Photo of YubiKey 4 being inserted into laptop

Insert PAUSD logo here

Children at school by Lucélia Ribeiro

Introduction

Welcome to the pilot program for secure online identity. Palo Alto Unified School District is partnering with Yubico and the federal government to bring you this pilot. Yubico was awarded a grant to increase security and privacy among K-12 students and staff, and eventually parents, at Palo Alto Unified School District. This is the start of the pilot.

What is “two factor authentication?”

Two factor authentication means that you log in using a second factor — besides using a username and password, you use something you have. In this case, the something you have is a YubiKey.

What are YubiKeys?

A YubiKey is a small hardware device that gives you that  two-factor authentication with a simple touch of a button. While it is inserted into a USB port on your computer, it is not like a USB drive (where you can copy data onto it). They are also almost crush-proof, and waterproof (ask us about SCUBA diving, snow banks, and dogs!). While most YubiKeys can support multiple protocols, this pilot uses FIDO U2F, co-developed by Yubico and Google. The U2F-certified YubiKey is completely secure and is meant to protect your security and privacy.

What types of YubiKeys will I receive?

You will receive two YubiKeys, one to be used as your primary YubiKey and one to be used as a backup. The type of YubiKeys you receive depends on your role at the School District: if you are in IT, or if you are in technical ed, a teacher, or a student. These pictures tell the story:

YubiKey 4

This YubiKey has the y shape on the gold circle. Carry this YubiKey on a keychain.

This is the primary YubiKey for IT staff, technical ed, and teachers who are not using the YubiKey NEO. This will be the primary YubiKey for students. In addition, this will be the backup YubiKey for students. Two versions, that can be plugged into USB-A or USB-C ports.

YubiKey NEO

This YubiKey has the WiFi symbol on the gold circle. Carry this YubiKey on a keychain.

This will be the primary YubiKey for those IT staff, technical ed, and teachers who have Android phones and have requested this device. This YubiKey does not work with iPhones.

YubiKey 4 Nano

This smaller YubiKey fits inside of the USB port and is almost hidden. It is just like it’s larger sibling, the YubiKey 4, but it is not not intended to be inserted and removed often. Leave this YubiKey inserted in your laptop.

This will be the backup YubiKey for some IT staff and others who have requested it. Two versions, that can be plugged into USB-A or USB-C ports.


How Do I Use My New YubiKey?

You received your YubiKey — now what? The only thing that is changing is you need to insert the YubiKey and tap it — either the gold circle in the middle of the YubiKey, or the edge of the YubiKey (if you are using the smaller device). When you are using a District computer (your laptop, a Chromebook, a desktop computer) — whether you are at school, at your office, at home — you will log in using your username and password, and then tap the YubiKey. It’s just that simple.
Important Note: You must be using a recent version of the Chrome browser when you are using the YubiKey. Once you have logged in, you can continue to use the browser you need or want to use.
To use your YubiKey

  1. Turn on your computer.
  2. Launch your Chrome browser (if it is not already launched).
  3. Go to the Palo Alto USD portal page.
  4. Insert your YubiKey into a USB port.
  5. Type your username.
  6. Type your password.
  7. Click Login.
  8. When prompted, tap the blinking green light on the YubiKey.
    • For the larger YubiKey, this will be the green “circle” or the “WiFi” symbol on the YubiKey.
    • For the smaller YubiKey, this will be a little green light on the side of the YubiKey.
  9. That’s it! You are logged in to the PAUSD portal. You can now remove the YubiKey and store it.

TIP: Be sure you “tap the button like you mean it” (as hard, or a bit harder, than pressing a key on a keyboard).

That’s it! If you have questions, contact Technology Services by email at support@pausd.org, or by phone at (650) 833-4243.


Frequently Asked Questions

Do I need to keep the YubiKey inserted in my computer?

No! Once you have logged in with your username and password, and tapped the YubiKey, you can remove the device from the USB port. You do not need to leave it inserted. In fact, you have increased security and privacy if you remove the YubiKey when you are not using it.

Do I need to tap the YubiKey again when I unlock my computer?

No, if you have locked your computer, you just need to unlock your computer using your username and password.

The first time I insert my YubiKey, nothing happens!

You just received your YubiKey (you were just enrolled in the pilot), and it worked when you enrolled. But when back to your office or classroom and inserted the YubiKey into a USB port in your computer, nothing happens — you don’t get that blinking light to tap.

What is likely happening is that there is a “driver installation” dialog box that appears. It looks like this:

You do not need to install drivers. In fact, Technical Services has disabled the requirement for almost everyone’s systems to go out and look for updated drivers. If you were recently added to the pilot, you might not have been part of the disabling (it’s not an issue so don’t worry!). You can manually stop it. To do this:

  1. Locate the Driver Software Installation dialog box. It might be hidden behind another window.
  2. Click the blue link for Skip obtaining driver software from Windows update.
  3. Click Close.
  4. Remove your YubiKey.
  5. Reinsert your YubiKey.
  6. Return to the portal login page (assuming that is what you were doing), enter your username and password. Your YubiKey should begin to flash as expected.

My YubiKey is not working, help!

Use the following steps to troubleshoot your YubiKey.

In each of these steps, insert the YubiKey into a USB Port, open a text editor (such as Notepad) and press the button on the YubiKey.

  1. Use the YubiKey in a different USB port on the same computer.
  2. Use the YubiKey in a different computer.

If your YubiKey is still not working, contact Technical Services and include the following information:

  1. The output you see on the text editor.
  2. The behavior of the green LED, both when you insert the YubiKey and when you touch the button.
  3. The operating systems that were running on your computers.

How do I stop creating those strange characters when I tap my YubiKey by accident?

Those strange codes are actually a string that consists of the serial number of the YubiKey (the first 12 characters) as well as a one-time password.

When you keep your YubiKey inserted in the USB port (expecially the YubiKey 4 Nano, as it is intended), you may find that you can trigger OTP codes without meaning to, simply by brushing against the YubiKey. You can solve this issue using the following instructions.

For Microsoft Windows users:

  1. Using the YubiKey Personalization Tool, select Settings.
  2. Under the Extended Settings section, deselect the check box for Use fast triggering only if slot 1 is programmed.

You will need to touch the YubiKey for at least a half-second to emit an OTP. For an even longer wait time, consider moving the configuration to the second slot. (See Downloads to obtain the YubiKey Personalization Tool for Windows.)

For Mac OS X users:

  • To turn off your YubiKey automatically after a period of inactivity, use the taskbar application, YubiSwitch.

How do I disable the sound my YubiKey makes when I insert or remove it from my Windows computer?

That sound your computer makes when you insert your YubiKey (or remove it) can be really annoying. To stop that “binging” sound on a Microsoft Windows 7 computer:

  1. Go to the Control Panel (Windows + X > Control Panel).
  2. Click Sounds.
  3. Select the Sounds tab.
  4. Under Program events, search for the following events:
    • Device connect
    • Device Disconnect
  5. For each event, select the event and then click the arrow for Sounds.
  6. Scroll up the list of sounds until you find (None).
  7. Change both events, and then click OK.

Does the YubiKey use my fingerprint (is it biometric)?

No. The touch of your finger provides a small electrical charge that activates the YubiKey. You are just proving that you are a real human when you touch the YubiKey (rather than a robot!).

What happens if I lose my YubiKey?

That’s why you are receiving two YubiKeys — one is your primary, and one is your backup. We want to be sure you always have access to log in. If you lose your backup YubiKey, contact Technical Services (by email at support@pausd.org, or by phone at (650) 833-4243) immediately, so you can be issued a new YubiKey!

It is important to know that there is no personal information stored on the YubiKey. If you lose your YubiKey, there is no way anyone can identify that little device as belonging to you (unless, of course, you’ve labeled it). Even so, there won’t be a security issue because this is all about two-factor authentication — in order for an attacker (a hacker or any bad person) to get into your accounts or login as you, that person would also have to have your username and password plus your YubiKey.

Where to Go if You Have Additional Questions

Contact Technology Services — by email support@pausd.org or by phone (650) 833-4243 — if you:

  • have questions about this pilot project
  • lose your YubiKey and need a replacement
  • want to provide feedback (good or bad)

About the Pilot Project

Privacy

Privacy protections are built into the U2F-certified YubiKey, as there is no personally identifiable information stored on the device. If you lose the YubiKey, and someone finds it, that person would still need to know your username and password to gain access to your accounts. If you lose your YubiKey, you have your backup YubiKey you can use. If you lose both YubiKeys, contact Technology Services at support@pausd.org or (650) 833-4243.

Security

Logging in to any website with just your username and password is known to be one of the least secure methods of accessing your data. Adding a second factor — two factor authentication, with something you have, like the YubiKey — increases the security of your accounts. Using a U2F-certified YubiKey is even better, because it protects against phishing attacks. Find out more about FIDO U2F here.

Open Source

Yubico was founded with the intent to make the internet secure for everyone. Most of Yubico’s software applications are free and open source. One of the outcomes of this pilot is to provide an open source “identity toolkit” so that other school districts can benefit from everything we are learning and doing with all of you, the pilot participants, here at the School District of Janesville!

Open Standards

There are several open standards used in this pilot project. For example, FIDO U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers, or client software needed. Shibboleth is an open source, federated solution used to connect users to applications.