Yubico FIDO Pre-reg with Okta makes passwordless onboarding easy

Last week at Oktane 2023, Okta and our integration partner Yubico jointly announced the FIDO Pre-reg service — marking an important milestone in the fight against phishing.

In short: The new Yubico FIDO Pre-reg service eliminates the need for admins to manually register hardware keys for members of the workforce and delivers pre-registered keys directly to employees. This empowers organizations to introduce the most secure form of phishing-resistant MFA at scale by equipping each new team member with a ready-to-go YubiKey on their first day.

With Okta as Yubico’s inaugural FIDO Pre-reg Identity provider (IdP) partner, it’s now easier than ever for organizations to combine YubiKeys with Okta Adaptive Multi-Factor Authentication for the strongest level of authentication assurance.

To help you understand why we’re so excited about Yubico FIDO Pre-reg, we’ll explain why eliminating passwords — wherever possible — should be a priority for every organization.

Passwords cause problems

In response to stronger perimeter defenses and internal controls, threat actors have focused considerable effort on Identity-related tactics, techniques, and procedures (TTPs). In fact, according to the 2023 Verizon Data Breach Investigations Report, 74% of breaches are caused by stolen credentials — a figure that rises to 86% for web application breaches.

At this problem’s core is the inherent weakness of passwords as security factors: Unlike inherence factors (e.g., biometrics) or possession factors (e.g., a hardware key), passwords can be guessed, or stolen during intrusions and subsequently sold.

Organizations have long recognized that moving to secure, passwordless access to online accounts significantly reduces cyber risk. For this reason, many have already adopted YubiKeys, which are proven to deliver strong, phishing-resistant multi-factor authentication (MFA) that stops account takeovers (ATOs) — an element of many attacks — in their tracks.

However, it can be challenging for organizations to enable the use of a hardware key on a new employee’s first day and to introduce hardware keys at scale, which ultimately limits their adoption. For example, our own Secure Sign-in Trends Report revealed that less than 4% of workforce users have adopted phishing-resistant authenticators, such as Okta FastPass and FIDO2 WebAuthn-based hardware keys, despite such authenticators being demonstrably more secure and user-friendly than other options.

Highest assurance passwordless authentication made easy

By providing fast, out-of-the-box FIDO activation through YubiKeys purchased as part of a YubiKey as a Service program, the Yubico FIDO Pre-reg service makes it easy for any organization — of any size and complexity — to implement phishing-resistant MFA.

For example, setting up a new team member is:

  • Easy for admins: When an administrator adds a new employee to Okta, they will also add them to a YubiKey MFA group. Behind the scenes, Okta Workflows automatically populates the shipping address using information from your HR system.
  • Easy for the employee: Yubico sends the new employee the YubiKey, which is pre-enrolled with the employee's credentials; the employee is provided their PIN separately from the shipped YubiKey. Upon inserting their YubiKey, entering their PIN, and tapping the YubiKey, the new employee is authenticated via secure FIDO2 credentials, allowing them to quickly and securely access birthright applications and other resources on day one!

Crucially, the same approach can be applied at scale, allowing organizations to roll out YubiKeys across the entire workforce.

Plus, YubiKeys can be used as the primary, step-up, or backup authentication method in conjunction with Okta Adaptive MFA. This ensures secure user access to any enterprise application at any time, while minimizing the friction that can stifle productivity and contribute to user frustration if only one authenticator is registered for the user.

Together, with Okta, we will continue to work towards enabling companies of all sizes to adopt a more robust security posture – making the journey and adoption toward modern MFA and phishing-resistance as easy as possible for the IT professional all the way to the end-user.

Update: As of July 2024, Yubico FIDO Pre-reg with Okta is now in Early Access, with General Availability coming in November. Learn more about how the Yubico and Okta partnership can help your business here.