Require phishing-resistant authentication with pre-enrolled YubiKey

Early Access release. See Enable self-service features.

Secure your authentication flows for new and existing users by requiring them to sign in with YubiKeys.

This setup automates the YubiKey shipment process by connecting your Okta and Yubico orgs. You can also connect an HRIS (Human Resource Information System) app such as ServiceNow or Workday to this automated shipment flow, if you maintain the user information there.

Pre-enrolled YubiKey

A pre-enrolled YubiKey is a WebAuthn-based physical security key that you order on behalf of the user. This key is then enrolled and shipped to the user’s address by Yubico. The shipment information is sourced from either Okta or the HRIS. Once the user receives the key, they can immediately start using it for authentication.

Phishing-resistant passwordless authenticators such as a WebAuthn-based YubiKey are more secure than non-phishing-resistant authenticators such as passwords because they use MFA techniques that are difficult for attackers to intercept or replicate.

How it works

First, configure the FIDO2 (WebAuthn) authenticator. Next, configure policies that require users to sign in using YubiKey. Then set up an automated shipment and authenticator enrollment flow using Okta Workflows. After you complete these steps, you can order pre-enrolled YubiKeys for new and existing users.

When you add a pre-enrolled authenticator for a user, the automated workflow is triggered. It sends a shipment notification to Yubico, which sends a YubiKey to the user’s address. In Okta, the YubiKey is enrolled and activated for the user. Once the user receives the YubiKey and its PIN, they can immediately use it for signing in. Check your YubiEnterprise Delivery account for supported shipping locations and any applicable restrictions.

Requirements

  • FIDO2 (WebAuthn) authenticator in Okta
  • Okta Workflows
  • Okta Workflows template for pre-enrolled YubiKey
  • YubiEnterprise Subscription
  • YubiEnterprise Delivery
  • Product IDs, Inventory product IDs, and Customization IDs for the YubiKeys

Journey

  1. Set up FIDO2 (WebAuthn) authenticator and phishing-resistant policies: Configure the FIDO2 (WebAuthn) authenticator and policies to require users to sign in using phishing-resistant authenticators.
  2. Set up Okta Workflows for YubiKey shipment: Connect Yubico, Okta, and HRIS orgs to create an automated flow for YubiKey enrollment and shipment.
  3. Order pre-enrolled YubiKeys: Order pre-enrolled YubiKeys for new and existing users, either individually or in a batch.
  4. User experience: Understand how users sign in with their pre-enrolled YubiKey.