Skip to content Skip to site navigation

Cardinal Key FAQs

Improving the Cardinal Key Experience

You shared your feedback with us, and we've heard you. The result: a substantially improved Cardinal Key user experience is on the way. 

Cardinal Key Frequently Asked Questions

Self Help for the two most common Cardinal Key errors, see our Cardinal Key Known Issues page known-issues.

Learn more about Cardinal Key by visiting cardinalkey.stanford.edu

Q. How does Cardinal Key protect my computer?
A. Cardinal Key ensures that devices meet our MinSec requirements (per MyDevices) regardless of location.
Q. Why does Safari always prompt me to select which Cardinal Key to use when I authenticate to a Stanford website?
A. You can eliminate the prompt by associating an "identity preference" with the certificate in the Keychain Access app.
  1. Open the Keychain Access app by navigating to Applications  > Utilities > Keychain Access.app.
  2. In the Keychains section, click login and then in the Category section click My Certificates.
  3. If there's more than one Cardinal Key, you might want to delete older ones before proceeding. This isn't necessary but can reduce confusion and clutter.
  4. Right-click the Cardinal Key certificate you want Safari to use and then click New Identity Preference.
  5. In the New Identity Preference Location or Email Address field, enter https://login.stanford.edu/ and click Add.
Q. Why does my Cardinal Key stop working after two days?
A. Devices must be compliant in MyDevices in order to use the Cardinal Key service. This rule applies to all users, regardless of affiliation. There is a two-day grace period after the initial installation of a Cardinal Key during which it may be used on a non-compliant device, or on a device whose compliance status is unknown. Once the grace period expires, the Cardinal Key will become unusable until the compliance problem is addressed.
Q. How does Cardinal Key protect against phishing?
A. Using Cardinal Key means no longer being prompted for a SUNet ID and password. If you DO encounter a Stanford-looking login page asking for a username and password while using Cardinal Key, you should be suspicious of a phishing attempt.
Q. I have Cardinal Key installed on my device. Why am I still being prompted for two-factor authentication?

A. Cardinal Key replaces the need to provide your SUNet ID and password. Depending on the system, the frequency may vary, but you will still need to two-factor in. If you check the Remember me for 90 days box on the two-step authentication login screen, you will reduce the number of two-step authentication prompts that you receive in that web browser for the next 90 days.

Q. Which Stanford sites require me to log in with a Cardinal Key?
A. The campus-wide Cardinal Key rollout is to enforce the use of Cardinal Key when logging into webmail.stanford.edu, axess.stanford.edu, and Google Docs (this would include *.google.com).
Q. Why can’t I join the eduroam network with my Cardinal Key?

A. You must use a Cardinal Key installed after January 2021 in order to join the eduroam network. You can use the Cardinal Key installer (ckinstall.stanford.edu) to install a new Cardinal Key.

Q. Why is my Cardinal Key not working after clearing my cookies and cache?

A. If you clear your cookies and cache, you will need to re-enable the Cardinal Key. You can do so by going to https://login.stanford.edu/cookie/x509.

Q. My Cardinal Key stopped working. I checked https://login.stanford.edu/cookie/x509 and it is enabled. What do I do?

A. Check mydevices.stanford.edu to confirm that your device shows as compliant. If it is not compliant, please submit a Help request to your local IT support to let them know.

Q. Cardinal Key works fine on all my browsers, but I cannot log in to VPN with it. What should I do? 

A. When logging into the VPN, please make sure you are selecting the Cardinal Key instead of another certificate. Learn more:

Q. I am able to login to VPN with Cardinal Key. Why am I still being prompted to enter my SUNet ID and password when I go to Stanford websites?

A. Check that the Cardinal Key is enabled in your browser(s) by going to https://login.stanford.edu/cookie/x509

Q. Why does my Cardinal Key work in Firefox, but not always in Chrome?

A. In your Chrome browser, clear the IDP cookie by going to https://login.stanford.edu/cookie/idp and try accessing the site you need to login to.

Q. Why does my Cardinal Key work in Chrome but not Firefox?

A. Make sure you have the correct settings set via the instructions found under "How to enable Cardinal Key for macOS on Firefox Version 75+" at: https://uit.stanford.edu/service/cardinalkey/install_windows or https://uit.stanford.edu/service/cardinalkey/install_mac.

Q. Can I install Cardinal Key on a personal device?

A. Yes, you can install Cardinal Key on a personal device. In order to use the Cardinal Key past the initial 48 hour grace period, that device needs to be compliant in MyDevices.

Q. Can I store High Risk Data in Google Drive using Cardinal Key?

A. Yes, follow the instruction on this page to learn more.

Q. Can I install Cardinal Key on a shared device?

A. Cardinal Key does not work well on a shared workstation. Depending on the scenario you are in, you can request an exemption.

Q. Which Stanford sites can I log in with a Cardinal Key?

A. Any Stanford site that supports SAML can be set up by the administrator to recognize the Cardinal Key. Please submit a Help request to the Information Security Office for more information.

 

Last modified October 15, 2021