The current guide (https://console.yubico.com/help/) is available without logging in.

Prior to Onboarding

After the Prerequisites have been met, Yubico does the following:

  1. Creates a YubiEnterprise Delivery account for your organization.
  2. Enters the purchased products and delivery shipping credits into your organization’s account.
  3. Assigns Console login privileges to your organization’s enterprise account owner (Console Owner), nominated when the first purchase order (PO) is submitted.
  4. Emails the login credentials to the Console Owner.

Onboarding Workflow

The onboarding involves these steps:

  1. Initial login to the Console as Console Owner using provided credentials.
  2. Verifying your first purchase order.
  3. Creating an initial shipment request of maximum 10 YubiKeys.
  4. Registering at least one security key for your account.
  5. Adding more organization members to your organization account.

Logging in to the Console always requires a YubiKey except in the first phase of onboarding.

In this first phase, Yubico creates a new account in YubiEnterprise Delivery and the system creates a demo user with restricted permissions for the first Console Owner. Until the Console owner enrolls a security key, the permissions of that user/role remain restricted:

These limitations are displayed on a banner during the initial onboarding phase instructing the user to register a WebAuthn credential (security key) to finish account enablement.


If the Console Owner has not already got a YubiKey, that person should use this initial phase as demo user in the onboarding to ship keys (maximum 10) to other organization members.

Once the demo user registers a security key in the Console, that person acquires the full permissions of an Console Owner, and all capabilities of the account are fully enabled.


  1. The Console Owner (demo user) logs in, and clicks the privacy policy link to accept Yubico’s terms and conditions. At this point, the Console Owner can already verify that the YubiEnterprise Console dashboard displays the information corresponding to the initial purchase order(s), including the expected quantities of products in the applicable categories:

    • Available subscription 2.0 licenses
    • Available subscription 1.0 licenses
    • Available standard products inventory

    Verifying quantities purchased

    To see the explanation for what products are available in each of these categories, see Key Models Per Tier. (The term “tier” applies to subscriptions.)


    It might be necessary to toggle the Only show shippable inventory switch on the top right of the screen.

    It might be necessary to adjust the view to correspond to your situation and your permissions. If you do not see what you expect to see, check Distributor and Reseller Onboarding. For a full understanding of roles in the Console, see Roles and Permissions.

  2. The Console Owner uses the system to request shipment of at least one YubiKey to themself. It is recommended that you register at least one additional key to avoid losing access to the Console if the original key is lost. See Shipping to a Single Address.

  3. The Console Owner receives at least one YubiKey and uses the information on the Packaging page to validate the packaging has not been tampered with (as do subsequent recipients of products shipped via YubiEnterprise Delivery). The authenticity of the YubiKey itself is validated by following the guidelines on https://www.yubico.com/genuine/. The Console Owner then registers with the system, thereby ending the first phase of onboarding and gaining access to the full capabilities accorded to a Console Owner.

  4. The Console Owner configures new YubiEnterprise Delivery accounts for the other key recipients on the Settings tab by:

    • Entering the email addresses of the organization members who will be managing the YubiKeys
    • Assigning roles to those organization members. See Roles and Permissions.


    Ensure your organization has at least two Console Owners. This is the only role that can perform password and account resets for users who have been locked out. If your organization has only a single Console Owner and that person locks themselves out or leaves your organization, you must contact Yubico to set up a new Console Owner.

  5. The system automatically emails login credentials to the organization members. However, they will not be able to activate their accounts until they register their keys.

  6. The organization members log in to the Console, register their keys, review the privacy policy, and accept Yubico’s terms and conditions before starting to manage and/or audit the organization’s inventory of Yubico products and shipping thereof.


Distributor and Reseller Onboarding

Distributors and resellers (formerly referred to as “Channel Partners”) can use YubiEnterprise Delivery to manage their own inventories, and view their customers’ inventories for related purchases.

A reseller can have Yubico enable the end-customer for which it purchased inventory to see that inventory. For example, by clicking on the Reseller role label, a reseller can change the view to verify that an associated end-customer can see the inventory purchased from that reseller.

Similarly, a Distributor can enable (and verify) inventory viewing through the Console by a Reseller for which it purchased inventory.

Yubico sets up these roles/views when it receives a PO containing an email address for each role where applicable. For example, the Reseller user must have both Reseller and Customer roles if the end customer is to use the Console, while the user in the customer organization must have a Console Owner role. That alone is sufficient to give that user the Customer view.

Logging In

The following instructions are for users of the YubiEnterprise Console. (Your own organization could decide to implement a very similar process for its own end users of YubiKeys and/or Security Keys by Yubico.)

Step 1:

Click the link supplied in the email from YubiEnterprise Delivery, which opens in a browser. (The browser requirements are given in Prerequisites.)

Step 2:

Enter the username and password supplied in the same email.


Usernames must be email addresses. Any username entered without the “@” will return an error when the user tries to log in.


If you allow your browser to fill in your username and password automatically, the Submit button might be grayed out. To activate the button, click in the password field.

Step 3:

Click the Submit button. The browser displays a message instructing you to insert the YubiKey and touch it when it flashes its LED(s).

Step 4:

When the LED(s) flash, touch the YubiKey until it stops flashing. (If you have dry skin, you may need to dampen your finger so the key recognizes your touch.)

Step 5:

If your organization has more than one account–for example, the EMEA organization and the US/CAN organization–the list of accounts is displayed. Click the name of the appropriate organization.

Step 6:

If the user logging in to the Console has multiple roles, the highest priority role is selected, with the top role being Console Owner, followed by Console Admin, Console Auditor, Distributor, Reseller in that order. The user then arrives at the appropriate landing page. If necessary, a different role can be selected on the Profile page (click on name of logged-in user in top right-hand corner of any Console screen).

Session Limits

Console users do not stay logged in indefinitely. After an hour of inactivity, you are automatically logged out. If the screen does not react after a period of inactivity, log out by going back to the home page and clicking the profile button at the top of the page. Then you can log in again.

After 24 hours you will need to log in again in any case.

Password Requirements

The requirements for the Console login password are:

  • Must be 8-64 alphanumeric characters.
  • Must not contain any part of the username.
  • Must be different from the current password.

Managing Passwords with SSO

This ability is associated with the User role. Owners and Admins can manage their passwords and so on, but Auditors cannot. If your organization is using the single sign-on (SSO) method, you cannot change your password and/or your authentication method when you log in via SSO. You must use your credentials (username, password and YubiKey) to log in. Only then can you manage your credentials.

To change any of your credentials,

Step 1:

Log in to https://console.yubico.com/ with username, password, and YubiKey. If you belong to more than one organization, select the one you want to access.

Step 2:

Select the Settings page. To edit your profile, on the Users tab, select your own username (you might have to scroll to find it)and click the pencil icon.

Step 3:

On the subsequent page, Edit member Somebody@company.com,

  • To change your username or email address, click the Reset user button.
  • To change your password, click the Reset password button.
  • To change your role (a capability only available to Console Owners), select the role from the dropdown list under the Change role heading and click Save.
Step 4:

With your YubiKey at the ready, on the login page, enter:

  • The email address associated with your YubiEnterprise account
  • The password (which must be between 8 and 64 characters, and must not contain any parts of your username)

Insert and touch the YubiKey when prompted.

To file a support ticket for YubiEnterprise Delivery, click Support.