Shipping Pre-registered Keys

This section describes how to install, configure, and use Yubico’s FIDO (Fast Identity Online) pre-registration service (FIDO Pre-reg) to distribute pre-registered YubiKeys to end-users, for example, employees. FIDO Pre-reg reduces the IT administrative burden and improves end-user experience by standardizing and streamlining YubiKey onboarding and account recovery.

Note

The FIDO Pre-reg integration is currently available for Early Access for the Okta IDP platform. The following YubiKeys are supported:

  • YubiKey 5 NFC
  • YubiKey 5C NFC
  • YubiKey 5 NFC FIPS Series
  • YubiKey 5C NFC FIPS Series
  • Security Key Series Enterprise Edition
  • All other form factors will be supported once the integration is publically released.

About FIDO Pre-reg

With FIDO Pre-reg the IT administrator (IT admin) for an organization can use the YubiEnterprise Delivery API together with an IDP’s WebAuthn API and automated workflows (in this case, Okta’s) to order pre-registered YubiKeys for end users. The keys are pre-registered and shipped directly to the specific end user who received a randomly generated PIN separately.

How it Works

The FIDO Pre-reg integration streamlines the deployment process with improved ease of use and enhanced security. The workflow examples below, based on Okta as IDP, illustrate the process.

FIDO Pre-reg templates, developed specifically for Okta Workflows in this case, help orchestrate the process steps. The Yubico Connector and the FIDO Pre-reg Workflow template are both integrated with the Okta Workflows console.

The flows are designed to ensure each request via the IDP (Okta) to Yubico contains all information needed to have the keys shipped to the end user. A secure and encrypted transfer process mitigates any risk of exposing sensitive information.

_images/workflow-okta-enduser1.png

Workflow: IT Admin and End User

  1. The IT admin initiates a shipment request for a pre-registered key from the IDP (Okta) tenant. This triggers the FIDO Pre-reg Okta Workflows template. All information needed to program and ship a key for an individual user is sent to Yubico through a YubiEnterprise Delivery API request. Note that only one key per shipment can be requested.
  2. The IT admin receives updates based on the shipping status, and can monitor shipments of pre-registered keys using the YubiEnterprise Console.
  3. The end user receives an email containing their PIN and their FIDO Pre-reg YubiKey is shipped to them directly. No password or registration is required. The PIN is only communicated only to the end user and is encrypted and obscured from the IDP (Okta), the IT admin, and Yubico.
  4. The end user can immediately use the YubiKey and PIN to authenticate into the IDP (Okta) where they have Single Sign-On (SSO) access to all applications to which they have access provided through the IDP.

Workflow: Credential and PIN Provisioning

  1. The IT admin initiates a shipment request for a pre-registered YubiKey from the IDP (Okta) tenant.
  2. Yubico receives the shipment request from the IDP (Okta) through the YubiEnterprise Delivery (YED) API. Yubico programs a YubiKey with the information provided in the request. The information contains the credential and PIN requests, end-user shipping information, and YubiKey form factor.
  3. After the YubiKey is programmed, a response is sent back to YubiEnterprise Delivery (YED) API including the randomly generated PIN, serial number, and firmware version. This response is retrieved by the IDP (Okta) workflows.
  4. When the IDP (Okta) workflows receive the response from the YubiEnterprise Delivery (YED) API, the YubiKey is enabled for usage. This triggers an email to the end user containing the PIN for the YubiKey.
  5. After the programming of the YubiKey the challenge and credential data, including the PIN, is purged from Yubico systems.

Additionally, the YubiKey can be used as a recovery tool for the IDP’s complementary passwordless feature such as Okta FastPass. For example, if an end user loses their phone and gets a replacement one, they can re-enroll in the IDP service using the YubiKey without needing to call their support services.

Viewing Pre-reg Shipments

You can monitor the status of pre-registered shipments for your organization in the All shipments page of the YubiEnterprise Console. Pre-registered shipments are indicated as AUTO FIDO PRE-REG in the Type column in the All shipments page.

To locate a specific pre-registered shipment, do the following:

  • Use the Filters function to filter out pre-registered shipments. Click Filters, select Auto FIDO Pre-reg as Type, and click Apply.
  • You can also use search in combination with filters to drill down further into the list of shipments. For more information, see Searching Shipments.
_images/prereg-filter.png

Editing Pre-reg Shipments

Just as for other types of shipments, you can update a pre-registered shipment from the Console until it is locked for processing and fulfillment. Shipments that can be edited are indicated with a pencil icon in the Status column of the All shipments page.

You can update the recipient and address information, the delivery type, or you can delete the shipment request. Note that products included in a pre-registered shipment request cannot be modified. For more information, see Editing or Deleting a Shipment.

Viewing Customization Information

When using pre-registered YubiKeys, you can use the Console to view customization information associated with your organizations’ shipment of keys from your FIDO Pre-reg inventory. You can for example see Customization IDs associated with your organization, and serial numbers and firmware version for pre-registered keys in a specific shipment. For more information, see Customizations.

Prerequisites

The following sections describe how to integrate FIDO Pre-reg with IDPs. The instructions are intended for IT admins who are setting up shipments of pre-registered YubiKeys for their end users in an environment with an IDP and SSO (in this case Okta).

The instructions assume IT administration skills and knowledge of YubiEnterprise Delivery API and the applicable IDP (in this case Okta). Listed tasks include steps both in the YubiEnterprise Console and the IDP applications. Refer to the IDP documentation for IDP-specific details.

Ensure the following is in place before you start integrating FIDO Pre-reg with your IDP:

  • Your company is using a supported IDP (currently Okta).
  • YubiEnterprise Delivery and a YubiEnterprise Subscription plan.
  • Customization IDs and Subscription IDs for the YubiKey models you will be shipping to end users. These IDs are provided by Yubico during onboarding of your organization. For more information about Customization IDs, see Customizations.

FIDO Pre-reg for Okta

To get started using FIDO Pre-reg with Okta and Okta Workflows, ensure you have an Okta Identity Engine (OIE) tenant with Adaptive MFA and Okta Workflows entitlements in place. For more information, see the Okta documentation.

For a more detailed description of the Okta integration, see About the Workflow Integration.

Overview of FIDO Pre-reg setup and usage:

  1. Configuring authentication:
    1. Creating authenticator groups for each YubiKey form factor you want to ship to users.
    2. Enabling WebAuthn Authenticator to allow users to authenticate with a security key.
    3. Configuring Okta policies to support the FIDO Pre-reg integration.
  2. Configuring workflows:
    1. Installing the Okta workflow-specific templates for FIDO Pre-reg.
    2. Configuring workflow connections in Okta.
  3. Creating shipment requests:
    1. Adding new users in Okta.
    2. Creating shipment requests in Okta.
    3. Activating users in Okta when the user has received their YubiKeys.

About the Workflow Integration

The following describes the integration between the Yubico Connector and the Okta Workflows. The integration provides the Yubico action cards used to set up the workflows in Okta for requesting shipments and retrieving shipment information. The Yubico workflow integration includes the action cards described below.

Action Description
Create Shipment Request
Create a new shipment request to provision
a YubiKey that will contain a pre-registered
WebAuthn credential.
Get Shipment Details
Get details about a specific shipment
request, including the shipment state, and
shipment items used for the pre-registration
of a WebAuthn credential.
Build Shipment Item
Helper action card that builds a “shipment
item” used in the “Create shipment request”
action card.
Get Public Transport Keys
and Signing Certificate

Pull the current public Yubico transport
and signing keys used to encrypt the PIN
and credential request payloads.

The input and output parameters for each action card are described in more detail in the following. For more information on how to configure workflows, see Configuring Workflow Connections.

Connection Authorization

When you add a Yubico card to a flow for the first time, you will be prompted to authorize the connection. This requires an API token generated from the YubiEnterprise Console. Once you have configured this connection and saved the API token information to it, you can reuse it for other YubiEnterprise-related actions. For more information, see Yubico Connection Authorization.

Action: Create Shipment Request

Action card to create a new shipment request to provision a YubiKey that contains a pre-registered WebAuthn credential.

Note

Product ID and Inventory Product list can be found in the Product inventory type mapping table.

Input - Create Shipment Request

Field Definition Type Req’d
Company Company name of shipment recipient Text TRUE
Email Email address of shipment recipient Text FALSE
First Name First name of shipment recipient Text FALSE
Last Name Last name of shipment recipient Text FALSE
Phone Number
Telephone number of shipment recipient

The limit is 40 of the alphanumeric
characters “0-9+-( )” unless the
country code is IN, in which case
the limit is 255.

Any format is acceptable, with or
without spaces.
Text TRUE
Address
Street address of shipment recipient

Note: This field can also include the
apartment or unit number.
Text TRUE
Apt or Unit
Number
The apartment or suite or unit number
or designation of shipment recipient.
Text FALSE
City City of shipment recipient Text TRUE
Region
2-letter region or state code of
shipment recipient. Mandatory for
recipients in the US or Canada.
Text FALSE
Postal Code
Zip code or postal code of shipment
recipient.
Text TRUE
Country Code
2-letter ISO country code of shipment
recipient.
Text TRUE
List of
Shipment
Items



List of items and their configuration
details, to be included in this
shipment.
Note: Use the action card
to construct this object.
List of
objects




TRUE





Customization
ID

ID associated with
the specific Yubico customization
assigned to an organization.
Text TRUE
Product ID
ID for the YubiKey model.
Number TRUE
Inventory
Product ID
ID for the “bucket”
containing credits for YubiKey
ordering.
Note: This is not to be confused with
the serial number on each YubiKey.
Number TRUE
Quantity
Number of keys to include in
this shipment (current limit is 1).
Number TRUE
PIN Request -
Encrypted
Customization options for YubiKey
PIN generation, wrapped as
a JWE string.

This string is the output provided by
Okta’s WebAuthn pre-registration
enroll endpoint.
Text TRUE
Credential
Requests
PublicKeyCredentialCreationOptions for
WebAuthn credential creation, wrapped
as a JWE string.

This string is the output provided by
Okta’s WebAuthn pre-registration
enroll endpoint.

Note: This input item is noted as a
list. This is due to
YubiEnterprise’s API schema, which can
accept a list of credential requests
for provisioning multiple pre-
registered WebAuthn credentials.
List of
strings












TRUE
Delivery
Type




Type of delivery to be used for the
request. If unspecified, its default
is standard.

- 1 (Standard)
- 2 (Expedited)
Number FALSE

Output - Create Shipment Request

Field Definition Type
Shipment ID
The shipment ID of the newly created
shipment.

Value is null for non-successful API
response.
Text
Shipment State ID
The shipment state of the newly created
shipment. For values, see Shipment State
Codes.

Value is null for non-successful API
responses.
Number

Action: Get Shipment Details

Action card to get details about a specific shipment including the shipment state and the shipment items used for the pre-registration of a WebAuthn credential.

Input - Get Shipment Details

Field Definition Type Req’d
Shipment ID ID for a specific shipment. Text TRUE

Output - Getting Shipment Details

Field Definition Type
Shipment State ID
The shipment state of the newly created
shipment. For values, see Shipment State
Codes.

Value is null for non-successful API
responses
Number
Shipment Items
List of items included in the shipment.
Underlying objects include details for
each item.
List of
objects

 
product_data: Details about a shipment
item. Includes:
- serial
- version
- fido_pin_response
- fido_credential_response
List of
objects




 
serial: Serial number of the item
Text
 
version: Firmware version of the item
Text
 
fido_pin_response: PIN for the item. Is
encrypted as a JWE string.

This string should be provided to Okta’s
WebAuthn pre-registration activate
endpoint.
Text
 
fido_credential_response: List of FIDO
credentials for the item. Is encrypted as
a JWE string.

This string should be provided to Okta’s
WebAuthn pre-registration activate
endpoint.
List of
strings





 
product_id: ID for the YubiKey model.
Number
 
inventory_product_id: ID for the “bucket”
containing credits for YubiKey ordering.
Note: This is not to be confused with the
serial number on each YubiKey.
Number
 
product_quantity: Number of YubiKeys to
include in this shipment
(current limit is 1).
Number

Action: Build Shipment Item

Action card that builds a shipment item used in the Create shipment request action card.

Input - Build Shipment Item

Field Definition Type Req’d
Customization ID
ID associated with the specific
Yubico customization assigned to an
organization.
Text TRUE
Product ID
ID associated with the specific
YubiKey format.
Number TRUE
Inventory
Product ID
ID for the “bucket” containing credits
for YubiKey ordering.
Number TRUE
Quantity
Number of keys to include in this
shipment (current limitation is 1).
Number TRUE
PIN Request
- Encrypted



Customization options for YubiKey PIN
generation, wrapped as a JWE string.
This string is the output provided by
Okta’s WebAuthn pre-registration enroll
endpoint.
Text TRUE
Credential
Requests -
Encrypted











PublicKeyCredentialCreationOptions for
WebAuthn credential creation, wrapped
as a JWE string.

This string is the output provided by
Okta’s WebAuthn pre-registration enroll
endpoint.

Note: This input item is noted as a
as list. This is due to
YubiEnterprise’s API schema, which can
accept a list of credential requests
for provisioning multiple
pre-registered WebAuthn credentials.
List of
strings












TRUE

Output - Build Shipment Items

Field Definition Type
Shipment Item
Object that contains configuration details
for an item to include in a shipment.
Object

Action: Get Public Transport Keys and Signing Certificate

Action card to pull the current public Yubico transport and signing keys used to encrypt the PIN and credential request payloads.

Input - Get Public Transport Keys and Signing Certificate

No input required.

Output - Get Public Transport Keys and Signing Certificate

Field Definition Type
Transport Keys -
JWKS



Yubico JWKS (JSON Web Key Set) used for
deriving an ECDH shared secret.
Primarily used for encrypting the PIN and
credential requests for the
YubiEnterprise API.
Object
Signing Public
Keys - JWKS


Yubico JWKS (JSON Web Key Set) containing
signing certificates used for signing PIN
and credential responses from the
YubiEnterprise API.
Object

Creating Authenticator Groups

Follow the steps below to create fulfillment groups for the authenticator onboarding. These groups are used when assigning form factors (types of YubiKeys) to end users when creating shipment.

In this example we will create groups with the following names based on the form factors:

  • Group 1: YubiKey 5C NFC
  • Group 2: YubiKey 5 NFC

To create the groups, do the following:

  1. In the Okta Admin console, click Directory > Groups to open the Groups page.

    _images/Admin8.png
  2. To add the first group, click Add group.

    _images/Admin9.png
  3. Name the group YubiKey 5C NFC and click Save.

    _images/Admin10-Add-group-5C-NFC.png
  4. To add the second group, click Add group, name the group YubiKey 5 NFC and click Save.

Enabling WebAuthn Authenticator

Follow the steps below to enable the FIDO2 WebAuthn authenticator, if not already done. This lets users authenticate with a security key.

  1. In the Okta Admin console, click Admin > Security.

    _images/okta-security.png
  2. Click Authenticators > Add Authenticator.

    _images/okta-add-authenticator.png
  3. Click Actions on the FIDO2 WebAuthn entry line and select Edit from the Actions drop-down menu.

    _images/Admin5.png
  4. On the General Settings tab, click Edit on the upper right.

    _images/Admin6.png
  5. Still on the General Settings tab, under Settings > User verification, select Preferred from the drop-down menu and click Save.

    Note

    The FIDO Alliance recommends UV=Required. However, you will need to assess the impact of UV=Required based on your organization’s current settings, as it may impact users across operating systems and browser types if a PIN is not set. Preferred is an option, if you are concerned about blocking other users.

    Important

    It is strongly recommend to immediately add a backup YubiKey, WebAuthn, or Fastpass enrollment as protection in case the YubiKey is lost.

Configuring Okta Policies

This section describes how to configure Okta policies to support the FIDO Pre-reg integration.

Global Session Policy

Create a Global Session Policy that is configured to establish the user session with any factor that is *not a password.

  1. In the Okta Admin console, click Security > Global session policy.

  2. Click Add Policy and enter the following information in the Edit rule window:

    • Policy Name: Yubico MFA Required GSP rule (or name that meets your company’s standard naming requirements/conventions).
    • Policy Description: YubiKey session policy (or name that meets your company’s standard naming requirements/conventions).
    • Assign to groups: YubiKey 5 NFC, YubiKey 5C NFC
      • Rule:
        • Rule name: Yubico MFA Required GSP rule (or other required name). Select Multi Factor Authentication (MFA) = Required. Leave the remaining settings as default.
  3. Click Create Rule. The result should look similar to the example below.

    _images/okta-edit-rule-2.png
  4. Set Priority #1 for the YubiKey session policy, Yubico MFA Required GSP rule you just created.

Okta Enrollment Policy

Authenticator enrollment policies let you manage how and when your end users enroll authenticators, for example to configure “WebAuthn Only”. For more information, see the Okta Authenticator documentation.

  1. In the Okta Admin console, click Security > Authenticators.

  2. On the Enrollment tab, click Add a policy.

    _images/Admin13.png
  3. Enter the following information in the Edit rule window:

    • Policy Name: Yubico WebAuthn rule (or name that meets your company’s standard naming requirements/conventions).

    • Policy Description: YubiKey WebAuthn Only policy (or name that meets your company’s standard naming requirements/conventions).

    • Assign to groups: YubiKey 5 NFC, YubiKey 5C NFC

      Rule:

      1. Rule name: Yubico WebAuthn Only rule (or other required name).
      2. Disable the following authenticators:
      • Email
      • Okta Verify
      • Password
      1. Set FIDO2 (WebAuthn) to Required.
      2. Select Any Authenticators.
  4. Click Create Rule.

    _images/enrollment-policy.jpg
  5. Set Priority #1 for the YubiKey WebAuthn Only policy you just created.

YubiKey Authentication Fulfillment Policy

Create an authentication policy that applies to the previously created YubiKey fulfillment groups (two in this example).

Important

Ensure the Authentication Policy is assigned to the ‘Okta Dashboard’ application. This is critical because end users receive an email that directs them to your organization’s Okta Dashboard.

  1. In the Okta Admin Dashboard, go to Security > Authentication Policies.

  2. Click Add a Policy. Fill in the policy fields as follows:

    • Name: YubiKey Authentication Policy (or name that meets your organization’s naming requirements/conventions)
    • Description: YubiKey Authentication Policy for YubiKey fulfillment groups.
  3. Click Add Rule. Fill in the rule fields as follows:

    • Rule name: YubiKey Authentication Fulfillment Policy

    • IF section:

      • Leave IF user’s user type is Any user type
      • Set AND user’s group membership includes At least one of the following groups:
      • Select the two YubiKey groups created previously, YubiKey 5 NFC and YubiKey 5C NFC. One at a time, start by typing their name in the field, then select each.
      • Leave the rest of the fields in the AND section as default.
    • THEN section:

      • Leave the first statement as default.
      • Set AND user must authenticate with to Possession factor
      • Set AND Possession factor constraints are to Phishing resistant and Exclude phone and email authenticators.
      • Leave the remaining settings as default.
  4. Click Create Rule.

    _images/authentication-policy.jpg
  5. Set the Global Session Policy configuration to Establish the user session with Any factor. Do not use A password.

  6. Assign YubiKey authentication fulfillment policy to the Okta Dashboard application.

  7. Set Priority #1 for the YubiKey authentication fulfillment policy you just created.

Password Policy

Since users will not have a password, create a password recovery policy that prevents self-service password change, password reset, and unlock account operations.

  1. In the Okta Admin Dashboard, go to Security > Password Policies.

  2. Click Add a Policy. Fill in the policy fields as follows:

    • Name: YubiKey Password Policy (or name that meets your company’s naming requirements/conventions).
    • Description: YubiKey Password Policy for YubiKey users.
  3. To create a Rule that prevents self-service operations, click Add Rule. Fill in the rule fields as follows:

    • Rule name: YubiKey Password Policy

    • Deselect the following:

      • Password change (from account settings)
      • Password reset
      • Unlock account
  4. Click Create Rule.

  5. Set Priority #1 for the YubiKey password policy you just created.

Installing Workflow Templates

The workflows for ordering pre-registered YubiKeys use two templates:

  • Template 1 - Triggers authenticator user enrollment, receives authenticator activation details and sends them to Yubico, receives shipping ID from Yubico, and stores this in Workflow.
  • Template 2 - Schedules jobs, receives pending shipping IDs from Template 1, checks shipment status with Yubico, gets authenticator activation, and receives, stores and sends PIN to user via email.

Downloading the FIDO Pre-reg Templates

To add the workflow templates to your Okta instance, do the following:

  1. Go to the Okta Workflows Templates catalog.
  2. Locate the Yubico FIDO Pre-reg Workflow templates.
  3. Download and save the templates.

Importing the FIDO Pre-reg Templates

  1. In Okta Admin, click Workflow and select the Flows tab.

    _images/Admin15.png
  2. Add a new folder and name it Yubico. Click the three vertical dots next to the newly created folder and select Import.

    _images/Admin16-Yubico_Flows.png
  3. Select the previously downloaded Yubico FIDO Pre-reg Workflow templates and click OK.

Configuring Workflow Connections

The following example describes how to authorize and configure the Create shipment workflow connections.

Yubico Connection Authorization

When you add a Yubico card to a flow the first time you are prompted to authorize the connection. This requires an API token generated from the YubiEnterprise Console. Once you have configured this connection and saved the API token information, you can reuse it for other YubiEnterprise-related actions. The API token is used when configuring a workflow as described below.

Creating the Okta Connection

Do the following to create the connection from the Okta org:

  1. In the Okta Admin console, open Workflows and click Connections > New Connection.

  2. Locate and select the Okta connector icon.

  3. Add a display name for the connection in the Name field, and provide a description.

    _images/okta-connector.png
  4. Enter the Client ID and Client Secret values provided in Okta Workflows OAuth.

  5. In the Domain field, enter your Okta org domain without https://, for example, company.okta.com. If your org uses a custom domain, enter the custom domain.

  6. Click Create.

Creating the Yubico Connection

Do the following to create a connection from the Yubico org:

  1. In the YubiEnterprise Console, generate an API token as described in Managing API Tokens. Save the API token in a location from where you can easily copy and paste it.

  2. In the Okta Admin console, open Workflows and click Connections > New Connection.

  3. Locate and select the Yubico connector icon.

  4. Provide a display name for the connection in the Connection Nickname field, paste the previously generated API token into the API Secret field.

    _images/Admin21.png
  5. Click Create.

Updating the Create Shipment Flow

To add customization and product IDs to the Create shipment flow, do the following:

  1. In the Okta Admin console, open Workflows, select Flows and open the Create shipment trigger - MFA Initiated workflow.

    _images/okta-mfa-trigger.png
  2. In the Create shipment page, open the drop-down menu on the Edit Conditions card.

    _images/Admin23.png
  3. Update the fields as described below using input values provided by Yubico during onboarding of your organization. Note that the product_id is “1” for key model YubiKey 5 NFC and “29” for key model YubiKey 5C NFC. For more information, see Product ID and Inventory Product ID.

    1. If product_id (for YubiKey 5 NFC): Your Customization ID.
    2. If inventory_product_id: Your Subscription ID.
    3. Else if product_id (for YubiKey 5C NFC): Your Customization ID.
    4. Else if inventory_product_id: Your Subscription ID.
    _images/CID-config1.png _images/CID-config2.png
  4. Click Save.

Shipping Pre-reg Keys to Users

The following describes how to add new users for shipments, create shipment requests, and activate users once the pre-registered key has been received by the user.

Adding Users to Directory

To add a new user, do the following:

  1. In the Okta Admin console, go to Directory > People and click Add person.

  2. In the Add Person dialog, enter information as follows:

    _images/Admin32.png
    • First name, Last name, and Username.
    • Primary email (work email) and Secondary email (personal email used prior to activation).
    • Do not assign the user to any YubiKey groups, this is done later.
    • Set Activation to “Activate later”. This creates the user in status “Staged”.
  3. Click Save.

  4. On the People page, go to Staged > User > Profile > Edit.

  5. Enter the following information required for key shipment: Primary phone, Street address, City, State, Zip code, Country code, and Organization.

  6. Click Save.

Creating Pre-reg Shipment Requests

You can create FIDO Pre-reg shipment requests either through the Okta Admin console, or using Okta Groups. The Yubico workflow templates for Okta support both methods.

In this example we will use the Okta Admin console to create a shipment request.

Note

Only one FIDO Pre-reg YubiKey at a time can be requested for an Okta tenant.

To create a shipment request, do the following:

  1. In the Okta Workflows console, ensure the Create shipment trigger - MFA initiated flow is enabled.

    Note

    We recommend that only one flow at a time be enabled: either the Group Add or the MFA Initiated flow.

    _images/okta-mfa-trigger-2.png
  2. In the Okta Admin console, ensure the user to whom you want to ship the key has a profile in the user directory. If not, create a new user as described in Adding Users to Directory.

  3. Click the profile of the desired user and do the following:

    • If using the Okta Universal Directory (UD) to source the shipping information, ensure this is populated in the user profile.
    • Alternatively, confirm the user’s shipping information is being sourced from a Human Resources Information System (HRIS) or other source of truth.
  4. In the user profile, click Pre-enrolled authenticators and then click + Add.

    _images/okta-add-enroll.png
  5. On the YubiKey enrollment and delivery page, enter the Product ID, Inventory ID, and Customization ID provided by Yubico during onboarding. See Prerequisites.

    _images/okta-enroll-ids.png
  6. On the Yubikey enrollment and delivery page, ensure all required fields are populated:

    • Primary and Secondary email address (PIN will be sent to both).
    • Primary Phone number
    • Organization
    • Shipping address
    _images/okta-enroll-info.png
  7. If the user’s shipping information is being sourced elsewhere, you will receive a message stating that it is missing. Ensure that the information is retrieved from another endpoint or update the profile values before continuing.

    _images/okta-details-missing.png
  8. Click Continue.

  9. The FIDO Pre-reg workflow is triggered and the fulfillment starts.

    _images/okta-fulfillment.png

Yubico receives a request for a pre-registered YubiKey. The request contains all information needed to program and ship the key. When the request is fulfilled and the credential is activated by Okta, the randomly generated PIN associated with the YubiKey is emailed to the user’s secondary email address.

Activating Users after Delivery

When users are created in the Directory they are set up with Activate later. When the end user has received their YubiKey, the IT admin activates the end user who completes the activation procedure.

  1. IT Admin: Clicks Activate for the user profile in the Okta Admin console.

  2. An email with a login link and PIN is triggered and sent to the user’s secondary email address.

  3. End user:

    1. Clicks the link in the email to log in to Okta.
    2. Enters their username in Okta.
    3. When prompted, inserts their YubiKey, enters their PIN, and taps the YubiKey.

    The end user is authenticated with Okta using their YubiKey.

Note

Once the credential is programmed onto the YubiKey, the challenge and credential data, including PIN, is purged from Yubico systems.

FAQs - FIDO Pre-reg for Okta

  • Will FIDO Pre-reg keys for EA (Early Access) be deducted from my existing YubiEnterprise Delivery production organization?

    Yes, FIDO Pre-reg YubiKeys can be deducted from an existing PO after a Customization ID is added. Please work with your CSM.

  • Where can I view the status of the shipment?

    Shipment status can be viewed in the YubiEnterprise Console for your FIDO Pre-reg organization. Shipment status can also be viewed in the user’s Okta profile under “Pre-Enrolled Authenticators”. However, this information is pulled from YubiEnterprise Delivery.

  • Where do I get the ProductID, InventoryProductID, and CustomizationID?

    Work with your Yubico CSM to obtain these IDs.

  • Where do I view errors with the FIDO Pre-reg template?

    As an Okta Administrator, errors and successes can be viewed in the FIDO Pre-reg Workflow Execution History. For more information, see the Okta Execution History documentation.

  • What if my shipment in the Okta Workflows Table is in an error state?

    • If the shipment is in an error state due to an invalid address within the Console, you can manually remove the shipment in the Console.
    • If the shipment is in an error state, but can be fixed, do not duplicate or re-add the entry. Manually change the state from “error” to “ongoing” in the Okta Workflows Shipments table.
  • What if the shipment request submitted has an error due to a missing user object field?

    • Review the Execution History for the Create shipment card in the FIDO Pre-reg template to determine the missing object. Navigate to the user object in the Okta Universal Directory (UD) and add the missing input into the appropriate field. Once saved, remove the user object from the YubiKey group and re-add them. This will not create duplicate requests as the first one failed during the initial flow.
    • If using an HRIS system, ensure that the user object contains all the necessary user shipping information: address, city, state, zip code, country code, organization, primary email, secondary email, and primary phone number.

    Note

    For organization, the “organization” title may need to be hardcoded in the Okta Workflow card.

  • What if I have a custom Okta domain/vanity URL?

    If your Okta organization uses vanity/custom URL, the Okta Connection in Workflows should use the custom domain org URL.

  • How does the user receive the PIN?

    The user receives an email with the randomly generated PIN to their primary and secondary email addresses listed in the Okta Universal Directory (UD).

  • What happens if a user accidentally deletes the PIN email or they are unable to retrieve it?

    In the Okta Admin console, the Okta administrator has the option to send the PIN to the user before the user makes their first authentication into the Okta tenant. After the user authenticates with their YubiKey and PIN, the “Send PIN” option is no longer available.

  • I see two trigger cards: MFA Initiated and Group Initiated. Can the group trigger still be used for EA?

    Yes, the Group Initiated trigger is available in the FIDO Pre-reg Okta Workflows template. First, disable the MFA Initiated flow and enable the Group Initiated flow card.

  • If I initiate a request using the Group Trigger, will I still see it in the user’s Okta profile?

    Yes, the request will be visible in the Okta Admin UI. In the user’s profile navigate to the “Pre-enrolled authenticators” tab.

  • What if I need to delete a FIDO Pre-reg YubiKey request?

    A request will need to be deleted in the following places: your YubiEnterprise Delivery organization and within the user’s Okta profile on the “Pre-enrolled authenticators” tab. Additionally, it can be removed from the Okta Workflow Pre-reg Shipments table. If not removed from the Shipments Table, on the next process run, the YubiEnterprise Delivery API will return a 404 message, and set the status to “error” and not run again.


To file a support ticket for YubiEnterprise Delivery, click Support.