Switch edu-ID launches Passwordless Login with Passkeys

We all know the problem well enough: using passwords is tedious and insecure. Passkeys, however, offer an alternative that lets Internet users log in not only more easily but also more securely. Switch is therefore extremely pleased to announce immediate support for Passkeys in Switch edu-ID.

Passkeys are a new secure login standard developed by the FIDO Alliance and the World Wide Web Consortium. With a Passkey, you can securely log in to edu-ID without having to enter a password. To unlock your Passkeys you can use the same biometric data or device password that you use to unlock your device. Passkeys are unique to you and are tied to a website, making them resistant to phishing and hacking attempts.

The best thing about Passkeys: If you have an up-to-date device (up-to-date computer, operating system, browser) you can use Passkeys right away. You don’t need to install any special apps, extensions or plugins.

To set up a Passkey for the edu-ID login, go to https://eduid.ch/account/security and configure Multi-factor Authentication. The wizard will then guide you through the setup.

If you want to learn more about passkeys:

21 thoughts on “Switch edu-ID launches Passwordless Login with Passkeys”

  1. You talk about “logging in more easily,” but with your implementation, it’s actually more complicated than before. I have to fill in my e-mail address, click Continue, click Use a passkey, then click the passkey in the list my password manager presents to me. Not an improvement. And it’s not a criticism of passkeys, but of your rushed implementation.

    1. Thanks for your feedback. Depending on your local setup, the use of Passkeys can indeed require additional steps. In our case, for example, the password manager does not ask to select a passkey but chooses it automatically. Also, we have started testing the username-less login, where for users with a Passkey only a click on the login button may be needed.
      The reason why one currently has to enter the e-mail address is that the login system first has to check which login options (mostly the second factors) are available for the user.
      We have worked on Passkeys for months, so its introduction was certainly not rushed 🙂 We also want to gain more experience with this technology.

      1. Please let us know what you consider “rushed” and what we should improve in your opinion. We ourselves use Passkeys daily to access many services, which works very well. Then again, a lot of the ease-of-use of Passkeys depends on the local setup (browser, password manager, OS support for hardware passkeys, etc.), on which our influence is limited.

  2. I do have a physical security key and needing to enter the username is a nuisance for me as well.
    (Steps needed for eduId: unlock password manager, let password manager enter username, click use passkey, enter pin for security key, touch security key)
    It would really be nice to get rid of the first two steps.

    Nevertheless: Thanks for enabling passkeys – it’s definitely a step in the right direction.

  3. This 2-factor authentication is just horrible. If for some reason I don’t have my mobile, I just cannot work because it sends the password to my mobile. Also, if my internet is slow then I have to connect again and again, and each time I have to check the code from my mobile. I would be really glad if you removed this system or added an option to send the code by email. Thanks!

    1. We are sorry to hear that you consider the 2-factor authentication cumbersome. Additional security steps often do not improve the ease-of-use…
      When 2-factor authentication is needed, this is because the service one is accessing requires it, or the organisation one is affiliated with requires it, or because the user enabled 2-factor authentication for accessing all services.
      To make login easier for you and independent of the mobile connection, we recommend enabling the App codes. They are more secure, more reliable and often easier to use (especially in combination with a password manager). Also, Passkeys are often a lot easier to use than SMS codes and App codes. Passkeys are also more secure.

  4. Kindly put the passkey page somewhere else or make it possible to close it. I have a new Tolino and cannot get on my ebookplus library account because after the first step of signing in the passkey page gets in the way

    1. We have heard of a few cases of Tolino users who have problems logging in. However, looking at the reviews for the latest Tolino 5 series, it seems that Tolino’s web browser has many problems in general. So, we hope that the company behind Tolino fixes some of these issues in the next release.

  5. How can I set up passkey on my mobile?
    NB I have an Android phone and don’t want to use any Google services.

    1. Passkeys can be activated in the edu-ID account on https://eduid.ch/account/security
      No Google services are required to enable Passkeys. There are many options to enable Passkeys, including using an external FIDO2 device to store Passkeys on (in which case not even Google would have access to the Passkeys). For edu-ID it is only important that the Passkey device (or software) verifies the user, i.e. with biometrics (fingerprint, Face-ID, etc.) or a PIN. Devices where the user just has to press a button to authenticate are not sufficient.

  6. I hate it when services force users to add phone numbers, extra apps and whatnot to make something work. I have over 1tb of data in Switchdrive that I will have to move somewhere else. I do not want mfa to be forced upon me.

    1. When MFA is enforced, this is either because the service one accesses with an edu-ID account requires it or because the organisation one is affiliated with enforces MFA for all users. In the case of Switch Drive, it was the colleagues operating Switch Drive who decided to use MFA for login. Their decision was also influenced by an increasing number of Swiss universities that mandate MFA for accessing all services for security reasons.
      One cannot deny that MFA makes login more secure. The downside is of course the sometimes more complicated login procedure. However, for edu-ID the MFA session can be remembered for up to 30 days, so that entering MFA credentials is needed only every few weeks.

  7. This is ridiculous. In terms of security, who on earth would want to hack my uni log-in, and in terms of making everything faster; it’s so unnecessarily complicated + totally absurd that we’re having to connect our phone-numbers/fingerprints with our accounts.

  8. Your link “Passkey implementation in edu-ID” states “with the exception of the Linux platform”.
    How smart is it for universities to use a method that excludes the one platform that is most useful for science and research?

    1. Thanks for your comment. Passkeys are a relatively new standard. It requires support in the OS, web browsers, hardware keys and in some cases in other components like password managers. When this article was written, Passkeys were not yet supported everywhere on Linux. This was not because of how Switch edu-ID implemented Passkeys but because support was simply not yet implemented in some of the above-mentioned components on Linux. In the meantime, things have fortunately improved, and for most popular Linux distributions/browsers one can use Passkeys without problems.

  9. Passkeys would actually be a very good thing, but Switch's implementation leaves room for improvement. For one, it is tedious and annoying to first enter one's e-mail address only to then be able to select the passkey as a login option. An e-mail address is firmly built into the passkey. There is no obvious need to ask for the e-mail address beforehand. GitHub and Microsoft prove that it can be done differently. On GitHub I can log in very easily via “Continue with a Passkey” below the username/password fields on the login page. Furthermore, it is questionable whether passkeys, as currently implemented, really promise such good protection. Suppose I received a phishing e-mail from Switch asking me to confirm my username and password. An attacker would still have the possibility of asking for my SMS or TOTP code. If I entered this code, I would be done for and an attacker could take over my account (the protection that a passkey would promise is thus gone). For Switch it is mandatory here that I register a phone number :-). Microsoft at least gives me the option of deactivating the username/password combination as well as the remaining MFA, so that I can log in only by means of a passkey. This would be considerably more secure, as there would then be no loopholes left.

    1. Thanks for the feedback. It is not necessary with all web browsers to enter one's e-mail address first. In Brave (and some other web browsers/password managers), provided one has activated a Passkey for edu-ID, one can click directly into the e-mail address field and then select one's Passkey. The login with Passkeys then takes place automatically. This way an edu-ID login is possible with a single click, without having to type anything. However, this does not (yet) work with all web browsers or password managers.
      Yes, it is true that with App codes (TOTP) or SMS there currently exist parallel authentication methods which are not phishing-resistant and which reduce the protection of Passkeys when they are enabled.
      We have it in the back of our minds to offer Passkeys as the only authentication method at some point and to switch off SMS/TOTP as second factors. However, since the support cases for resetting MFA and (increasingly) Passkeys make up a large part of the support effort, we currently shy away from introducing this option without having adapted the reset process. But it is quite possible that at some point we will offer Passkeys as the only login method and that SMS/TOTP can then still be used exclusively for resetting. This is currently not planned yet, but we will gladly discuss it in the team soon.
