Integration Procedure
The following provides an overview of the integration steps to get started using Yubico FIDO Pre-reg with Okta and Okta Workflows.
Prerequisites
Ensure you have the following before starting the implementation procedure:
- Enterprise Plus plan subscription. For questions about Yubico subscription services, contact Yubico Support.
- YubiEnterprise Console access with FIDO Pre-reg enabled. This is provided by Yubico during onboarding of your organization.
- Customization IDs (CID), Product IDs, and Subscription IDs for the YubiKey models you will be shipping to end users. Provided by Yubico.
- A YubiEnterprise API token, see Generating an Authorization Token.
- An Okta Identity Engine (OIE) tenant with Adaptive MFA and Okta Workflows entitlements.
- For an understanding of the Yubico FIDO Pre-reg integration, see Workflow integration.
- For an overview of Okta’s recommended policies, see Require phishing-resistant authentication with pre-enrolled YubiKey (Okta documentation).
- In order for users to be able to authenticate with a security key, ensure that FIDO2 WebAuthn is enabled in your Okta tenant. In the Okta Admin Console, configure User verification to use the Preferred option as described in Add the FIDO2 (WebAuthn) authenticator section (Okta documentation).
Note
The FIDO Alliance recommends UV=Required. However, you will need to assess the impact of UV=Required based on your organization’s current settings, as it may impact users across operating systems and browser types if a PIN is not set. Preferred is an option if you are concerned about blocking other users.
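To make the note concrete, here is an added example (not code from Yubico or Okta) that parses the flags byte of WebAuthn authenticator data and applies a relying-party userVerification policy. It shows why Preferred does not guarantee a PIN: a touch-only assertion from a key without a PIN passes under Preferred but is rejected under Required. The sample authenticator data bytes are constructed for the example.

```python
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present (key was touched)
FLAG_UV = 0x04  # user verified (PIN or biometric was checked)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {
        "rp_id_hash": rp_id_hash.hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def uv_policy_allows(auth_data: bytes, policy: str) -> bool:
    """Apply the RP's userVerification setting: "required" or "preferred"."""
    parsed = parse_auth_data(auth_data)
    if not parsed["user_present"]:
        return False  # a presence check is always expected
    if policy == "required":
        return parsed["user_verified"]  # no UV flag -> reject (no PIN set)
    if policy == "preferred":
        return True  # UV is accepted when present but never demanded
    raise ValueError(f"unknown userVerification policy {policy!r}")


def _sample(flags: int) -> bytes:
    # Constructed sample: all-zero rpIdHash, the given flags, signCount = 7.
    return bytes(32) + bytes([flags]) + struct.pack(">I", 7)


AUTH_DATA_PIN_SET = _sample(FLAG_UP | FLAG_UV)  # key with a PIN, UV performed
AUTH_DATA_NO_PIN = _sample(FLAG_UP)             # key without a PIN, touch only
```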
Integration Steps
The Yubico FIDO Pre-reg workflow template for Okta is flexible and you can request a pre-registered YubiKey using the following methods:
- MFA initiated - trigger shipments using Pre-enrolled authenticators in the Okta Workflows console (for an individual user).
- Group Add - trigger shipments using the Group Add flow in the Okta Workflows console (for an individual user or multiple users).
- Batch requests - use the API to order YubiKeys for multiple users. For more information, see Order pre-enrolled YubiKeys in a batch (Okta documentation).
The following steps let you set up the Yubico FIDO Pre-reg integration and create a first shipment of a pre-registered YubiKey:
- Create user groups and configure Okta policies
- Add the Yubico FIDO Pre-reg Workflow template
- Configure the workflow connections
- Create a shipment request
The following sections describe each step in detail.