New Okta and Yubico integration delivers phishing-resistant authentication at enterprise scale
In October 2023, Okta and our integration partner Yubico jointly announced Yubico FIDO Pre-reg, which delivers pre-enrolled YubiKeys for phishing resistance and a streamlined passwordless onboarding experience for enterprises.
Following several months of Early Access for select customers and continued investments, this first-to-market service will reach Generally Available status in November 2024, marking an important milestone in delivering end-to-end phishing resistance from onboarding and authentication to account recovery.
As the inaugural Yubico partner for this new integration, Okta enables organizations to integrate FIDO credentials on YubiKeys seamlessly with Okta Adaptive Multi-Factor Authentication (MFA). This enables the highest level of authentication assurance and passwordless authentication from the start.
Fighting phishing has never been easier
Phishing-resistant MFA that leverages hardware keys has long been recognized as a security best practice. But implementing this approach at enterprise scale presented logistical challenges, including manually registering hardware keys and subsequently delivering these keys to the extended workforce.
Unfortunately, such inefficiency is the enemy of adoption: Our own Secure Sign-in Trends Report 2023 revealed that less than 4% of workforce users have implemented phishing-resistant authenticators, such as Okta FastPass and FIDO2 WebAuthn-based hardware keys.
Phishing-resistant onboarding in action
Yubico FIDO Pre-reg with Okta removes the logistical hurdles, making it easy for enterprises to implement phishing-resistant authentication that safeguards critical moments in the employee lifecycle — from initial onboarding, through everyday authentication, to account recovery.
Let’s look at one use case. When an administrator adds a new employee to Okta, they also add them to a YubiKey MFA group. Behind the scenes, Okta Workflows automatically populates the shipping address using information from the HR system.
The user receives a security key that is pre-registered with Okta by Yubico during production and, separately, a PIN. Upon inserting their YubiKey, entering their PIN, and tapping the YubiKey, the user is authenticated via secure FIDO2 credentials — allowing them to quickly and securely access birthright applications and other resources on day one.
Importantly:
- The high degree of automation makes this approach efficient and practical at enterprise scale, allowing organizations to roll out YubiKeys across the entire workforce.
- YubiKeys can be used as the primary, step-up, or backup authentication method in conjunction with Okta Adaptive MFA, ensuring secure user access while minimizing friction.
In the past, security and convenience — both for administrators and for users — were often at odds: Emphasizing one came at the expense of the other.
Today, technologies such as passkeys, and now Yubico FIDO Pre-reg with Okta, are eliminating such tradeoffs. Doing so makes it much easier for organizations to fully adopt end-to-end phishing resistance and roll out phishing-resistant authenticators, like YubiKeys, across the organization for enterprise users.
If you’d like to start using this integration, you can still sign up for Early Access by contacting your Okta account representative or visiting our support center.
And if you’d like to learn more about Yubico FIDO Pre-reg, be sure to register for the upcoming Oktane 2024 session: Create phishing-resistant users and go passwordless with Yubico.