Cornell is adopting Secure Connect passkeys (biometrics) as a safer alternative to passwords. Instead of entering your NetID and two-step authentication, you can log in using fingerprint or facial recognition.
This helps reduce the risk of someone stealing data or changing your personal information on Cornell’s systems.
More information: Passkeys and Cybersecurity | IT@Cornell
Getting Started with Biometric Login
To get started, Windows Hello and Beyond Identity will need to be configured using the steps outlined below.
- Windows Hello: A built-in feature that allows staff to sign in to their Windows devices using facial recognition, fingerprints, or a PIN.
- Beyond Identity: The software app used by Cornell's Secure Connect to enable staff to log into Cornell sites, such as Workday.
Step 1: Set up biometrics within Windows Hello
- Press Start key on keyboard, or click on Start icon in lower left corner of Windows.
- Type in Sign
- In search results, click on 'Sign-In Options' (system settings)
- Under Ways to sign in, Windows will display your available hardware options under 'Facial Recognition' and 'Fingerprint recognition'.*
- Click the option you would like to set up, if available, and click on 'Set up' button.
- In Windows Hello setup window, click 'Get Started' and follow on-screen prompts to add biometrics.
- Fingerprint recognition: The fingerprint sensor is built into the laptop's power button (for any laptop bought after April 2023).
- For the fingerprint recognition setup, pick the finger you would like to use for authentication. Follow the on-screen prompts that will guide you through gently touching and lifting up your finger repeatedly on the fingerprint sensor. Windows will confirm when you have done this enough times that the finger is registered. Once complete, you have the option to set up an additional finger.
- If the fingerprint reader is built into the power button, do NOT press down on the power button.
- Facial recognition: If you have an IR webcam, it is highly recommended that you register this as an additional option. It tends to be less problematic than fingerprint login.
- If you have more than one IR webcam (laptop and monitor), select your preferred Hello camera in the drop-down menu.

- You will be prompted to set up a PIN when setting up biometrics for the first time on a new device.
Note: If you forget your PIN later, you will need to remove the PIN and re-register your biometrics.
- Enter your Cornell NetID password to authenticate and click OK.
- Type in your desired PIN.
- Click the checkbox if you would like to use a mix of numbers, letters and symbols.
- Length must be at least 6 characters.
- OPTIONAL - Return to step 4 to add in the other available biometrics option (an additional fingerprint).
- Sign out or restart your computer to test signing into Windows with biometrics.
*For staff with no biometric options available:
If both facial recognition and fingerprint show "This option is currently unavailable", your laptop and connected equipment do not have this capability. External USB fingerprint readers are available for around $25-$30.
If you have a 24" monitor with a built-in webcam, and Windows shows no available option for facial recognition setup, please contact IT support at https://westernhelpdesk.cce.cornell.edu/. Driver updates may need to be installed before it will function.
Step 2: Verify Beyond Identity app installed on computer
- Press Start key on keyboard or click on Start icon in lower left corner of Windows.
- Type in Beyond
- In search results, click on 'Beyond Identity' app
It may take a minute to load the app the first time. Be patient.
- At the Welcome screen, click 'Next'
- At the Set up your devices screen, click 'Enter setup code'
- STOP when you get to window where 9-digit passcode is needed and proceed to next steps below.
Note: If Beyond Identity is not installed, it can be downloaded from https://app.byndid.com/downloads.
Step 3: Go to Cornell's Beyond Identity website portal and register passkey
- Open the Beyond Identity Self-Service Portal in your browser.
Full URL is: user.byndid.com/auth-user/?org_id=cornell-prod
- Log in with your Cornell NetID and password (authenticate with Two-Step Login if prompted).
- Click the Register New Passkey button.
You will see "Registering your passkey. Do not close this tab."
- If another device's passkey is already registered, you will NOT see 'Register New Passkey' option.
You must use one of the already registered devices in the list to register a new device, OR delete all devices from the self-service portal.
- Open Beyond Identity on already registered device and click on Set up other devices
- Enter your Hello PIN to verify
- Enter the 9-digit code shown on screen on the new device
- Your browser may ask if you wish to allow Beyond Identity to be opened. Select always allow and open the application. This is required for the passkey to work correctly. (Your prompt may look slightly different.)

Step 4: Verify passkey enrollment in Beyond Identity app
If passkey enrollment is successful, the Beyond Identity app will show your newly created passkey.

- If app is no longer open, go through steps in Step 2 of this article to re-open Beyond Identity app in Windows.
- Verify a passkey is registered (see screenshot example above)
- Close the Beyond Identity window.
Step 5: Set up your browser to use Secure Connect
- Open browser and navigate to Workday or any other site that requires NetID login.
- At the CUWebLogin page, click on the new option "Log in with Passkey"

- NOTE: If you do NOT have biometrics built into your laptop, and your only registered options are using external monitor or fingerprint reader:
Do NOT select the checkbox to "Always log in with Passkey Automatically".
- Page will redirect to Beyond Identity's authentication site (https://app.byndid.com/) and prompt for biometrics login.
Step 6: Add Windows Hello as two-step authentication option
This step is strongly recommended so that you have a backup two-step authentication option registered with Cornell. Its primary use is when you need to register a new device: Windows Hello will allow you to authenticate to register that new device. More information about Cornell two-step: https://it.cornell.edu/twostep/get-started-two-step-login-quick-guide
- Log into https://twostep.netid.cornell.edu/ on your CCE computer.
- Click on Manage Devices
- Go through Cornell log in steps
- Click on the “Add a device” box

- Click on the “Windows Hello” option and follow instructions for setup.
Compatible Biometric Hardware
| Device Type | Feature | Notes |
| --- | --- | --- |
| Dell Laptop | Facial Recognition | Any CCE laptop purchased 2025 or after has built-in facial recognition on webcam. |
| Dell Laptop | Fingerprint Reader | Any CCE laptop purchased after July of 2023 has a Dell built-in fingerprint reader. |
| Dell Web Conferencing Monitor | Facial Recognition | Any Dell web conferencing monitor bought after 2018 has built-in facial recognition webcam. Note: If not recognized by Windows Hello, send in a helpdesk ticket for needed driver updates. |
| External USB | Fingerprint Reader | Associations can purchase external fingerprint readers. |
Adding and Removing Devices
NOTE: Passkeys are device-specific. A passkey registered on one device cannot be used to log into another device. A passkey works only on the device where it was created. Each device needs its own passkey.
Adding Additional Devices
On a device that already has a passkey:
- Open the Beyond Identity software.
- Click the "Set up other devices" button. This will prompt you for verification such as biometrics or your device password.
- You will now see a code presented that can be used to add a passkey on the target device.
On the target device that you wish to add a passkey:
- If not already done, ensure Beyond Identity software is installed.
- For non-CCE-managed devices, download and install the software directly from the vendor or via the app store on your mobile device.
- Open the Beyond Identity software.
- Follow the vendor's instructions for adding a passkey to your specific platform, or generally:
- Choose the option to add a passkey by clicking the plus sign icon.
- Enter the code provided on the original device or, for mobile devices, scan the QR code.
That's it. This device now has a passkey and can also be used to generate more passkeys.
Removing Old Devices
- Log into the Beyond Identity self-service portal.
- For each old passkey listed on this page, click the edit (pencil) icon under the Actions column.
- Choose the "Delete this passkey" option and confirm.
Transferring to a New Computer
When getting a new computer, for example as part of a regular device refresh cycle, you will want to transfer the passkey from the existing device to the new device.
Scenario 1: I have access to the existing device
- If you still have access to the existing device, or any device on which you currently have a passkey installed, follow the “Add additional devices” instructions found in this KB article.
- After the new computer is set up, follow the “Removing old devices” instructions found in this KB article to remove the old device from your account.
Scenario 2: I do not have access to the existing device
There are two options:
Option #1 - Attempt self-recovery
This option deletes all passkeys associated with your NetID and restarts enrollment from scratch.
- Follow the steps in the “Removing old devices” instructions found in this KB article to delete all listed passkeys from your account.
- Once all the passkeys are deleted you will be presented with the option to "Register new passkey". Follow the steps in the "Getting Started" instructions at the beginning of this article to start setup of the new device.
Option #2 - Contact IT support at https://westernhelpdesk.cce.cornell.edu
Known Issues
This section lists current issues that may impact functionality or user experience and could require troubleshooting or temporary workarounds.
Fingerprint Not Recognized
Internal fingerprint readers on Dell laptops work reliably with Windows but may cause issues with Beyond Identity and CUWebLogin. Beyond Identity tends to have more problems with fingerprint authentication than facial recognition.
Suggested Actions:
Laptop Lid Closed Error
Biometric login to CUWebLogin fails when the laptop lid is closed, even if external webcams and fingerprint readers are connected. The Beyond Identity app displays an error.
Workaround: Keep the laptop lid slightly open.
Biometrics Not Working - No Password Option on Cornell Site
If you select “Always Log in with Passkey Automatically” on the CUWebLogin page, the password login option will be removed. The site will automatically redirect to Secure Connect for biometric authentication.
Workaround:
If Secure Connect or biometric login fails, clear your browser cache to restore the password login option.
How to clear Edge browser cache for CUWebLogin: https://app.screencast.com/Z6RX0cgERseoz
- Within Edge, click on … in upper right corner, and select Settings
- In left menu, click on Cookies and site permissions
- OR navigate to: edge://settings/content
- Click on Manage and delete cookies and site data
- Click on See all cookies and site data
- In search field in upper right corner, type in cornell
- There may be many sites related to Cornell. Click the down arrow next to cornell.edu
- Under cornell.edu, scroll down to shibidp.cit.cornell.edu and click the Trash icon.
- Go to your Cornell site to log in with your password at the CUWebLogin page.
You will only have the option to sign in with a password.
The next time you open Edge and visit a CUWebLogin page, both options should appear again: Log in with Passkey, Log in with Password
More Information: Secure Connect Help | IT@Cornell