Passwordless Authentication
Overview
Now that the University’s transition to Okta for identity verification is complete, we’re moving to the next phase of our efforts to protect Harvard against a nationwide rise in cyberattacks targeting higher education: requiring “passwordless” authentication for all Harvard staff.
Passwordless authentication with Okta means you verify your identity with your fingerprint, facial recognition, or device-specific PIN, keeping your HarvardKey account much more secure than using a traditional password.
To use passwordless authentication, you need to set it up on all the devices that you use to access HarvardKey-protected resources.
Didn’t I already enable passwordless when I switched to Okta?
Although many people at the University did enable passwordless authentication during the transition to Okta, it was not automatic and it requires additional steps. You can check whether you have passwordless authentication enabled on your devices at this link.
What do I need to do?
If you haven’t yet enabled passwordless authentication, or if you need to set it up on additional devices, you can get started now by following the quick-start instructions below.
HUIT will also contact all remaining staff over the next few months to make sure everyone is able to set up passwordless authentication.
Quick-start instructions
First: Start with your primary mobile device
- Open the Okta Verify app on your mobile device.
- Select your account.
- In the Account Details screen, under Security toggle on:
- Android: Screen lock confirmation or biometrics (fingerprint or face unlock)
- Apple (iOS): Face ID or Passcode Confirmation
- Verify your identity when prompted.
- The next time you sign into a HarvardKey-protected resource on this device, select Okta Verify > Use Okta FastPass to sign in with a passwordless authentication method.
Next: Set up additional devices
After you’ve set up your primary mobile device, you need to enable passwordless authentication on all other devices that you use to sign into HarvardKey.
Start with these steps:
- Make sure you have your primary mobile device with you
- Download and install the Okta Verify app on your additional device, if you haven't already
- Enable Bluetooth on both your primary device and your additional device
- On your primary mobile device, open Okta Verify, select your account, and tap Add account to another device
- Then, follow the specific steps listed below for each additional device that you have
Mac (Touch ID)
- On the Mac, turn on Touch ID & Password in your device settings.
- On your primary mobile device, tap Add account to another device and keep the QR code visible.
- On your Mac, open Okta Verify from the top menu bar and click Add account, then pair by scanning the QR code or entering the pairing code.
- When prompted, enable Touch ID and verify your identity.
- When signing in, select Okta Verify > Use Okta FastPass.
Windows (Windows Hello)
- Turn on Windows Hello (PIN, face, or fingerprint) in your device settings.
- On your Windows computer, open Okta Verify and click Add account, then pair your devices.
- Enable Windows Hello in Okta Verify and complete verification.
- When signing in, select Okta Verify > Use Okta FastPass.
Additional iPhone or iPad
- On the new Apple device, open Okta Verify.
- Tap + > Organization > Add account from another device, then scan the QR code.
- Enable Face ID or passcode confirmation and allow notifications.
- Sign in using Okta Verify > Use Okta FastPass.
Additional Android device
- On the new Android device, open Okta Verify.
- Tap Add account from another device and scan the QR code.
- Enable screen lock or biometrics and allow notifications.
- Sign in using Okta Verify > Use Okta FastPass.
Learn more: What is passwordless authentication?
Traditional multifactor (or "two-step") authentication methods such as push notifications, phone calls, or SMS messages still start with a password, which can be guessed, phished, or stolen from a breached or spoofed website. Passwordless authentication replaces the password with either:
- Your fingerprint or facial recognition (also known as "biometrics"), checked by your device's built-in authenticator (e.g. Windows Hello, Touch ID, Face ID). Your biometric data never leaves the device; it only unlocks a credential stored there, so there is nothing to guess, phish, or share.
- A device-specific PIN or passcode. The PIN is never sent over the network; it only unlocks the credential on the device where it was set up, so even if it is guessed, it is useless without physical possession of that device.
In addition to significantly improving security, passwordless authentication makes signing in to HarvardKey faster and easier by verifying your identity directly on your device.
How does it work?
Passwordless login uses a secure digital credential called a passkey, which is linked to your HarvardKey account.
When you sign in, your device verifies your identity using a fingerprint, face scan, or device PIN. This biometric information stays on your device and is never shared with Harvard or Okta.
After your identity is verified, your device uses the passkey stored on it to securely confirm that you are the account owner, allowing you to sign in without entering a password.
1. Confirm it's you
Using your device's built-in security mechanism (e.g., Touch ID, Face ID, Windows Hello, or a device-specific PIN). This check happens entirely on the device.
2. Your device unlocks a private key.
The private key for your HarvardKey account is stored only on this device and is released for a single sign-in; Harvard and Okta hold only the matching public key.
3. Instantly sign in to HarvardKey.
The private key signs a fresh challenge from Okta, and Okta checks the signature with the public key it holds. Nothing reusable, such as a password, is ever typed or sent.
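The three steps above are the standard public-key challenge-response pattern. The following Go program is an added illustration of that pattern, not code from Harvard, HUIT or Okta, and it simplifies how Okta FastPass actually exchanges messages: the device holds the private key, the server holds only the public key and a single-use challenge, and the device signs only after a local user-verification gesture. The account name, the origins and the scenario are constructed for the example. It also shows two properties the text relies on: a signature produced for a look-alike site is rejected by the real one, and a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for the phone or laptop running the authenticator app.
// The private key exists only here (on real hardware, inside the Secure
// Enclave or TPM) and is released for exactly one signature after a local
// verification gesture (Touch ID, Face ID, Windows Hello or the device PIN).
type Device struct {
	Name         string
	priv         ed25519.PrivateKey
	userVerified bool
}

// Server stands in for the identity provider. It stores public keys only,
// plus the outstanding challenge for each account.
type Server struct {
	Origin  string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll is the one-time setup: the device generates a key pair and
// registers only the public half. Nothing secret leaves the device.
func Enroll(account string, d *Device, s *Server) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.priv = priv
	s.pubKeys[account] = pub
	return nil
}

// assertionMessage binds the signature to the origin the device believes it
// is talking to and to the fresh challenge. A signature made for a
// look-alike origin therefore cannot be redeemed at the genuine one.
func assertionMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// IssueChallenge starts a sign-in with a random, single-use 32-byte nonce.
func (s *Server) IssueChallenge(account string) ([]byte, error) {
	if _, ok := s.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[account] = c
	return c, nil
}

// VerifyUser models the local biometric or PIN prompt succeeding.
func (d *Device) VerifyUser() { d.userVerified = true }

// Sign is the "device unlocks a private key" step: refused without a
// verification gesture, and one gesture authorizes one signature only.
func (d *Device) Sign(origin string, challenge []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, errors.New("device not enrolled")
	}
	if !d.userVerified {
		return nil, errors.New("user verification required")
	}
	d.userVerified = false
	return ed25519.Sign(d.priv, assertionMessage(origin, challenge)), nil
}

// Verify completes the sign-in. The server uses its own origin, never one
// supplied by the client, and consumes the challenge on every attempt so a
// captured signature cannot be presented twice.
func (s *Server) Verify(account string, sig []byte) bool {
	challenge, ok := s.pending[account]
	delete(s.pending, account)
	if !ok {
		return false
	}
	return ed25519.Verify(s.pubKeys[account], assertionMessage(s.Origin, challenge), sig)
}

// RunScenario runs a genuine sign-in, a phishing proxy relaying a real
// challenge from a look-alike origin, and a replay of a used signature.
func RunScenario() (genuine, phished, replayed bool, err error) {
	srv := NewServer("https://key.harvard.edu") // constructed origin for the example
	phone := &Device{Name: "primary mobile device"}
	const account = "alice" // constructed account
	if err = Enroll(account, phone, srv); err != nil {
		return
	}
	c1, _ := srv.IssueChallenge(account) // 1. genuine sign-in
	phone.VerifyUser()
	sig1, _ := phone.Sign(srv.Origin, c1)
	genuine = srv.Verify(account, sig1)

	c2, _ := srv.IssueChallenge(account) // 2. real challenge relayed by a phishing site
	phone.VerifyUser()
	sig2, _ := phone.Sign("https://key-harvard.example", c2) // constructed look-alike origin
	phished = srv.Verify(account, sig2)

	_, _ = srv.IssueChallenge(account) // 3. fresh challenge, old signature replayed
	replayed = srv.Verify(account, sig1)
	return
}

func main() {
	genuine, phished, replayed, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, phished accepted: %v, replayed accepted: %v\n", genuine, phished, replayed)
}
```

The deliberate design points are that the server never trusts an origin sent by the client, that every challenge is deleted the moment it is checked, and that the private key is only ever used to sign, so a compromised server database yields public keys that are useless to an attacker.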