Shipping Pre-registered Keys
This section describes how to install, configure, and use Yubico’s FIDO (Fast Identity Online) pre-registration service (Yubico FIDO Pre-reg) to distribute pre-registered YubiKeys to end-users, for example, employees. FIDO Pre-reg reduces the IT administrative burden and improves end-user experience by standardizing and streamlining YubiKey onboarding and account recovery.
About Yubico FIDO Pre-reg
With Yubico FIDO Pre-reg, the IT administrator (IT admin) for an organization can use the YubiEnterprise API together with an IDP’s WebAuthn API and automated workflows (in this case, Okta’s) to order pre-registered YubiKeys for end users. The YubiKeys are pre-registered and shipped directly to the specific end user, who receives a randomly generated PIN separately.
How it Works
The Yubico FIDO Pre-reg integration streamlines the deployment process with improved ease of use and enhanced security. The diagram below, based on Okta as the IDP, illustrates the process.
The Yubico FIDO Pre-reg template, developed specifically for Okta Workflows in this case, helps orchestrate the process steps. The Yubico Connector and the Yubico FIDO Pre-reg Workflow templates are both integrated with the Okta Workflows console.
The workflows are designed to ensure each request via the IDP (Okta) to Yubico contains all information needed to have the keys shipped to the end user. A secure and encrypted transfer process mitigates any risk of exposing sensitive information.
Workflow: IT Admin and End User
- The IT admin initiates a shipment request for a pre-registered key from the IDP (Okta) tenant. This triggers the Yubico FIDO Pre-reg Okta Workflows template. All information needed to program and ship a key for an individual user is sent to Yubico through a YubiEnterprise API request. Note that only one key per shipment can be requested.
- The IT admin receives updates based on the shipping status, and can monitor shipments of pre-registered keys using the YubiEnterprise Console.
- The end user receives an email containing their YubiKey PIN and their FIDO Pre-reg YubiKey is shipped to them directly. No IDP password or IDP registration is required. The YubiKey PIN is only communicated to the end user and is encrypted and obscured from the IDP (Okta), the IT admin, and Yubico.
- The end user can immediately use the YubiKey and PIN to authenticate into the IDP (Okta) where they have Single Sign-On (SSO) access to applications to which they have access provided through the IDP.
Workflow: Credential and PIN Provisioning
- The IT admin initiates a shipment request for a pre-registered YubiKey from the IDP (Okta) tenant.
- Yubico receives the shipment request from the IDP (Okta) through the YubiEnterprise Delivery (YED) API. Yubico programs a YubiKey with the information provided in the request. The information contains the credential and PIN requests, end-user shipping information, and YubiKey form factor.
- After the YubiKey is programmed, a response is sent back to YubiEnterprise Delivery (YED) API including the randomly generated PIN, serial number, and firmware version. This response is retrieved by the IDP (Okta) workflows.
- When the IDP (Okta) workflows receive the response from the YubiEnterprise Delivery (YED) API, the YubiKey is enabled for usage. This triggers an email to the end user containing the PIN for the YubiKey.
- After the YubiKey is programmed, the credential data, including the PIN, is purged from Yubico systems.
Additionally, the YubiKey can be used as a recovery tool for the IDP’s complementary passwordless feature such as Okta FastPass. For example, if an end user loses their phone and gets a replacement one, they can re-enroll in the IDP service using the YubiKey without needing to call their support services.
Viewing Pre-reg Shipments
You can monitor the status of pre-registered shipments for your organization in the All shipments page of the YubiEnterprise Console. Pre-registered shipments are indicated as AUTO FIDO PRE-REG in the Type column in the All shipments page.
To locate a specific pre-registered shipment, do the following:
- Use the Filters function to filter out pre-registered shipments. Click Filters, select Auto FIDO Pre-reg as Type, and click Apply.
- You can also use search in combination with filters to drill down further into the list of shipments. For more information, see Searching Shipments.
Editing Pre-reg Shipments
Just as for other types of shipments, you can update a pre-registered shipment from the Console until it is locked for processing and fulfillment. Shipments that can be edited are indicated with an Edit icon in the Status column of the All shipments page.
You can update the recipient and address information, the delivery type, or you can delete the shipment request. Note that products included in a pre-registered shipment request cannot be modified. For more information, see Editing or Deleting Shipments.
Viewing Customization Information
A FIDO pre-registered YubiKey is considered a customization and therefore Yubico provides each customer with a unique Customization ID. An organization’s Customization ID is required for integrations such as with Okta. To view your organization’s Customization ID, see Customizations.
General Prerequisites
The following sections describe how to integrate Yubico FIDO Pre-reg with IDPs. The instructions are intended for IT admins who are setting up shipments of pre-registered YubiKeys for their end users in an environment with an IDP and SSO.
The instructions assume IT administration skills and knowledge of YubiEnterprise API and the specific IDP. Listed tasks include steps both in the YubiEnterprise Console and the IDP application. Refer to the IDP-specific documentation for details.
Ensure the following is in place before you start integrating Yubico FIDO Pre-reg with your IDP:
- Your company is using a supported IDP (currently Okta).
- YubiKey as a Service Plus plan subscription.
- YubiEnterprise Console access with FIDO Pre-reg enabled.
- Customization IDs and Subscription IDs for the YubiKey models you will be shipping to end users. These IDs are provided by Yubico during onboarding of your organization. For more information, see Customizations.
FIDO Pre-reg with Okta
The following provides an overview of prerequisites and steps to get started using Yubico FIDO Pre-reg with Okta and Okta Workflows. See also General Prerequisites.
Prerequisites
- For an overview of the Okta authentication with pre-enrolled YubiKeys, see Require phishing-resistant authentication with pre-enrolled YubiKey (Okta documentation).
- For an understanding of the Yubico FIDO Pre-reg Workflow integration, see About the Workflow Integration.
- Ensure you have an Okta Identity Engine (OIE) tenant with Adaptive MFA and Okta Workflows entitlements in place.
- In order for users to be able to authenticate with a security key, ensure that FIDO2 WebAuthn is enabled in your Okta tenant. In the Okta Admin Console, configure User verification to use the Preferred option as described in Add the FIDO2 (WebAuthn) authenticator section (Okta documentation).
Note
The FIDO Alliance recommends UV=Required. However, you will need to assess the impact of UV=Required based on your organization’s current settings, as it may impact users across operating systems and browser types if a PIN is not set. Preferred is an option if you are concerned about blocking other users.
Important
It is strongly recommended to immediately add a backup YubiKey, WebAuthn, or FastPass enrollment as protection in case the YubiKey is lost.
Integration Procedure
The Yubico FIDO Pre-reg workflow template for Okta is flexible and you can request a pre-registered YubiKey using the following methods:
- MFA initiated - trigger shipments using Pre-enrolled authenticators in Okta Workflows console (for an individual user).
- Group Add - trigger shipments using the Group Add flow in the Okta Workflows console (for an individual user or multiple users).
- Batch requests - use the API to order YubiKeys for multiple users. For more information, see Order pre-enrolled YubiKeys in a batch (Okta documentation).
Select the applicable method for your organization and follow these steps to set up the Yubico FIDO Pre-reg integration and create a first shipment request:
About the Workflow Integration
The following describes the integration between the Yubico Connector in Okta and the Okta Workflows. The integration provides the Yubico action cards used to set up the workflows in Okta for requesting shipments and retrieving shipment information. The Yubico workflow integration includes the action cards described below.
Action | Description |
---|---|
Create Shipment Request | Create a new shipment request to provision a YubiKey that will contain a pre-registered WebAuthn credential. |
Get Shipment Details | Get details about a specific shipment request, including the shipment state, and shipment items used for the pre-registration of a WebAuthn credential. |
Build Shipment Item | Helper action card that builds a “shipment item” used in the “Create shipment request” action card. |
Get Public Transport Keys and Signing Certificate | Pull the current public Yubico transport and signing keys used to encrypt the PIN and credential request payloads. |
The input and output parameters for each action card are described in more detail in the following. For more information on how to configure workflows, see Configuring Workflow Connections.
When you add a Yubico card to a flow for the first time, you will be prompted to authorize the connection. This requires an API token generated from the YubiEnterprise Console. Once you have configured this connection and saved the API token information to it, you can reuse it for other YubiEnterprise-related actions. For more information, see Generating an Authorization Token.
Action: Create Shipment Request
Action card to create a new shipment request to provision a YubiKey that contains a pre-registered WebAuthn credential.
Note
Product ID and Inventory Product list can be found in the Product inventory type mapping table.
Input - Create Shipment Request
Field | Definition | Type | Req’d |
---|---|---|---|
Company | Company name of shipment recipient | Text | TRUE |
Email | Email address of shipment recipient | Text | FALSE |
First Name | First name of shipment recipient | Text | FALSE |
Last Name | Last name of shipment recipient | Text | FALSE |
Phone Number | Telephone number of shipment recipient. The limit is 40 of the alphanumeric characters “0-9+-( )” unless the country code is IN, in which case the limit is 255. Any format is acceptable, with or without spaces. | Text | TRUE |
Address | Street address of shipment recipient. Note: This field can also include the apartment or unit number. | Text | TRUE |
Apt or Unit Number | The apartment or suite or unit number or designation of shipment recipient. | Text | FALSE |
City | City of shipment recipient | Text | TRUE |
Region | 2-letter region or state code of shipment recipient. Mandatory for recipients in the US or Canada. | Text | FALSE |
Postal Code | Zip code or postal code of shipment recipient. | Text | TRUE |
Country Code | 2-letter ISO country code of shipment recipient. | Text | TRUE |
List of Shipment Items | List of items and their configuration details, to be included in this shipment. Note: Use the Build Shipment Item action card to construct this object. | List of objects | TRUE |
Customization ID | ID associated with the specific Yubico customization assigned to an organization. | Text | TRUE |
Product ID | ID for the YubiKey model. | Number | TRUE |
Inventory Product ID | ID for the “bucket” containing credits for YubiKey ordering. Note: This is not to be confused with the serial number on each YubiKey. | Number | TRUE |
Quantity | Number of keys to include in this shipment (current limit is 1). | Number | TRUE |
PIN Request - Encrypted | Customization options for YubiKey PIN generation, wrapped as a JWE string. This string is the output provided by Okta’s WebAuthn pre-registration enroll endpoint. | Text | TRUE |
Credential Requests | PublicKeyCredentialCreationOptions for WebAuthn credential creation, wrapped as a JWE string. This string is the output provided by Okta’s WebAuthn pre-registration enroll endpoint. Note: This input item is noted as a list. This is due to YubiEnterprise’s API schema, which can accept a list of credential requests for provisioning multiple pre-registered WebAuthn credentials. | List of strings | TRUE |
Delivery Type | Type of delivery to be used for the request. If unspecified, its default is standard. Values: 1 (Standard), 2 (Expedited). | Number | FALSE |
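The field rules in the table above can be checked before the Create Shipment Request card runs, so that a missing or malformed value is caught in the flow rather than as a failed API call. The following is an added example, not Yubico or Okta code: the recipient key names (`company`, `phone_number`, `pin_request`, and so on) are hypothetical stand-ins for the card's display names, the phone rule is implemented as one reading of the table text, and the sample request is constructed.

```python
import re

# Key names are hypothetical stand-ins for the action card's display names;
# product_id, inventory_product_id and product_quantity are names the page uses.
REQUIRED = ("company", "phone_number", "address", "city",
            "postal_code", "country_code", "shipment_items")
ITEM_REQUIRED = ("customization_id", "product_id", "inventory_product_id",
                 "product_quantity", "pin_request", "credential_requests")
PHONE_CHARS = re.compile(r"[0-9+\-() ]+")
TWO_LETTERS = re.compile(r"[A-Z]{2}")


def is_blank(value):
    """True for None and for empty strings or lists (0 is a valid number)."""
    return value is None or (isinstance(value, (str, list)) and not value)


def validate_item(item, index):
    """Check one shipment item against the item rows of the table."""
    where = f"shipment_items[{index}]"
    errors = [f"{where}.{key}: required"
              for key in ITEM_REQUIRED if is_blank(item.get(key))]
    if item.get("product_quantity") not in (None, 1):
        errors.append(f"{where}.product_quantity: current limit is 1")
    creds = item.get("credential_requests")
    if creds and not (isinstance(creds, list)
                      and all(isinstance(c, str) for c in creds)):
        errors.append(f"{where}.credential_requests: must be a list of strings")
    return errors


def validate_shipment_request(req):
    """Return a list of problems; an empty list means the request is complete."""
    errors = [f"{key}: required" for key in REQUIRED if is_blank(req.get(key))]

    country = str(req.get("country_code") or "")
    if country and not TWO_LETTERS.fullmatch(country):
        errors.append("country_code: must be a 2-letter ISO code")

    region = str(req.get("region") or "")
    if country in ("US", "CA") and not region:
        errors.append("region: mandatory for recipients in the US or Canada")
    elif region and not TWO_LETTERS.fullmatch(region):
        errors.append("region: must be a 2-letter code")

    # Reading of the phone rule: at most 40 characters (255 for IN), all
    # drawn from the set 0-9 + - ( ) and space.
    phone = str(req.get("phone_number") or "")
    limit = 255 if country == "IN" else 40
    if phone and (len(phone) > limit or not PHONE_CHARS.fullmatch(phone)):
        errors.append(f"phone_number: max {limit} characters from '0-9+-( )'")

    if req.get("delivery_type") not in (None, 1, 2):
        errors.append("delivery_type: must be 1 (Standard) or 2 (Expedited)")

    items = req.get("shipment_items") or []
    if not isinstance(items, list):
        return errors + ["shipment_items: must be a list of objects"]
    if len(items) > 1:
        errors.append("shipment_items: only one key per shipment")
    for index, item in enumerate(items):
        errors.extend(validate_item(item, index))
    return errors


# Constructed sample request; the IDs and JWE strings are placeholders.
SAMPLE_REQUEST = {
    "company": "Example Corp",
    "phone_number": "+1 (555) 010-0100",
    "address": "1 Constructed Way",
    "city": "Springfield",
    "region": "IL",
    "postal_code": "62701",
    "country_code": "US",
    "delivery_type": 1,
    "shipment_items": [{
        "customization_id": "CUSTOMIZATION-ID-PLACEHOLDER",
        "product_id": 1,
        "inventory_product_id": 9999,
        "product_quantity": 1,
        "pin_request": "<JWE from the enroll endpoint>",
        "credential_requests": ["<JWE from the enroll endpoint>"],
    }],
}

if __name__ == "__main__":
    print(validate_shipment_request(SAMPLE_REQUEST) or "request is complete")
```
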
Output - Create Shipment Request
Field | Definition | Type |
---|---|---|
Shipment ID | The shipment ID of the newly created shipment. Value is null for non-successful API response. | Text |
Shipment State ID | The shipment state of the newly created shipment. For values, see Shipment State Codes. Value is null for non-successful API responses. | Number |
Action: Get Shipment Details
Action card to get details about a specific shipment including the shipment state and the shipment items used for the pre-registration of a WebAuthn credential.
Input - Get Shipment Details
Field | Definition | Type | Req’d |
---|---|---|---|
Shipment ID | ID for a specific shipment. | Text | TRUE |
Output - Getting Shipment Details
Field | Definition | Type |
---|---|---|
Shipment State ID | The shipment state of the newly created shipment. For values, see Shipment State Codes. Value is null for non-successful API responses. | Number |
Shipment Items | List of items included in the shipment. Underlying objects include details for each item. | List of objects |
product_data | Details about a shipment item. Includes: serial, version, fido_pin_response, fido_credential_response. | List of objects |
serial | Serial number of the item. | Text |
version | Firmware version of the item. | Text |
fido_pin_response | PIN for the item. Is encrypted as a JWE string. This string should be provided to Okta’s WebAuthn pre-registration activate endpoint. | Text |
fido_credential_response | List of FIDO credentials for the item. Is encrypted as a JWE string. This string should be provided to Okta’s WebAuthn pre-registration activate endpoint. | List of strings |
product_id | ID for the YubiKey model. | Number |
inventory_product_id | ID for the “bucket” containing credits for YubiKey ordering. Note: This is not to be confused with the serial number on each YubiKey. | Number |
product_quantity | Number of YubiKeys to include in this shipment (current limit is 1). | Number |
Action: Build Shipment Item
Action card that builds a shipment item used in the Create shipment request action card.
Input - Build Shipment Item
Field | Definition | Type | Req’d |
---|---|---|---|
Customization ID | ID associated with the specific Yubico customization assigned to an organization. | Text | TRUE |
Product ID | ID associated with the specific YubiKey format. | Number | TRUE |
Inventory Product ID | ID for the “bucket” containing credits for YubiKey ordering. | Number | TRUE |
Quantity | Number of keys to include in this shipment (current limitation is 1). | Number | TRUE |
PIN Request - Encrypted | Customization options for YubiKey PIN generation, wrapped as a JWE string. This string is the output provided by Okta’s WebAuthn pre-registration enroll endpoint. | Text | TRUE |
Credential Requests - Encrypted | PublicKeyCredentialCreationOptions for WebAuthn credential creation, wrapped as a JWE string. This string is the output provided by Okta’s WebAuthn pre-registration enroll endpoint. Note: This input item is noted as a list. This is due to YubiEnterprise’s API schema, which can accept a list of credential requests for provisioning multiple pre-registered WebAuthn credentials. | List of strings | TRUE |
Output - Build Shipment Items
Field | Definition | Type |
---|---|---|
Shipment Item | Object that contains configuration details for an item to include in a shipment. | Object |
Action: Get Public Transport Keys and Signing Certificate
Action card to pull the current public Yubico transport and signing keys used to encrypt the PIN and credential request payloads.
Input - Get Public Transport Keys and Signing Certificate
No input required.
Output - Get Public Transport Keys and Signing Certificate
Field | Definition | Type |
---|---|---|
Transport Keys - JWKS | Yubico JWKS (JSON Web Key Set) used for deriving an ECDH shared secret. Primarily used for encrypting the PIN and credential requests for the YubiEnterprise API. | Object |
Signing Public Keys - JWKS | Yubico JWKS (JSON Web Key Set) containing signing certificates used for signing PIN and credential responses from the YubiEnterprise API. | Object |
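The PIN and credential payloads pass through the workflow as JWE strings, so a flow that relays or logs them can confirm that each value is still an opaque compact JWE without decrypting anything. The following is an added example, not Yubico or Okta code: it applies the compact-serialization rules of RFC 7516, the expectation of an ECDH-ES family `alg` is an assumption drawn from the "ECDH shared secret" wording above, and the sample token is constructed and carries no real ciphertext.

```python
import base64
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]*")


def b64url_decode(part):
    """Decode unpadded base64url as used by JOSE."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def inspect_jwe(value, require_ecdh=True):
    """Validate the shape of a compact JWE and return its protected header.

    Nothing is decrypted; only the header, which is not confidential, is read.
    Raises ValueError when the value is not a well-formed compact JWE.
    """
    if not isinstance(value, str):
        raise ValueError("not a string")
    parts = value.split(".")
    if len(parts) != 5 or not all(B64URL.fullmatch(p) for p in parts):
        raise ValueError("not a compact JWE (need 5 base64url parts)")
    header_b64, encrypted_key, iv, ciphertext, tag = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("protected header is not base64url JSON") from exc
    if not isinstance(header, dict) or "alg" not in header or "enc" not in header:
        raise ValueError("protected header lacks alg/enc")
    if not (iv and ciphertext and tag):
        raise ValueError("missing IV, ciphertext or authentication tag")
    if require_ecdh:
        alg = header["alg"]
        # Assumption: payloads use an ECDH-ES key-agreement algorithm.
        if not isinstance(alg, str) or not (
                alg == "ECDH-ES" or alg.startswith("ECDH-ES+")):
            raise ValueError(f"unexpected key management alg: {alg!r}")
        if "epk" not in header:
            raise ValueError("ECDH-ES header must carry an ephemeral key (epk)")
        # Direct agreement has an empty key part; key-wrap variants do not.
        if (alg == "ECDH-ES") != (encrypted_key == ""):
            raise ValueError("encrypted key part inconsistent with alg")
    return header


def log_summary(field, value):
    """One log-safe line for a relayed field: header facts and sizes only."""
    header = inspect_jwe(value)
    size = len(value.split(".")[3])
    return (f"{field}: JWE alg={header['alg']} enc={header['enc']} "
            f"kid={header.get('kid')} ciphertext_b64_len={size}")


def constructed_jwe(alg="ECDH-ES", encrypted_key=""):
    """Build a structurally valid but meaningless token (constructed sample)."""
    header = {"alg": alg, "enc": "A256GCM", "kid": "constructed-kid",
              "epk": {"kty": "EC", "crv": "P-256", "x": "AA", "y": "AA"}}
    head = base64.urlsafe_b64encode(json.dumps(header).encode())
    return ".".join([head.rstrip(b"=").decode(), encrypted_key,
                     "AAAAAAAAAAAAAAAA", "Y29uc3RydWN0ZWQ",
                     "AAAAAAAAAAAAAAAAAAAAAA"])


if __name__ == "__main__":
    print(log_summary("fido_pin_response", constructed_jwe()))
    try:
        inspect_jwe("123456")  # a plaintext PIN must never reach this point
    except ValueError as err:
        print("rejected:", err)
```
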
Creating Groups for New and Existing Users
In this step you will create groups for new and existing users in Okta. For information on how to do this, see Create groups for new and existing users (Okta documentation).
Configuring Okta Policies
In this step you will configure the Okta policies to support the Yubico FIDO Pre-reg integration.
Global Session Policy
Create a Global Session Policy that is configured to establish the user session with any factor that is not a password. For information on how to do this, see Configure a global session policy (Okta documentation).
Authenticator Enrollment Policy
Authenticator enrollment policies let you manage how and when your end users enroll authenticators, for example to use “WebAuthn Only”. For more information, see Configure an authenticator enrollment policy (Okta documentation).
Adding the FIDO Pre-reg Workflow Template
In this step you will add the Yubico FIDO Pre-registration Okta workflow template to your Okta instance. The template includes flows for, among others, shipment triggers, shipment processing, and credential mapping.
To add the workflow templates to your Okta instance, do the following:
- Go to the Okta Workflows Template catalog.
- Locate the Yubico FIDO Pre-reg Workflow template by searching for “Yubico FIDO Pre-reg” in the search bar within the Okta Workflows console.
- Click Add Template.
Configuring Workflow Connections
In this step you will authorize and configure the Create shipment workflow connections.
Generating an Authorization Token
When you add a Yubico card to a flow the first time you are prompted to authorize the connection. This requires an API token generated from the YubiEnterprise Console. Once you have configured the connection and saved the API token, you can reuse it for other YubiEnterprise-related actions. For more information, see Generating API tokens.
Creating Connection from Okta Org
Do the following to create the connection from the Okta org:
- In the Okta Admin console, open Workflows and click Connections > New Connection.
- Locate and select the Okta connector icon.
- Add a display name for the connection in the Name field, and provide a description.
- Enter the Client ID and Client Secret values provided in Okta Workflows OAuth.
- In the Domain field, enter your Okta org domain without https://, for example, company.okta.com. If your org uses a custom domain, enter the custom domain.
- Click Create.
Creating Connection from Yubico Org
Do the following to create a connection from the Yubico org:
- If not already done, generate an API token as described in Generating an Authorization Token. Save the API token in a location from where you can easily copy and paste it.
- In the Okta Admin console, open Workflows and click Connections > New Connection.
- Locate and select the Yubico connector icon.
- Provide a display name for the connection in the Connection Nickname field, and paste the previously generated API token into the API Secret field.
- Click Create.
Updating the Create Shipment - Group Add Flow
If requesting a pre-registered YubiKey via the Group Add flow, you will need to add customization and product IDs to the Create shipment - Group Add flow as described in the following:
- In the Okta Admin console, open Workflows, select Flows and open the Create shipment trigger - Group add workflow.
- In the Create shipment page, open the dropdown menu on the Edit Conditions card.
- Update the fields as described below using input values provided by Yubico during onboarding of your organization. Note that in this example, the product_id is “1” for key model YubiKey 5 NFC and “29” for key model YubiKey 5C NFC. For more information, see Product and Inventory Identifiers.
  - If product_id (for YubiKey 5 NFC): Your Customization ID.
  - If inventory_product_id: Your Subscription ID.
  - Else if product_id (for YubiKey 5C NFC): Your Customization ID.
  - Else if inventory_product_id: Your Subscription ID.
- Click Save.
Shipping Pre-reg Keys to Users
In this step you will add new users for shipments and create a shipment request. In order to make a shipment request, the following information is required for the user, either from the Okta Universal Directory (UD) or from your organization’s HRIS (Human Resources Information System):
- First Name
- Last Name
- Street Address
- City
- State/Province (two-letter format)
- Postal Code
- Country Code
- Primary email
- Secondary email (for onboarding new users to receive a PIN)
- Primary phone number
- Organization
Adding New Users to Directory
The following describes how to add a new user with status “Staged” in Okta. For more information, see Create staged user (Okta documentation).
To add a new user, do the following:
- In the Okta Admin console, go to Directory > People and click Add person.
- In the Add Person dialog, enter information as follows:
- First name, Last name, and Username.
- Primary email (work email) for active users.
- Secondary email (personal email used prior to activation for new users).
- Do not assign the user to any YubiKey groups, this is done later.
- Set Activation to “Activate later”. This creates the user in status “Staged”.
- Click Save.
- On the People page, go to Staged > User > Profile > Edit.
- Enter the following information required for key shipment: Primary phone, Street address, City, State, Zip code, Country code, and Organization.
- Click Save.
Creating a Pre-reg Shipment Request
In this step, you will create a Yubico FIDO Pre-reg shipment request. You can create shipment requests either through the Okta Admin console using Okta Groups, or using the API for batch shipment requests. See Integration Procedure.
In this example we will use the Pre-enrolled authenticators option in the Okta Workflows console to create a shipment request.
Note
Only one FIDO Pre-reg YubiKey at a time can be requested for an Okta tenant.
To create a shipment request, do the following:
- In the Okta Workflows console, ensure the Create shipment trigger - MFA initiated flow is enabled.
  Note: It is recommended that only one flow at a time be enabled: either the Group Add or the MFA Initiated flow.
- In the Okta Admin console, ensure the user to whom you want to ship the key has a profile in the user directory. If not, create a new user as described in Adding New Users to Directory.
- Click the profile of the desired user and do the following:
  - If using the Okta Universal Directory (UD) to source the shipping information, ensure this is populated in the user profile.
  - Alternatively, confirm the user’s shipping information is being sourced from an HRIS or other source of truth.
- In the user profile, click Pre-enrolled authenticators and then click + Add.
- On the YubiKey enrollment and delivery page, enter the Product ID, Inventory ID, and Customization ID provided by Yubico during onboarding. See General Prerequisites.
- On the YubiKey enrollment and delivery page, ensure all required fields are populated: Primary and secondary Email address (PIN will be sent to both), primary Phone number, Organization, and Shipping address.
  If the user’s shipping information is being sourced elsewhere, you will receive a message stating that it is missing. Ensure that the information is retrieved from another endpoint or update the profile values before continuing.
- Click Continue.
The Yubico FIDO Pre-reg workflow is triggered and the fulfillment starts.
Yubico receives a request for a pre-registered YubiKey. The request contains all information needed to program and ship the key. When the request is fulfilled and the credential is activated by Okta, the randomly generated PIN associated with the YubiKey is emailed to the user’s secondary email address (new user). For existing users, it will be sent to their primary email address.
Note
Once the credential is programmed onto the YubiKey, the challenge and credential data, including PIN, is purged from Yubico systems.
FAQs - FIDO Pre-reg for Okta
Where can I view the status of the shipment?
Shipment status can be viewed in the YubiEnterprise Console for your organization. Shipment status can also be viewed in the user’s Okta profile under “Pre-Enrolled Authenticators”. However, this information is pulled from YubiEnterprise Delivery.
Where do I get the product_id, inventory_product_id, and customization_id?
Work with your Yubico CSM to obtain these IDs.
Where do I view errors with the Yubico FIDO Pre-reg template?
As an Okta Administrator, errors and successes can be viewed in the FIDO Pre-reg Workflow Execution History. For more information, see the Okta Execution History documentation.
What if my shipment in the Okta Workflows Table is in an error state?
- If the shipment is in an error state due to an invalid address within the Console, you can manually remove the shipment in the Console.
- If the shipment is in an error state, but can be fixed, do not duplicate or re-add the entry. Manually change the state from “error” to “ongoing” in the Okta Workflows Shipments table.
What if the shipment request submitted has an error due to a missing user object field?
- Review the Execution History for the Create shipment card in the FIDO Pre-reg template to determine the missing object. Navigate to the user object in the Okta Universal Directory (UD) and add the missing input into the appropriate field. Once the required information is provided, make the request again.
If using an HRIS system, ensure that the user object contains all the necessary user shipping information: Address, city, state, zip code, country code, organization, primary email, secondary email, and primary phone number. Once the required information is provided, make the request again.
Note
For organization, the “organization” title may need to be hardcoded in the Okta Workflow card.
What if I have a custom Okta domain/vanity URL?
If your Okta organization uses a vanity or custom URL, the Okta Connector and the Okta Device Connector in the Workflows should be configured to use the custom URL. Both the Okta and Okta Devices Connectors will need the custom URL.
How does the user receive the PIN?
The user receives an email with the randomly generated PIN to their primary and secondary email addresses listed in the Okta Universal Directory (UD).
Can the user change a PIN?
If the forcePINchange flag is set, a user can change the PIN via the Change PIN option in the Yubico Authenticator app. For more information, see Changing the FIDO2 PIN. Force PIN change is a feature of CTAP 2.1 on 5.7 firmware keys only and it must be specified by the customer ahead of time in the custom configuration form.
Important
When using the Yubico Authenticator app, ensure you click Change PIN (and not Reset PIN which will wipe the YubiKey).
Is there a PIN length requirement?
FIDO Pre-reg YubiKeys are programmed with a 6 digit randomly generated PIN.
What happens if a user forgets their PIN?
The only way to reset an unknown FIDO2 PIN is to reset the authenticator entirely. However, this will unregister the YubiKey from all accounts it has been registered with, including the pre-registered FIDO2 credential, necessitating re-enrollment using either FIDO U2F or FIDO2.
If you have a general idea of the PIN, you can try a workaround that will give you 8 PIN attempts instead of 3 before being locked out. Removing and inserting the key will give you 3 retries each time until you are locked out. Once locked out, your only option is to reset the application.
Before you do a reset, you should log in to affected accounts and unregister the key you plan to reset. Then make sure you can log back in and modify the account’s two-factor authentication (2FA) settings without your YubiKey. After the reset, you can re-register the key again. Alternatively, if you have a backup YubiKey registered with all of your accounts, you can also use this to log in to modify the 2FA settings.
What happens if a user accidentally deletes the PIN email or they are unable to retrieve it?
In the Okta Admin console, the Okta administrator has the option to send the PIN to the user before the user makes their first authentication into the Okta tenant. After the user authenticates with their YubiKey and PIN, the “Send PIN” option is no longer available.
I see two trigger cards: MFA Initiated and Group Add, why?
The Group Add trigger is available in order to allow customers to request YubiKeys based on group membership.
If I initiate a request using the Group Trigger, will I still see it in the user’s Okta profile?
Yes, the request will be visible in the Okta Admin UI. In the user’s profile navigate to the “Pre-enrolled authenticators” tab.
I would like to request more than 1 pre-registered YubiKey. How do I trigger a batch Yubico FIDO Pre-reg YubiKey request?
For information on how to trigger a batch of pre-registered YubiKeys, see Order pre-enrolled YubiKeys in a batch (Okta documentation).
What if I need to delete a FIDO Pre-reg YubiKey request?
A request will need to be deleted in the following places: your YubiEnterprise Delivery organization and within the user’s Okta profile on the “Pre-enrolled authenticators” tab. Additionally, it can be removed from the Okta Workflow Pre-reg Shipments table. If not removed from the Shipments Table, on the next process run, the YubiEnterprise API will return a 404 message, and set the status to “error” and not run again.