Western - Set Up Secure Connect - Biometric Login

Step 1:  Set up biometrics within Windows Hello

1. Press Start key on keyboard, or click on Start icon in lower left corner of Windows.
2. Type in Sign
3. In search results, click on 'Sign-In Options' (system settings)
4. Under Ways to sign in, Windows will display your available hardware options under 'Facial Recognition' and 'Fingerprint recognition'.*
5. Click the option you would like to set up, if available, and click on 'Set up' button.
6. In Windows Hello setup window, click 'Get Started' and follow on-screen prompts to add biometrics.
   • Fingerprint recognition:  The fingerprint sensor is built into the laptop's power button (for any laptop bought after April 2023).
     • For the fingerprint recognition setup, pick the finger you would like to use for authentication.  Follow the on-screen prompts that will guide you through gently touching and lifting up your finger repeatedly on the fingerprint sensor. Windows will confirm when you have done this enough times that the finger is registered.  Once complete, you have the option to set up an additional finger.
       • If built-in fingerprint reader, do NOT press down on power button.
   1. Facial recognition: If you have an IR webcam, it is highly recommended that you register this as an additional option.  It tends to be less problematic than fingerprint login.
      • If you have more than one IR webcam (laptop and monitor), select your preferred Hello camera in the drop-down menu.

7. You will be prompted to set up a pin when setting up biometrics for the first time on a new device. 
   Note: If you forget your pin later, you will need to remove pin and re-register your biometrics.
   1. Enter your Cornell NetID password to authenticate and click OK.
   2. Type in your desired pin.
      1. Click the checkbox if you would like to use a mix of numbers, letter and symbols.
      2. Length must be at least 6 characters.
8. OPTIONAL - Return to step 4 to add in the other available biometrics option (an additional fingerprint).
9. Sign out or restart your computer to test signing into Windows with biometrics.

*For staff with no available biometric options available:

If both facial recognition and fingerprint show "This option is currently unavailable, your laptop and connected equipment do not have this capability.  External USB fingerprint readers are available for around $25-$30.

• USB A Fingerprint Readers (Amazon) 
• USB C Fingerprint Readers (Amazon) 

If you have a 24" monitor with a built-in webcam, and Windows shows no available option for facial recognition setup, please contact IT support at https://westernhelpdesk.cce.cornell.edu/.   Driver updates may be need to be installed before it will function.

Step 2: Verify Beyond Identity app installed on computer

1. Press Start key on keyboard or click on Start icon in lower left corner of Windows.
2. Type in Beyond
3. In search results, click on 'Beyond Identity' app
   It may take a minute to load the app the first time.  Be patient.
4. At the Welcome screen, click 'Next'
5. At the Set up your devices screen, click 'Enter setup code'
6.  STOP when you get to window where 9-digit passcode is needed and proceed to next steps below.

Note:  If Beyond Identity is not installed, it can be downloaded from https://app.byndid.com/downloads.

Step 3: Go to Cornell's Beyond Identity website portal and register passkey

1. Open the Beyond Identity Self-Service Portal in your browser. 
   Full URL is: user.byndid.com/auth-user/?org_id=cornell-prod 
2. Log in with your Cornell NetID and password (authenticate with Two-Step Login if prompted).
3. Click the Register New Passkey button.
   You will see "Registering your passkey. Do not close this tab."

• If another device's passkey is already registered, you will NOT see 'Register New Passkey' option. 
  You must use one of the already registered devices in the list to register a new device.  OR delete all devices from the self-service portal.
  1. Open Beyond Identity on already registered device and click on Set up other devices
  2. Enter hello PIN to verify
  3. Enter 9 digit code on screen onto new device
      
• Your browser may ask if you wish to allow Beyond Identity to be opened. Select always allow and open the application. This is required for the passkey to work correctly. (Your prompt may look slightly different.)

Step 4: Verify passkey enrollment in Beyond Identity app

If passkey enrollment is successful, the Beyond Identity app will show your newly created passkey.

1. If app is no longer open, go through steps in Step 2 of this article to re-open Beyond Identity app in Windows.
2. Verify a passkey is registered (see screenshot example above)
3. Close the Beyond Identity window.

Step 5: Set up your browser to use Secure Connect

1. Open browser and navigate to Workday or any other site that requires NetID login.
2. At the CUWebLogin page, click on the new option "Log in with Passkey"

• NOTE:  If you do NOT have biometrics built into your laptop, and your only registered options are using external monitor or fingerprint reader: 
  Do NOT select the checkbox to "Always log in with Passkey Automatically".

3. Page will redirect to Beyond Identity's authentication site (https://app.byndid.com/) and prompt for biometrics login.

Step 6: Add Windows Hello as two-step authentication option

This step is strongly recommended so that you have a backup two-step authentication option registered with Cornell.  It's primary use will be if and when you need to register a new device, Windows Hello will allow you to authenticate to register that new device.  More information about Cornell two-step:  https://it.cornell.edu/twostep/get-started-two-step-login-quick-guide

1. Log into https://twostep.netid.cornell.edu/ on your CCE computer.
2. Click on Manage Devices
3. Go through Cornell log in steps
4. Click on the “Add a device” box
5. Click on the “Windows Hello” option and follow instructions for setup.

Fingerprint Not Recognized

Internal fingerprint readers on Dell laptops work reliably with Windows but may cause issues with BeyondIdentity and CUWebLogin. BeyondIdentity tends to have more problems with fingerprint authentication than facial recognition.

Suggested Actions:

• Retry fingerprint authentication or switch to facial recognition if available.
• If fingerprint consistently fails, submit a help desk ticket: https://westernhelpdesk.cce.cornell.edu

Laptop Lid Closed Error

Biometric login to CUWebLogin fails when the laptop lid is closed, even if external webcams and fingerprint readers are connected. The BeyondIdentity app displays an error.

Workaround: Keep the laptop lid slightly open.

Biometrics Not Working - No Password Option on Cornell Site

If you select “Always Log in with Passkey Automatically” on the CUWebLogin page, the password login option will be removed. The site will automatically redirect to Secure Connect for biometric authentication.

Workaround:
If Secure Connect or biometric login fails, clear your browser cache to restore the password login option.

How to clear Edge browser cache for CUWebLogin:  https://app.screencast.com/Z6RX0cgERseoz

1. Within Edge, click on … in upper right corner, and select Settings
2. In left menu, click on Cookies and site permissions
   1. OR navigate to:  edge://settings/content
3. Click on Manage and delete cookies and site data
4. Click on See all cookies and site data
5. In search field in upper right corner, type in cornell
6. There may be many sites related to Cornell.  Click the down arrow next to cornell.edu
7. Under cornell.edu, scroll down to shibidp.cit.cornell.edu and click the Trash icon.
8. Go to your Cornell site to log in with your password at the CUWebLogin page.
   You will only have the option to sign with a password. 

The next time you open Edge and visit a CUWebLogin page, both options should appear again:  Log in with Passkey, Log in with Password