Onboard users with pre-enrolled YubiKey

Limited Early Access release

Build phishing resistance into your onboarding flow by requiring users to sign in with YubiKey on the day they join your organization. This flow is available for app access only, and your users must have US mailing addresses.

In this flow, all new users receive a YubiKey before they sign in to your org. Start by enabling the phishing-resistant FIDO2 (WebAuthn) authenticator and setting up the Okta policies that require it. Then, use an Okta Workflows template to automate the flow between Yubico and Okta. This ensures that Yubico receives a YubiKey shipment request every time you add a user to the specified group.


  • Okta Workflows
  • Okta Workflows template for Pre-enrolled YubiKey (contact Okta Support)
  • YubiEnterprise Subscription
  • YubiEnterprise Delivery
  • Custom product IDs and subscription IDs for YubiKey 5 NFC and YubiKey 5C NFC (contact YubiKey Support)


  1. Configure a phishing-resistant onboarding flow

  2. Set up YubiKey - Okta flow

  3. Onboard users