Onboarding

The current guide (https://console.yubico.com/help/) is available without logging in.

Prior to Onboarding

After the Prerequisites have been met, Yubico does the following:

  1. Creates a YubiEnterprise Delivery account for your organization
  2. Enters the purchased products and delivery shipping credits into your organization’s YubiEnterprise Delivery account
  3. Assigns YubiEnterprise Delivery login privileges to your organization’s enterprise account owner (Org Owner), who is nominated when the first purchase order (PO) is submitted
  4. Emails the login credentials to the Org Owner.

Onboarding Workflow

Logging in to your YubiEnterprise Delivery account always requires a YubiKey except in the first phase of onboarding.

In this first phase, Yubico creates a new account in YubiEnterprise Delivery and the system creates a demo user with restricted permissions for the first Org Owner. Until the org owner enrolls a YubiKey or Security Key by Yubico, the permissions of that user/role remain restricted:

  • Able to ship no more than ten keys
  • Unable to invite new members
  • Unable to generate API tokens
  • Unable to edit the email template informing recipients that they will receive shipments from YubiEnterprise Delivery.

A banner on the Console informs the user of these limitations during this initial phase of onboarding. It tells the user to register a WebAuthn credential (i.e., a security key) to finish enabling their account. The banner provides a link to the user management page where the org owner can register their credential. For instructions, see Adding WebAuthn Credentials.

If the Org Owner does not already have a YubiKey, that person should use this window of opportunity to ship keys to themselves and up to nine other people who are to become YubiEnterprise Delivery members.

Once the demo user registers a security key with YubiEnterprise Delivery, that person acquires the full permissions of an Org Owner, and all capabilities of the account are fully enabled.

Procedure

  1. The Org Owner (demo user) logs in, and clicks the privacy policy link to accept Yubico’s terms and conditions. At this point, the org owner can already verify that the YubiEnterprise Console dashboard displays the information corresponding to the initial purchase order:

    • The expected quantities of products
    • The expected value of delivery shipping credits
    [Figure: Verifying quantities purchased]

  2. The Org Owner uses the system to request shipment of a bare minimum of one key to themselves. To avoid losing access to the system if the original security key is lost, all users should make sure to register at least one additional key with YubiEnterprise Delivery.

  3. The Org Owner receives at least one YubiKey and uses the information on the Packaging page to validate the packaging has not been tampered with (as do subsequent recipients of products shipped via YubiEnterprise Delivery). The authenticity of the YubiKey itself is validated by following the guidelines on https://www.yubico.com/genuine/. The Org Owner then registers with the system, thereby ending the first phase of onboarding and gaining access to the full capabilities accorded to an org owner.

  4. The Org Owner configures new YubiEnterprise Delivery accounts for the other key recipients on the Settings tab by:

    • Entering the email addresses of the Org Members who will be managing the YubiKeys
    • Assigning roles to those Org Members. See Managing Users.
    • Creating a second Org Owner in case the first Org Owner becomes unable to perform their duties and/or leaves the organization.

  5. The system automatically emails login credentials to the Org Members. However, they will not be able to activate their accounts until they register their keys.

  6. The Org Members log in to the Console, register their keys, review the privacy policy, and accept Yubico’s terms and conditions before starting to manage and/or audit the organization’s inventory of Yubico products and shipping thereof.

Logging In

The following instructions are for users of the YubiEnterprise Console. (Your own organization could decide to implement a very similar process for its own end-users of YubiKeys and/or Security Keys by Yubico.)

  1. Click the link supplied in the email from YubiEnterprise Delivery, which opens in a browser. (The browser requirements are given in Prerequisites.)

  2. Enter the username and password supplied in the same email.

    Note

    Usernames must be email addresses. Any username entered without the “@” will return an error when the user tries to log in.

    Note

    If you allow your browser to fill in your username and password automatically, the Submit button might be grayed out. To activate the button, click in the password field.

  3. Click the Submit button. The browser displays a message instructing you to insert the YubiKey and touch it when it flashes its LED(s).

  4. When the LED(s) flash, touch the YubiKey until it stops flashing. (If you have dry skin, you may need to dampen your finger so the key recognizes your touch.)

  5. If your organization has more than one account (for example, the EMEA organization and the US/CAN organization), the list of accounts is displayed. Click the name of the appropriate organization.

Session Limits

YubiEnterprise Delivery users do not stay logged in indefinitely. After an hour of inactivity, you are automatically logged out. If the screen does not react after a period of inactivity, log out by going back to the home page and clicking the profile button at the top of the page. Then you can log in again.

After 24 hours you will need to log in again in any case.

Password Requirements

The password for logging into the YubiEnterprise Delivery Console must adhere to the following requirements:

  • Must be between 8 and 64 characters, which can be any of the following:
    • Alpha-numeric characters
    • Symbols
    • Punctuation marks, etc.
  • Must not contain any part of the username.
  • Must be different from the current password.
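
A local pre-check of a candidate password against the requirements listed above, as an added example (not Yubico's code). How the service decides what counts as "part of the username" is not stated here, so the splitting rule and the three-character minimum fragment length are assumptions, chosen to be strict; the username and passwords shown are constructed.

```python
from __future__ import annotations

import re

MIN_LEN, MAX_LEN = 8, 64   # bounds stated in the requirements above
MIN_PART_LEN = 3           # assumption: shorter username fragments are ignored


def username_parts(username: str) -> set[str]:
    """Return the username fragments that must not appear in the password.

    Assumption: "any part of the username" means the local part, the domain,
    and the tokens obtained by splitting both on '.', '_', '-' and '+'.
    """
    if "@" not in username:
        # Usernames are email addresses; anything else is rejected at login.
        raise ValueError("username must be an email address")
    local, _, domain = username.lower().partition("@")
    parts = {local, domain}
    parts.update(re.split(r"[._\-+]", local))
    parts.update(re.split(r"[._\-+]", domain))
    return {p for p in parts if len(p) >= MIN_PART_LEN}


def check_password(candidate: str, username: str,
                   current: str | None = None) -> list[str]:
    """Return the violated requirements; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    lowered = candidate.lower()  # case-insensitive match is the stricter reading
    if any(part in lowered for part in username_parts(username)):
        problems.append("contains-username-part")
    # Only meaningful where the current password is known locally,
    # e.g. to the user or a password manager performing the change.
    if current is not None and candidate == current:
        problems.append("same-as-current")
    return problems


if __name__ == "__main__":
    user = "jane.doe@example.com"  # constructed sample username
    for pw in ("Correct-Horse-42", "MyJane!2024", "short"):
        print(pw, "->", check_password(pw, user) or "ok")
```

Because the fragment rule is stricter than the service may be, a password that passes this check can still be rejected only if the service applies a rule this sketch does not model.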

Managing Passwords, etc. with SSO: Single Sign-On

This ability is associated with the User role. Owners and Admins can manage their passwords and so on, but Auditors cannot. If your organization is using the single sign-on (SSO) method, you cannot change your password and/or your authentication method when you log in via SSO. You must use your credentials (username, password and YubiKey) to log in. Only then can you manage your credentials.

To change any of your credentials:

Step 1:

Log in to https://console.yubico.com/ with username, password, and YubiKey. If you belong to more than one organization, select the one you want to access.

Step 2:

Select the Settings page. To edit your profile, on the Users tab, select your own username (you might have to scroll to find it) and click the pencil icon.

Step 3:

On the subsequent page, Edit member Somebody@company.com,

  • To change your username or email address, click the Reset user button.
  • To change your password, click the Reset password button.
  • To change your role (a capability only available to org owners), select the role from the dropdown list under the Change role heading and click the Save button.

Step 4:

With your YubiKey at the ready, on the login page, enter:

  • The email address associated with your YubiEnterprise account
  • The password (which must be between 8 and 64 characters, and must not contain any parts of your username)

Insert and touch the YubiKey when prompted.


To file a support ticket for YubiEnterprise Delivery, click Support.