YubiKey use my fingerprint (is it biometric)?
A: The YubiKey does not make use of your fingerprint.The touch of your finger provides a small electrical charge that activates the YubiKey. You are just proving that you are a real human when you touch the YubiKey, rather than a remote hacker.
Q: What happens if I lose my YubiKey?
A: That’s why you are receiving two YubiKeys — one is your primary, and one is your backup. We want to be sure you are always able to securely log in. If you lose your backup YubiKey, contact Technical Services (by email at firstname.lastname@example.org, or by phone at (650) 833-4243) for help.
It is important to know that there is no personal information stored on the YubiKey. If you lose your YubiKey, no one can identify that little device as belonging to you (unless, of course, you’ve labeled it). Even so, there won’t be a security issue because this is all about two-factor authentication — in order for a remote attacker (a hacker or any bad person) to get into your accounts or login as you, that person would also have to have your username and password plus your YubiKey.
Q: The YubiKey is awesome! Where else can I use it other than on the PAUSD.org site?
A: Great question and we are so glad you like your experience with the YubiKey! Here are all the online services where you can use the YubiKey to secure your accounts.
About the Pilot Project
Privacy protections are built into the U2F-certified YubiKey, as there is no personally identifiable information stored on the device. If you lose the YubiKey, and someone finds it, that person would still need to know your username and password to gain access to your accounts. If you lose your YubiKey, you have your backup YubiKey you can use. If you lose both YubiKeys, contact PAUSD Technology Services at email@example.com or (650) 833-4243.
Logging in to any website with just your username and password is known to be one of the least secure methods of accessing your data. Adding a second factor — two factor authentication, with something you have, like the YubiKey — increases the security of your accounts. Using a U2F-certified YubiKey is even better, because it protects against phishing attacks. Find out more about FIDO U2F here.
Yubico was founded with the intent to make the internet secure for everyone. Most of Yubico’s software applications are free and open source. One of the outcomes of this pilot is to provide an open source “identity toolkit” so that other school districts can benefit from everything we are learning and doing with all of you, the pilot participants, here at the Palo Alto Unified School District
There are several open standards such as FIDO U2F and Shibboleth used in this pilot project. FIDO U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed. Shibboleth is an open source, federated solution used to connect users to applications.