Integration Procedure
The following provides an overview of the integration steps to get started using FIDO Pre-reg with Okta and Okta Workflows.
Prerequisites
- Provided by Yubico:
  - A Yubico subscription plan. For questions about Yubico subscription services, contact your Yubico sales representative.
  - Yubico Customer Portal access with FIDO Pre-reg enabled. This is provided during onboarding of your organization.
  - Customization ID (CID), Product ID, and Inventory ID for the YubiKey delivery.
- An Okta Identity Engine (OIE) tenant with Adaptive MFA and Okta Workflows entitlements.
- For users to be able to authenticate with a security key, ensure that FIDO2 WebAuthn is enabled in your Okta tenant. In the Okta Admin Console, configure User verification to use the Preferred option as described in the Add the FIDO2 (WebAuthn) authenticator section (Okta documentation).
Note
The FIDO Alliance recommends UV=Required. However, you will need to assess the impact of UV=Required based on your organization’s current settings, as it may impact users across operating systems and browser types if a PIN is not set. Preferred is an option if you are concerned about blocking other users.
Integration Steps
The FIDO Pre-reg workflow template for Okta is flexible and you can request a pre-enrolled YubiKey using the following methods:
- MFA initiated - trigger shipments using Pre-enrolled authenticators in the Okta Workflows console for an individual user.
- Group Add - trigger shipments using the Group Add flow in the Okta Workflows console (individual or multiple users). Lets you request shipments based on group membership.
- Batch requests - use the API to order YubiKeys for multiple users. For more information, see Order pre-enrolled YubiKeys in a batch (Okta documentation).
The following steps let you set up the FIDO Pre-reg integration and create a first shipment of a pre-enrolled YubiKey:
- Create user groups and configure Okta policies
- Add the FIDO Pre-reg Workflow template
- Configure the workflow connections
- Create a shipment request
The following sections describe each step in detail.