Enterprise YubiKey Pre-registration and Lifecycle Management
Accelerate phishing-resistant MFA adoption with effortless user enrollment and comprehensive admin control.
Challenges with Device-Bound Passkeys
- High Cost: Many enterprises are overwhelmed by the time, cost, and logistics associated with manually provisioning and registering thousands of YubiKeys.
- Complexity: Traditional deployment methods rely on complex self-service enrollment or labor-intensive IT processes, creating friction for users and slowing the adoption of phishing-resistant authentication.
- Overburdened IT Administration: IT teams require a single pane of glass to centralize the management of YubiKeys after pre-registration, reducing reliance on manual tools.
- Audit & Compliance: Enterprises are required to maintain continuous oversight over issued YubiKeys to satisfy regulatory demands.


Yubico FIDO Pre-Registration Experience with Versasec
Streamlined for Admins
Admins can issue a YubiKey on behalf of a user, eliminating the risk, time, and cost overhead associated with self-service registration. Yubico handles the customer inventory and delivery to end users, eliminating the need to manage inventory.
1. Admin Starts Order: Admin selects a user and credential template in vSEC:CMS.
2. Order Submission: vSEC:CMS prepares and submits the order to Yubico for manufacturing and shipping.
3. Admin Notification: vSEC:CMS tracks and notifies the Admin of shipping, delivery, and YubiKey activation status.
Effortless for Users
Users receive pre-registered YubiKeys shipped directly from Yubico, enrolled in the organization’s Identity Providers (IdPs), eliminating the need for insecure and complex self-enrollment. Enjoy secure, passwordless phishing-resistant access to online accounts within minutes.
4. YubiKey Delivery: The user receives the registered YubiKey shipped directly to them.
5. PIN Activation: The user receives a separate PIN according to company policies.
6. Authenticated: Within minutes, the user is authenticated, enjoying secure, phishing-resistant access. No self-enrollment required.

Streamlined YubiKey Lifecycle Management with Versasec
Manage the complete lifecycle, not just registration. Maintain control in every phase of the YubiKey lifecycle with automated workflows and no-code integrations.
Highlights for YubiKey Lifecycle Management
- Full Control: Manage user PINs, easily revoke lost or stolen tokens, and access comprehensive audit and reporting capabilities.
- Hybrid Deployment: Seamlessly manage and enforce policies for both PKI and FIDO2 side-by-side, protecting existing investments and ensuring a high level of authentication for your whole IT infrastructure.
- IdP Agnostic: Supports enrollment of passkeys in one or multiple Identity Providers (IdPs) from one central interface (e.g., Entra ID, Okta, Ping Identity, etc.).
Built for Enterprise Security Mandates
This solution is designed for medium and large enterprises, government organizations, and highly regulated industries who are ready to scale their security.
- Pursuing Zero Trust: Actively pursuing a passwordless MFA or Zero Trust framework.
- High Volume Deployment: Need to deploy high volumes (from hundreds to multiple thousands) of YubiKeys.
- Hybrid Workforce: Operate in hybrid environments where employees work from home or remotely.
- Compliance Focused: Require centralized audit trails and compliance.
Solution Brief: Secure Your Enterprise with Pre-registered YubiKeys and Complete Enterprise Lifecycle Management
FAQs
No. With Yubico FIDO Pre-registration and Versasec, you can pre-register YubiKey tokens only for FIDO use cases. Certificate Authority (CBA) enrollment occurs after the user receives the token, using the vSEC:CMS User Self-Service application or the vSEC:CMS Admin console. Importantly, vSEC:CMS allows you to manage FIDO and PKI side-by-side.
The organization can initiate passkey creation with any IdP supported by Versasec. Currently, vSEC:CMS supports Entra ID, Entrust IDaaS, Ping Identity (PingOne and PingID), Okta, STA, and Gluu. Furthermore, within vSEC:CMS, passkeys can be enrolled for one token across multiple IdPs.
This solution is designed for medium and large enterprises, government organizations, and highly regulated industries who:
- Are actively pursuing a passwordless MFA/Zero Trust framework.
- Operate in hybrid environments where employees work from home or remotely.
- Need to deploy high volumes (from hundreds to multiple thousands) of YubiKeys.
- Are overwhelmed by manual administration and require centralized audit trails and compliance.
- Must secure YubiKeys at every stage of their lifecycle and could use automation workflows.
Versasec offers many migration paths (via a wizard) from other credential management systems (CMS or SCMS). We also provide pre-built paths for:
- Microsoft MIM/FIM migrations
- Thales SafeNet Authentication Manager (SAM) identity and access card management system
- Gemalto DAS / IDAdmin 100 smart card management tool
To migrate to vSEC:CLOUD, customers do not need to be on vSEC:CMS, but can migrate directly from any other CMS/SCMS.
vSEC:CLOUD is a service of our credential management software vSEC:CMS. It is fully subscription-based and deployed in a virtual private cloud, and Versasec will manage server hosting and upgrades for customers of all sizes.
Schedule Your 1:1 Strategic Consultation
Align Your Identity Strategy with Your Business Goals
We invite Security leaders to book a one-on-one consultation with Versasec experts. Discover how vSEC:CMS and vSEC:CLOUD can solidify your infrastructure and provide a security framework that scales.
Secure your infrastructure. Scale with confidence. Speak with an expert in your region (Select your preferred language and time zone after registration).






