User Management
Each user in an organization has a single account in the Customer Portal, the username for which is their email address. New users receive an email with an activation link through which they complete the setup of their account by registering a YubiKey. See Activating User Accounts.
The organization account in the Customer Portal is set up by Yubico during onboarding. The first account user is automatically assigned the Console Owner role. Once the first Console Owner has registered a YubiKey with their account, they can add additional users for the organization.
In the case of an international organization shipping YubiKeys to multiple countries, separate organization accounts can be set up. The same individual can be the Console Owner for multiple organizations.
Important
Ensure your organization has at least two Console Owners. That is the only role that can perform password and account resets for users who have been locked out. If your organization only has one Console Owner and that person locks themselves out or leaves the organization, you must contact Yubico to set up a new Console Owner, which might delay your shipments.
Viewing Users
In the Customer Portal, click Your organization > Users to open the Users page. What you see here depends on your role. You can only access user information with the Console Owner, Console Admin, or Console Auditor role. Only Console Owners can edit or delete users; Admins and Auditors can only view the user information.
For reseller and distributor organizations, there are also Reseller and Distributor roles that control permissions for those users. For more information, see Roles and Permissions.
The following information is displayed:
- Email - Email address used to log in to the Customer Portal.
- Roles - The role that the user has in the system, see Roles and Permissions.
- Last login - Date and time of the user’s last login.
- State - The state of the user’s account, for example “Pending” or “Active”, see User Account States.
- Password - Indicates whether the user has set a password (tick) or not (x).
- MFA - Indicates whether the user has enabled multi-factor authentication (tick) or not (x).
- Passwordless - Indicates whether the user account has been upgraded to passwordless authentication (tick) or not (x). If ticked, the user has at least one registered passkey, and any previous passwords have been removed. See Passwordless Authentication.
- Actions - Icons for editing or deleting users, only available for Console Owners.
Creating and Removing Users
Note
Adding and removing user accounts can only be done by a user with the Console Owner role.
Do the following to create a user:
- On the Your organization > Users page, click Create user to open the Create user page.
- Enter the new user’s email address and select a role - Console Auditor, Console Admin, or Console Owner. If your organization is a channel partner, you will also have options to assign the Reseller or Distributor roles to your users, see Channel Partner Roles.
- Click Create user. For each new user, the system generates an activation email inviting the user to activate their account, see Activating User Accounts.
Note
When activating their account, users are asked to provide a one-time code sent to their email address in order to authenticate. Users have three attempts to submit a correct code; after three failures they are locked out for 15 minutes before they can retry. The lockout is associated with the invitation, so attempting to log in from a different device will not work. Sending a new invitation bypasses the lockout because it is a different invitation from the one that is locked.
Do the following to remove a user:
- On the Your organization > Users page, click the Remove icon on the line for the user you want to remove.
- Click Yes, remove user in the confirmation dialog that appears.
Managing Your Account
With passwordless authentication you log in to the Customer Portal using a secure proof of identity through a passkey on a registered device such as a YubiKey. For more information, see Passwordless Authentication.
To manage your account settings, click on your user icon in the upper right corner and select Manage credentials to open the Account page. From here you can manage the passkeys associated with your account, as described in the following.
Managing Login Credentials
From the Passkeys section in the Account page you can manage passkeys as follows:
- To register a passkey, click Add and follow the instructions in the dialog that appears. Registered passkeys will appear in the list of passkeys.
- To change the name of a passkey in the list, click Edit, make your changes, and click Save. The YubiKey model is automatically provided as the passkey name. This can be changed to a name of your choice.
- To remove a passkey from your account, click Remove.
- To check which passkey you are currently logged in with, click Identify and follow the instructions. The current passkey will be highlighted in the list.
Note
For enhanced security, authentication to the Customer Portal through password is being deprecated, and organizations are encouraged to move their user accounts to passwordless login, see Upgrading to Passwordless. If you are still using a password to log in to the Customer Portal, the password management option in the Account page will be displayed.
Switching Organizations
If your Customer Portal user account is a member of more than one organization, you can switch between the organizations by clicking the organization name in the top left corner. This opens a menu from where you can select the desired organization in the list.
Managing API Tokens
An API token is used by an API caller account to authenticate with the YubiEnterprise API, for example by applications that integrate with the Delivery service. To manage API tokens, click the organization name in the top left corner and select Manage API token. For more information, see API Caller Account Setup.
Passwordless Authentication
Passwordless authentication is more secure and convenient than using passwords when logging in to websites and applications. With passwordless authentication you log in using for example a username or email address together with a secure proof of identity through a passkey on a registered device such as a YubiKey. The passkey is a digital credential tied to your user account and the website or application you are logging in to.
The passkey can be stored on separate external hardware like a YubiKey (device-bound passkey). A passkey can also be stored on multiple devices like a computer or mobile phone where it can be copied and synchronized between the devices (cloud-based synced passkeys).
Synced passkeys can be synchronized between for example browsers (Chrome, Edge, Safari), password managers (1Password etc.), and platform ecosystems (Apple Keychain, Google Account sync etc.). These passkeys are stored in software and can be accessed from multiple devices once synchronized.
A passkey stored on a YubiKey can be used on multiple instances to log in to websites and applications. However, the YubiKey must be registered on each instance before it can be used.
Using a device-bound passkey is the most phishing-resistant option as this requires physical possession of the YubiKey for authentication. Device-bound passkeys cannot be synchronized across devices, and provide enhanced security through hardware-backed cryptography.
For enhanced security, the Customer Portal is being upgraded to use passwordless authentication through YubiKeys (device-bound passkey), see Upgrading to Passwordless.
Upgrading to Passwordless
Important
To be able to register a passkey on a YubiKey for passwordless authentication in the Customer Portal, the YubiKey firmware version must be 5.2.4 or higher (released September 2019). To check the firmware version on the YubiKey you are using, see Verify your YubiKey.
With passwordless authentication, you will only use a password during onboarding of your organization as the first user (Console Owner) logging in for the first time. As soon as you have created a passkey by registering a YubiKey, the password-based credentials are removed. Additional Customer Portal users that you add for your organization will activate their account using passwordless login by registering a YubiKey. For more information, see Onboarding.
During the migration of Customer Portal users to passwordless authentication, the login process is slightly different for existing and new Customer Portal users. The following applies:
- Existing Customer Portal users that have not yet upgraded to passwordless authentication will be given the option to move to passwordless when logging in. For a limited time, these users can still log in with their password until a passkey is registered.
- New Customer Portal users will log in through passwordless authentication by registering a YubiKey.
- SSO-authenticated users that manage SSO (Single Sign-On) configurations for their organizations will be asked to log out and in again using the username and password (not SSO) that was registered for that specific Customer Portal account. Once logged in, the passwordless migration process will begin. SSO-authenticated users that do not manage SSO configurations will not need to migrate to passwordless authentication at this point.
Note
Before upgrading to passwordless authentication, it is recommended to remove any existing synced passkeys associated with your Customer Portal account. See Best Practices - Synced Passkeys.
To upgrade to passwordless, do the following:
- Open the Customer Portal login page, have your YubiKey ready, click Create Passkey, and follow the instructions. You might be asked to set a PIN for your YubiKey if not already done.
- When the passkey has been registered on your YubiKey, you will be logged out and asked to log in again using your newly registered YubiKey. It is recommended to register an additional YubiKey in case the first one is lost; you can, however, do this at any time.
- When you have registered a YubiKey, your password-based credentials are removed, and going forward you will use your YubiKey when logging in to the Customer Portal.
For more information about passwordless migration, see also Passwordless Migration FAQs.
Removing Synced Passkeys
Before you upgrade to passwordless authentication when logging in to the Customer Portal, it is recommended to remove any existing synced passkeys associated with the Customer Portal login. For more information, see Best Practices - Synced Passkeys.
Lost or Reset YubiKey
If you lose your YubiKey, or reset it by mistake, you can no longer log in to the Customer Portal. If this happens, you must contact a Console Owner for your organization to have your account reset, see Account Resets and Role Changes. You will first receive a Reset account email asking you to request a one-time code to authenticate. When successfully authenticated, you will receive another email with an activation link which you can use to register a new YubiKey (passkey) and log in to the Customer Portal.
Account Resets and Role Changes
Console Owners can reset user accounts and change user roles. If a user needs to reset their account, the recommended way to do this is to reach out to a Console Owner in their organization. If for some reason this is not possible, Yubico can also reset a user’s account.
When resetting a user account, a Reset account email is sent to the user’s email address, asking them to request a one-time code to authenticate. When successfully authenticated, the user will receive another email with an activation link to register a YubiKey (passkey) and log in to the Customer Portal.
The Reset password option in the User details page is only visible for users that have not yet upgraded to Passwordless Authentication. When a user has been upgraded, the Reset password option is no longer displayed for the user account.
If a user previously had a password associated with their account, when resetting their account they will be migrated to passwordless authentication, and will need to register a passkey to log in to the Customer Portal.
To manage account resets and role changes, do the following:
- On the Your organization > Users page, click the Email link for the desired user to open the User details page.
- To change the role for a user:
  - Click the Edit icon in the ROLES section.
  - In the dialog that opens, select the desired roles, and click Edit roles.
- To reset the account for a user:
  - Click the Email link for the desired user.
  - In the User details page, click Reset user.
  - In the confirmation dialog, click Yes, reset user.
- To reset the password for a user:
  - Click the Email link for the desired user.
  - In the User details page, click Reset password.
  - In the confirmation dialog, click Yes, reset password.
Authenticating with SSO
Single sign-on (SSO) is an authentication method that enables users to use the same set of credentials to securely access multiple applications and services. YubiEnterprise Services supports SSO. For an organization with SSO enabled, users do not have to register.
Although they are added the same way as non-SSO-enabled users, instead of remaining in the Pending state until they follow the emailed instruction to register a security key, they are immediately added to the organization in the Active state. They can therefore use the service-provider-initiated login link to log in to the Customer Portal. For more information, see Single Sign-On (SSO).
Note
If your organization is using SSO, the options for managing credentials for logging in to the Customer Portal will not be available. Instead, credential management and Customer Portal login authentication are done through the SSO provider.
Roles and Permissions
All customer organizations must always have at least one user with the Console Owner role, and can have one or more users with the Console Admin or Console Auditor roles.
In addition to the Console Owner, Console Admin and Console Auditor roles, there are also Reseller and Distributor roles. These provide access to specific views for resellers and distributors to view their customers’ purchase orders. For more information, see Channel Partners.
Reseller and distributor organizations are added to the Customer Portal just like any other organization, and are associated with purchase orders when these are created by Yubico. A Customer Portal user can have one or none of the organization user roles, and may have one or both of the Distributor and Reseller roles.
An organization can for example be both a Customer ordering keys for its own employees, and a Reseller selling keys to end customers. This scenario requires at least one user with the Console Owner role for the organization, and the Reseller role for one or more users in the organization.
Note
Only the end customer can view the user information entered for shipment requests. The Reseller and Distributor roles do not provide permission to view or manage any Personally Identifiable Information (PII).
The following section describes the different roles and their permissions in more detail.
Customer Roles
The table below describes the permissions for the Console Owner, Console Admin and Console Auditor roles for a customer (account) organization.
| Permission | Owner | Admin | Auditor |
|---|---|---|---|
| Add/delete organization members | yes | no | no |
| Change member roles | yes | no | no |
| Reset member login credentials | yes | no | no |
| Create/edit shipment requests | yes | yes | no |
| Correct shipping addresses | yes | yes | no |
| View shipments/purchase orders/org settings | yes | yes | yes |
| Manage personal login credentials | yes | yes | yes |
| View other roles’ details | yes | yes | yes |
| Generate API token | yes | yes | no |
| Override address validation | yes | yes | no |
| Download CSV files | yes | no | no |
Console Owners, Admins, and Auditors can all view the names, email addresses and assigned roles of Customer Portal users displayed on the Your organization > Users page.
Channel Partner Roles
As a Console Owner for a channel partner organization, you can create user accounts and assign the Reseller or Distributor role to users within your organization. When creating a user, you will see the options for assigning the Reseller or Distributor role in the Create user dialog.
User Account States
All Customer Portal users have one of the following account states. To view a user’s account state, click Settings > Users, locate the desired user, and view the State column.
- Active (demo mode)
  - This user is the first user added to an organization. The user has activated their account, but they have not yet registered a passkey. Customer Portal activity is restricted to the activities described in Onboarding.
- Active
  - The user has activated their account by logging in to the Customer Portal, either through password or by registering a passkey.
- Deactivated
  - The user has been removed from all organizations, and they can no longer log in to the Customer Portal. All associated access tokens have been revoked. Console Owners can add the user to the organization again at a later date.
- Pending
  - The user has been emailed an invitation with an activation link for their Customer Portal account, but they have not yet activated their account. This is the initial state for new users.
- Reset
  - A Console Owner can reset a user’s account if it has been compromised. The user state remains “Reset” until the user follows the instructions in the account reset email sent by the system.
- Suspended
  - If a user becomes a security concern, disable system access for that user by contacting Yubico Support to have the user suspended. Any API token the user has is deleted, and their login credentials are temporarily invalidated.
  - If a suspended user tries to log in, they get the “userID/password invalid” message.
  - Only Yubico can suspend a user and only Yubico can lift such a suspension.
  - Although all access tokens are revoked, the user remains associated with their organization, so that if the suspension is lifted, Console Owners are not required to recreate the affected user.
  - All owners of the suspended user’s organization receive an email notifying them that this user is suspended and that they must contact Yubico Support to have the suspension lifted.
