If you are asking yourself how to get a YubiKey with a preloaded FIDO2 key, it is probably because you saw the Yubico and Okta announcement about the new feature that allows you to ship YubiKeys with pre-loaded FIDO2 keys (or maybe you thought about how big of a pain it is to enroll users with FIDO2 keys and came up with a similar solution). This feature is designed to simplify the onboarding process for users by eliminating the need for them to enroll their keys manually. However, this feature is currently only available for Okta customers. If you are an Entra ID user, you might be wondering whether you can take advantage of this feature as well.
While the idea of shipping YubiKeys with pre-loaded FIDO2 keys is appealing, it may not be the best approach for all organizations. At first glance, shipping pre-loaded FIDO2 keys looks like it might solve the chicken-and-egg problem of passwordless, but it may be a band-aid rather than the cure. It may simplify the onboarding process for users, but it also raises security concerns: how are you ensuring that the person receiving the YubiKey is the person who should be receiving it? How are you ensuring that the YubiKey is not intercepted in transit? It also raises business continuity concerns: what happens if the YubiKey is lost or blocked? Does the user have to wait 24 hours for a new one to arrive? Do you fall back to passwords in the meantime?
So how can you issue YubiKeys with pre-loaded FIDO2 keys in Entra ID? While Entra ID does not currently offer a built-in feature to ship YubiKeys with pre-loaded FIDO2 keys, we have a better alternative. By leveraging the Keytos EZCMS platform, you can easily manage and distribute YubiKeys WITHOUT any credential pre-loaded on them. Before you yell at me, let me explain. With EZCMS, you can automate the process of issuing YubiKeys to users and guide them through the enrollment process, ensuring that they securely register their FIDO2 and Entra CBA credentials with Entra ID themselves. This approach not only ensures a secure and streamlined onboarding process but also provides a more robust and flexible solution, one that also works for self-service FIDO2 and Entra CBA enrollment if the user blocks or loses their key.
This blog will not be a step-by-step guide on how to go passwordless in Entra ID, but I will give you a high-level overview of how you can use EZCMS to distribute YubiKeys and enable self-service enrollment. The process is simple and straightforward, and it can be broken down into the following steps:
1) Order YubiKeys: Order YubiKeys from Yubico in bulk and have them shipped to your organization. If you don’t want to deal with the hassle of shipping YubiKeys worldwide, you can use the Keytos YubiKey Shipping as a Service to have Keytos ship your YubiKeys directly to your users.
2) Set Up Your EZCMS Instance: Now that you have your YubiKeys, you can set up your EZCMS instance and configure it to manage them. You can follow this video, which gets you up and running in less than an hour.
3) Register Your Inventory: Register your YubiKeys in the EZCMS platform. This will help you keep track of your inventory and ensure that the right YubiKey is assigned to the right user.
4) Users Request Their YubiKey: Now users can go to EZCMS and request their key (or a key for one of their direct reports, which allows managers to request keys on behalf of new employees). Based on your configuration, either your IT team will assign the key and distribute it to the user, or the Keytos team will take care of that.
5) User Receives the YubiKey: Once the user receives the YubiKey, they can follow the instructions provided by EZCMS to securely enroll their FIDO2 and Entra CBA credentials with Entra ID (we do both certificate enrollment and FIDO2 enrollment at the same time to maximize compatibility while keeping it transparent for the user). Watch the process in action below:
6) User Recovery: If the user blocks their key, they can re-register the key themselves; there is no need to contact IT or wait for a new key to arrive. Under the covers, EZCMS will also validate the integrity of the key. You can learn more about how we worked with Yubico to make this possible here.
Now you know how to go passwordless in Entra ID and issue YubiKeys at scale. If you still have questions, schedule a FREE consultation with one of our Identity experts today, and we will be happy to help you get started on your passwordless journey.