Introduction

Note

FIDO Pre-reg with Microsoft is currently available in Early Access (EA).

YubiKey as a Service – Enrollment provides different options for organizations to pre-enroll credentials on a YubiKey, allowing their end users to instantly start using their key to authenticate with their identity providers, without first having to register the key.


Credential programming requests for hardware and software are initiated through FIDO Pre-reg API integrations with a customer’s IT environment. A request is fulfilled either by Yubico or on-site by a trusted agent, such as a customer’s IT administrator.

Pre-enrollment Options

The following pre-enrollment options are available:

  • FIDO Pre-reg integration: With this option, the keys are factory-programmed by Yubico and shipped globally, from Yubico facilities directly to the end user. The service is available through API integrations with IdPs (identity providers).

    Yubico provides integrations with the following IdPs:

  • Enroll app (Limited Early Access): This option lets a trusted agent, such as an IT administrator, request credentials registered with the organization’s IdP, and pre-program these credentials onto a YubiKey on-site, using a mobile app. The key is then provided to the end user. See Enroll App.

  • YubiEnroll CLI tool: Using this option, an IT administrator with access to the organization’s IdP can pre-program credentials onto a YubiKey on-site, on behalf of an end user. The key is then provided to the end user. See YubiEnroll User Guide.