Creating Shipment Requests

The method for creating shipment requests for pre-registered YubiKeys depends on how your Yubico FIDO Pre-reg solution is set up in your Customer Orchestration environment.

As an IT administrator, you can, for example, trigger a shipment request for a pre-registered YubiKey through your front-end system, such as ServiceNow. Alternatively, another integration process in your environment can trigger the shipment request.

The shipment request is received by the Yubico FIDO Connector App, which manages the credential encryption, requests recipient information from the customer’s system, and creates a shipment request to the YubiEnterprise Delivery service. For more information, see Process Flow and API Reference.

Yubico receives a request for a pre-registered YubiKey. The request contains all information needed to program and ship the key. When the request is fulfilled and the credential is activated, the randomly generated PIN associated with the YubiKey is emailed to the end user.

Note

Once the credential is programmed onto the YubiKey, the challenge and credential data, including the PIN, are purged from Yubico systems.

Initial Authentication

To authenticate with the identity provider, the end user presents their YubiKey and enters the provided PIN. If “Force PIN change” is set (and if supported by the platform), the end user is prompted to change the PIN when using the YubiKey for the first time, as in this example.

[Image: login-pin-reset.png]

If “Force PIN change” was not set, the end user will be able to log in without changing the provided PIN when using the YubiKey for the first time.

The previous step also applies when using a YubiKey Bio (FIDO and Multi-Protocol Editions), where the end user authenticates primarily using fingerprint(s) enrolled on the key. A PIN is still required as a fallback when using fingerprint authentication.

Note

In most cases, the end user will not be automatically prompted to enroll a fingerprint when using a pre-registered YubiKey Bio for the first time. The end user must enroll a fingerprint in a separate step, as described below.

Here is an example of how to enroll fingerprints when using Windows 11: Navigate to Settings > Accounts > Sign-in options, select Security key, and click Manage. Enter the PIN for the YubiKey Bio, and follow the on-screen instructions, which will prompt you to insert the security key and touch it to enroll a fingerprint. When done, you will be prompted to provide the fingerprint (instead of the PIN) when logging in.

[Image: fingerprint-enroll.png]

Different platforms (device/OS/browser) have different flows for enrolling fingerprints on YubiKeys. Refer to the account security settings information for each platform for instructions on how to enroll fingerprints. For more examples of fingerprint enrollment, see YubiKey Bio Series Specifics.

Yubico Authenticator is a convenient tool that can also be used to enroll fingerprints on a YubiKey Bio. For instructions on how to install Yubico Authenticator and enroll fingerprints, see Install the App and Enroll a fingerprint.

Select the method that is applicable to your organization’s IT platform when providing recommendations for your end users on how to enroll fingerprints on their pre-registered YubiKey Bio.