About Security Keys
A security key is a device, often resembling a USB drive, that’s used with multi-factor authentication (MFA). MFA means that you use more than one method of authentication to gain access to a resource like your JumpCloud User Portal. When you log in to your JumpCloud User Portal, you have to provide your username, password, and your security key to gain access.
You may already be using a security key with Verification Code (TOTP) MFA. A security key used with Verification Code (TOTP) MFA is different from the security key mentioned in this article and won’t work for the processes described below.
Setting Up a Security Key for My JumpCloud User Account
Your IT Admin Registers Security Keys for You
Your IT admin may register security keys for you. In this case, you aren’t required to do any additional setup.
You’re Registering a Security Key
Alternatively, your IT admin may have you register a security key for your user account.
Setting Up Security Keys
- Your IT admin has to enable security key self-registration. If your IT admin doesn’t enable self-registration, you don’t see the option to set up a security key.
- You need to have a security key with you to successfully register a security key with JumpCloud.
Supported Security Keys
- If you’re using a Chrome browser and a Mac that supports Apple Touch ID, you have the option to insert a physical security key or use Touch ID as a security key. Only Chrome supports a Touch ID security key, so a Touch ID security key doesn’t work when you log in to the User Portal using a non-supported web browser.
- If you’re using a Lenovo ThinkPad Carbon running Windows 10, you can use the fingerprint scanner as a security key. Fingerprint scanners are supported by Chrome, Firefox, and Edge.
- You can try using Bluetooth Low Energy security keys, but JumpCloud doesn’t officially support them.
Using Security Keys with Other MFA Factors
- You’ll continue to use the other MFA factors your IT admin has enabled for you, so hang on to the tools you use for Verification Code (TOTP) MFA and Duo MFA.
To register a security key for your user account:
- Log in to your User Portal: https://console.jumpcloud.com/login
- You see a Set Up Multi-Factor Authentication modal. Select WebAuthn Security Key MFA, then click continue. If Verification Code (TOTP) MFA is an option, see Registering Security Keys When TOTP MFA is Enabled.
- Enter a display name if you’d like, then click REGISTER KEY.
- Insert the security key into your computer, then follow the browser prompts.
Note: Browser prompts can differ in behavior and messaging.
- After the security key is successfully registered, add another key or click X to close the modal.
You can add security keys at any time from the SECURITY tab in the User Portal. In the Multi-factor Authentication section, click ADD KEY to register a security key.
Registering Security Keys When Verification Code (TOTP) MFA is Enabled
When Verification Code (TOTP) MFA is enabled, the way you set up a security key varies depending on the Verification Code (TOTP) MFA enrollment period stage you’re in:
- If Verification Code (TOTP) MFA is already set up on your account, you’re prompted to set up a security key when you log in to the User Portal.
- If you’re in the Verification Code (TOTP) enrollment period, you see a chooser that lets you pick which MFA solution to set up first. If you set up WebAuthn first, you need to go back and set up Verification Code (TOTP) MFA as well.
- If you don’t set up Verification Code (TOTP) MFA in the enrollment period, you get locked out of resources that are protected by Verification Code (TOTP) MFA. You need to contact your IT admin to reset your enrollment period. Then you can set up Verification Code (TOTP) MFA and a security key.
See Using TOTP MFA with Your User Account for more information about Verification Code (TOTP) MFA.
Finding Your Security Keys
To find your security keys, log in to your User Portal, then go to the SECURITY tab. Here you can find your:
- Security key status
- Security key credential ID
- Display label
About the Security Key Status
You see one of the following statuses if your IT admin has allowed you to use security keys:
- Active keys – This means you have a registered security key.
- No Security keys – This means you don’t have any registered security keys.
About the Security Key Credential ID
The Credential ID is associated with your security key. It’s what the security key uses to prove who you are each time you use the security key to log in to the User Portal. You can’t edit the Credential ID.
About the Display Label
You can give a security key a display label when you register it. If you have multiple security keys, consider using the display label to help differentiate them. If you need to change a display label, click the pencil icon to edit it.
If your admin registers your security key for you, you can’t edit the display label.
Logging in to Your JumpCloud User Portal with a Security Key
If your IT admin requires that you use a security key for MFA, you need to log in to your JumpCloud User Portal with a security key. When you log in to your User Portal, you can pick the MFA method, and Security Key should be one of the options you see. You should also see TOTP or Duo MFA as an option. If you don’t see WebAuthn and think you should, get in touch with your IT admin.
To log in to your JumpCloud User Portal with a security key:
- Go to your JumpCloud User Portal: https://console.jumpcloud.com.
- Enter your username and password, then click USER LOGIN.
- Select Security Key for the MFA factor.
- Your browser shows a set of instructions specific to your setup, which include using your security key.
- When you click NEXT, you have 60 seconds to use your security key, so make sure it’s ready to use when you start logging in to your User Portal.
- If you have a removable security key, insert it into your computer before you log in.
- Browser prompts can differ in behavior and messaging.
- WebAuthn works with Chrome, Firefox, Edge, and the newest versions of Safari.
- WebAuthn with Touch ID only works with Chrome.
- WebAuthn doesn’t work with Internet Explorer or Safari 12.
- Browsers don’t support all security keys. If you experience problems logging in with a security key, your security key may not be supported by the browser.
After you successfully authenticate, you’re logged in to your JumpCloud User Portal.
Logging in to SSO Applications with Your Security Key
When you have registered a security key and you’re required to use it for MFA, you can authenticate to your Single Sign-On (SSO) applications using your security key. You have two ways to access your applications:
Access an SSO application by logging in to your JumpCloud User Portal
- Follow the steps listed in Logging in to Your JumpCloud User Portal.
- Go to the APPLICATIONS tab in the User Portal.
- To start using an application, select the one you want to use.
Access an SSO application by logging in from the application
- Not all SSO applications let you log in from the application. In this case, you have to access the application by logging in to the JumpCloud User Portal.
- To log in to an application with a security key, make sure you use a supported web browser.
- On Windows systems, some applications initiate SSO using a version of IE 11. WebAuthn MFA isn’t supported by IE, including IE 11. In this case, you can use an alternative MFA factor like Verification Code (TOTP) MFA or Duo MFA.
How to log in:
- Go to the application login page.
- Generally, there is either a special link or an adaptive username field that detects you’re authenticating through SSO. This varies by application.
- You’re redirected to JumpCloud to enter your JumpCloud credentials and use your security key for MFA authentication.
- After you’re logged in successfully, you’re redirected back to the application, and you’re automatically logged in.
Resetting a Password from the User Portal
When you use a security key for MFA, you need to use the security key when you change your password from the User Portal.
To reset your JumpCloud user password from the User Portal:
- Go to the User Portal: https://console.jumpcloud.com/login.
- Click the Reset User Password link.
- Enter your user account email address, then click Send Reset Request.
- Open the reset request that’s sent to your email.
- Follow the prompts to reset your password, and use your security key for MFA authentication.
Note: When you change your password, you have five minutes to click NEXT and tap the security key before the token expires.
What happens if your security key fails?
If your security key fails, use a different MFA factor to authenticate to your User Portal. If you continue to experience problems, contact your IT admin.
Possible Authentication Errors
You may encounter errors when logging in to your User Portal with your security key for the following reasons:
- You experience a connection issue.
- You have the wrong security key.
- Your admins have deleted the credential associated with the security key.
- Your browser times out.
- Your browser doesn’t support your security key.
- You use an unsupported browser.
If you lose your security key or your security key stops working, you can delete it and register a new one.
To delete a security key:
- Log in to the User Portal: https://console.jumpcloud.com/login.
- Go to Security.
- Identify the security key you want to delete, then click the trashcan icon next to it.
- In the Delete Security Key modal, click confirm.
To register a new security key, see You’re Registering a Security Key.