A One-Step Solution for Logging into Duke Websites

A new technology solution from the Office of Information Technology (OIT) puts staff, faculty and students one step closer to what could be a passwordless future for securely and easily logging in to Duke sites.

“Duke Unlock,” a pilot program on eligible devices, bypasses the Duo multi-factor authentication and need to type in NetID passwords when logging into Duke’s services. 

Duke Unlock is a supplement to passwordless authentication, which has become the standard for security. Passwordless authentication allows you to authenticate to your device through one-touch, as opposed to authenticating to services with passwords. 

Instead of inputting your NetID and password or using Duo multi-factor authentication, Duke Unlock bypasses both to log in. The service uses biometric data or a secure PIN, security features on devices unique to each person, to authenticate login securely. Once Duke Unlock is registered on a device, the NetID login page will have a special link to authenticate passwordless login with a simple click and verification.

“The genesis for Duke Unlock is that we did a huge investigation between our security offices to come up with a password standard that would be realistic to ask people to comply to and would keep Duke safe,” said Mary McKee, director of identity management and security services at Duke, which is within Duke OIT. “We determined that there is no such password standard. Basically, anything that we could ask people to do that we could expect them reasonably to do is not enough.”

Simply put, human-generated passwords are less secure. McKee noted that people are often predictable about setting up passwords, especially with the common placement of required special characters, like question marks or exclamation points, at the beginning or end of the password.

The increased availability of graphics processing units (GPUs) has also helped hackers and bad actors compromise passwords much faster and with less cost and effort than in the past. Passwords that would have been considered difficult to crack with central processing units (CPUs) are much more effectively compromised with GPUs. In addition, a Google survey in 2019 found that more than 65 percent of people reuse passwords across multiple or all sites, making all logins, and not just one, vulnerable to attack.

Given the changing landscape of password security, Duke Unlock, a pilot program since 2018, is a solution that helps users securely and easily log into Duke sites in one simple step. Thought of by IT security office senior manager Nick Tripp and created by Duke identity management architect Shilen Patel, the program streamlines Duo multi-factor authentication, or more than one method to verify login, providing an extra layer of security and making logging in more convenient.

Duke Unlock, now used by about 5,000 Duke users, deploys multi-factor authentication through security features on personal devices, like a PIN, face ID, gesture or fingerprint, which are unique to each person, to authenticate a device in one simple step. Any biometric data used to log in through Duke Unlock, like a fingerprint, does not reach Duke, nor is it collected.

Beverly Day, an IT business analyst in Alumni Engagement and Development, likes the simplicity of Duke Unlock. She signed up last year and uses a fingerprint dongle connected to her laptop to facilitate log in.

“It saves you some time with not having to have a device, whether it be mobile, whether it be calling your desk phone,” said Day, comparing the process of Duke Unlock to Duo. “If you’re certainly working remote, you don’t have your office desk phone nearby for it to call. So it’s handy because it’s right there on your computer.”

For now, Duke Unlock is supported by iOS, MacBooks with Touch ID or Face ID enabled, or Windows devices with Windows Hello enabled. Duke Unlock is also supported on Android. It can be set up in a matter of minutes on newer devices that have been previously registered with Duke, offering a quick and easy way to make logging in easier, while prioritizing safety and security online.

“This is a really exciting thing that Duke is doing, and I think that it's something that's going to have a bigger impact,” McKee said. “We get a lot of feedback about how people feel about multi-factor and we always have to make hard decisions about what kind of impositions we’re going to put on people in the name of security. For once, we have an opportunity to put it in the user’s hands and say, ‘You know what, you have a device that is just as good as what we would install on your phone,’ so use it.”

For more information and to register for Duke Unlock, visit unlock.duke.edu.

Watch the following video to learn how it works.