Cardinal Key FAQs

Improving the Cardinal Key Experience

You shared your feedback with us, and we've heard you. The result: a substantially improved Cardinal Key user experience is on the way. 

Cardinal Key Frequently Asked Questions

Self Help for the two most common Cardinal Key errors, see our Cardinal Key Known Issues page known-issues.

Learn more about Cardinal Key by visiting cardinalkey.stanford.edu. 

Q. How does Cardinal Key protect my computer?

A. Cardinal Key ensures that devices meet our MinSec requirements (per MyDevices) regardless of location.

Q. Why does Safari always prompt me to select which Cardinal Key to use when I authenticate to a Stanford website?

A. You can eliminate the prompt by associating an "identity preference" with the certificate in the Keychain Access app.

1. Open the Keychain Access app by navigating to Applications  > Utilities > Keychain Access.app.
2. In the Keychains section, click login and then in the Category section click My Certificates.
3. If there's more than one Cardinal Key, you might want to delete older ones before proceeding. This isn't necessary but can reduce confusion and clutter.
4. Right-click the Cardinal Key certificate you want Safari to use and then click New Identity Preference.
5. In the New Identity Preference Location or Email Address field, enter https://login.stanford.edu/ and click Add.

Q. Why does my Cardinal Key stop working after two days?

A. Devices must be compliant in MyDevices in order to use the Cardinal Key service. This rule applies to all users, regardless of affiliation. There is a two-day grace period after the initial installation of a Cardinal Key during which it may be used on a non-compliant device, or on a device whose compliance status is unknown. Once the grace period expires, the Cardinal Key will become unusable until the compliance problem is addressed.

Q. How does Cardinal Key protect against phishing?

A. Using Cardinal Key means no longer being prompted for a SUNet ID and password. If you DO encounter a Stanford-looking login page asking for a username and password while using Cardinal Key, you should be suspicious of a phishing attempt.

Q. I have Cardinal Key installed on my device. Why am I still being prompted for two-factor authentication?

A. Cardinal Key replaces the need to provide your SUNet ID and password. Depending on the system, the frequency may vary, but you will still need to two-factor in. Learn more about two-step authentication. 

Q. Which Stanford sites require me to log in with a Cardinal Key?

A. The campus-wide Cardinal Key rollout is to enforce the use of Cardinal Key when logging into webmail.stanford.edu, axess.stanford.edu, and Google Docs (this would include *.google.com).

Q. Why can’t I join the eduroam network with my Cardinal Key?

A. You must use a Cardinal Key installed after January 2021 in order to join the eduroam network. You can use the Cardinal Key installer (ckinstall.stanford.edu) to install a new Cardinal Key.

Q. Cardinal Key works fine on all my browsers, but I cannot log in to VPN with it. What should I do? 

A. When logging into the VPN, please make sure you are selecting the Cardinal Key instead of another certificate. Learn more:

• ​Windows: Connect to the Stanford VPN with a Cardinal Key​
• Mac: Connect to the Stanford VPN with a Cardinal Key​

Q. Why does my Cardinal Key work in Chrome but not Firefox?

A. Make sure you have the correct settings set via the instructions found under "How to enable Cardinal Key for macOS on Firefox Version 75+" at: https://uit.stanford.edu/service/cardinalkey/install_windows or https://uit.stanford.edu/service/cardinalkey/install_mac.

Q. Why did my Cardinal Key stop working in Firefox?

A. Make sure Firefox doesn't have the following authentication decision saved:

1. Open the Firefox Preferences by navigating to Firefox> Preferences > Privacy & Security > View Certificates > Authentication Decisions.
2. In the "These certificates are used to identify you to websites" window, select the line that shows login.stanford.edu and Send no client certificate.
3. Click Delete.
4. Click OK.

Q. Can I install Cardinal Key on a personal device?

A. Yes, you can install Cardinal Key on a personal device. In order to use the Cardinal Key past the initial 48 hour grace period, that device needs to be compliant in MyDevices.

Q. Can I store High Risk Data in Google Drive using Cardinal Key?

A. Yes, follow the instruction on this page to learn more.

Q. Can I install Cardinal Key on a shared device?

A. Cardinal Key does not work well on a shared workstation. Depending on the scenario you are in, you can request an exemption.

Q. Which Stanford sites can I log in with a Cardinal Key?

A. Any Stanford site that supports SAML can be set up by the administrator to recognize the Cardinal Key. Please submit a Help request to the Information Security Office for more information.