FAQs
Frequently asked questions around YubiEnterprise Services.
Shipping and Delivery FAQs
Are there any limits or constraints on shipment requests?
Yes, see the following:
- Address Validation: Every 15 minutes, the system validates addresses; therefore you might have to wait up to 15 minutes to find out if your shipment request has been queued for fulfillment. For more information, see Shipment Status Codes.
- Availability of Stock/Inventory: Shipment allocations may be set. For more information, see Shippable Inventory.
- Non-subscription Purchases: Shipment requests can be made for up to one year after a PO is submitted.
- Subscription Purchases: Availability of products depends on the stock/inventory from which the products are drawn. For more information, see Tier Options.
Can there be unexpected delays in delivery of shipments?
YubiEnterprise Delivery Service is only available during regular business days (weekdays). It is not available on weekends or official holidays, even though there are no time constraints on the creation of shipment requests, which can be generated at any time.
YubiEnterprise Delivery Service is dependent on third parties such as courier services and is therefore impacted by their scheduled holidays.
Yubico tries to provide notification on the Console for delivery delays of more than 2 business days. Please reach out to YubiEnterprise Services Support with any further queries on shipment delivery delay.
Does YubiEnterprise Delivery track YubiKey serial numbers?
For organizations that are using pre-registered keys (FIDO Pre-reg service), a unique serial number is used to identify each pre-registered key. For more information, see Viewing Customization Details.
What Personally Identifiable Information (PII) is retained by Yubico?
Yubico retains data only as long as necessary to operate our business and to comply with statutory and regulatory requirements. We do not use this data for any purpose other than meeting our obligations to our customers (e.g. shipping YubiKeys) and to comply with applicable laws. In accordance with export controls and tax law, Yubico is required to retain shipment data for up to seven years.
What is the data retention policy and how long is data held within the YubiEnterprise Delivery Console before being purged?
Data is kept for seven (7) years to comply with export control and financial legal requirements.
What happens to YubiKeys purchased on a subscription basis after expiry of the corresponding PO/term?
Any keys not shipped are forfeited, but the date of forfeiture or expiry depends on their inventory type: see the first question in this FAQ, “Are there any limits or constraints on shipment requests?”
What happens to YubiKeys purchased outright (perpetual) after one year in inventory?
YubiEnterprise Delivery enables customers to request shipments for up to 12 months after the initial PO. YubiEnterprise Delivery will hold the customer’s inventory, regular or custom keys. When the twelve-month period is up, YubiEnterprise Delivery will ship the remainder of the keys to the original customer address on file. The customer will also be notified 60 and 30 days prior to the period expiry via email.
What taxes will be charged to the customer?
See Shipping.
How will the customer be invoiced for the cost of shipping and taxes or VAT charged on shipping?
See Shipping.
How does Yubico handle customers who are exempt from VAT/sales tax?
See Exemptions.
What is the warranty on keys on a subscription contract?
The warranty is extended to cover the full term of the subscription and applies as long as the subscription is active.
Where is YubiEnterprise Delivery available?
YubiEnterprise Delivery is available in the USA, Canada, EU, UK, Norway, Switzerland, Iceland, and Liechtenstein. YubiEnterprise Delivery is not available in EU Overseas Countries or Territories.
Can organizations that already have accounts with FedEx and UPS use those accounts with YubiEnterprise Delivery?
No, at the moment, YubiEnterprise Delivery cannot use customer-provided shipping partner accounts.
Can Yubico’s security keys and YubiKeys be custom programmed by Yubico for a customer?
Yes: the minimum initial order is 10,000 or more, with subsequent orders being at least 5,000.
What reports are available to customers to help better manage their YubiEnterprise Delivery?
YubiEnterprise Delivery customers can log into the YubiEnterprise Delivery Console and access their purchase orders, shipment requests, address book, etc. They can also download all their shipment requests and status/tracking numbers over the period.
Our business is based in the US but has locations in Europe. Can YubiEnterprise Delivery support distribution of YubiKeys in this setup?
Yes, this use case is supported. A business headquartered in North America, but having office locations and users in Europe will be able to receive YubiKeys at their respective locations, including residential addresses.
We may need to have several people in the company place orders for YubiKeys. How does YubiEnterprise Delivery satisfy that requirement?
Any individual who has administrative rights to the YubiEnterprise Delivery Console can place orders for keys through the console. Admins can be delegated across locations so that they can best gauge the numbers of users who will need YubiKeys and request shipments all at once, or over time as needed.
What is the maximum number of YubiKeys that can be included in a shipment request?
It depends on the country to which you are shipping. See Delivery Policies.
Can a shipment request be cancelled?
Yes. Shipment requests can be edited or deleted until 2am PST (10am GMT), the day after they were entered. Instructions for this procedure are given in Editing or Deleting Shipments.
What shipping delivery options are available?
Depending on the country being shipped to, one or both of the following will be available:
- Normal (standard) shipping
- Expedited (rush) shipping
For more details, see Time Frames.
What do you do with the zip_code field if it is not applicable, for example, for Canada and the EU countries?
Leave the zip_code field blank and use the postal_code field instead.
Where do I find official Yubico product images and descriptions?
The logo and product images are on Yubico’s Press room images and logos page.
FIDO Pre-reg with Okta FAQs
Where can I view the status of the shipment?
Shipment status can be viewed in the YubiEnterprise Console for your organization. Shipment status can also be viewed in the user’s Okta profile under “Pre-Enrolled Authenticators”. However, this information is pulled from YubiEnterprise Delivery.
Where do I get the product_id, inventory_product_id, and customization_id?
Work with your Yubico CSM to obtain these IDs.
Where do I view errors with the Yubico FIDO Pre-reg template?
An Okta Administrator can view errors and successes in the FIDO Pre-reg Workflow Execution History. For more information, see the Okta Execution History documentation.
What if my shipment in the Okta Workflows Table is in an error state?
- If the shipment is in an error state due to an invalid address within the Console, you can manually remove the shipment in the Console.
- If the shipment is in an error state, but can be fixed, do not duplicate or re-add the entry. Manually change the state from “error” to “ongoing” in the Okta Workflows Shipments table.
What if the shipment request submitted has an error due to a missing user object field?
- Review the Execution History for the Create shipment card in the FIDO Pre-reg template to determine the missing object. Navigate to the user object in the Okta Universal Directory (UD) and add the missing input into the appropriate field. Once the required information is provided, make the request again.
If using an HRIS system, ensure that the user object contains all the necessary user shipping information: Address, city, state, zip code, country code, organization, primary email, secondary email, and primary phone number. Once the required information is provided, make the request again.
Note
For organization, the “organization” title may need to be hardcoded in the Okta Workflow card.
What if I have a custom Okta domain/vanity URL?
If your Okta organization uses a vanity or custom URL, the Okta Connector and the Okta Device Connector in the Workflows should be configured to use the custom URL. Both the Okta and Okta Devices Connectors will need the custom URL.
How does the user receive the PIN?
The user receives an email with the randomly generated PIN to their primary and secondary email addresses listed in the Okta Universal Directory (UD).
Can the user change a PIN?
If the forcePINchange flag is set, a user can change the PIN via the Change PIN option in the Yubico Authenticator app. For more information, see Changing the FIDO2 PIN. Force PIN change is a feature of CTAP 2.1 on 5.7 firmware keys only and it must be specified by the customer ahead of time in the custom configuration form.
Important
When using the Yubico Authenticator app, ensure you click Change PIN (and not Reset PIN which will wipe the YubiKey).
Is there a PIN length requirement?
FIDO Pre-reg YubiKeys are programmed with a 6 digit randomly generated PIN.
What happens if a user forgets their PIN?
The only way to reset an unknown FIDO2 PIN is to reset the authenticator entirely. However, this will unregister your YubiKey with all accounts it has been registered with, including their pre-registered FIDO2 credential, necessitating re-enrollment using either FIDO U2F or FIDO2.
If you have a general idea of the PIN, you can try a workaround that will give you 8 PIN attempts instead of 3 before being locked out. Removing and inserting the key will give you 3 retries each time until you are locked out. Once locked out, your only option is to reset the application.
Before you do a reset, you should log in to affected accounts and unregister the key you plan to reset. Then make sure you can log back in and modify the account’s two-factor authentication (2FA) settings without your YubiKey. After the reset, you can re-register the key again. Alternatively, if you have a backup YubiKey registered with all of your accounts, you can also use this to log in to modify the 2FA settings.
What happens if a user accidentally deletes the PIN email or they are unable to retrieve it?
In the Okta Admin console, the Okta administrator has the option to send the PIN to the user before the user makes their first authentication into the Okta tenant. After the user authenticates with their YubiKey and PIN, the “Send PIN” option is no longer available.
I see two trigger cards: MFA Initiated and Group Add, why?
The Group Add trigger is available in order to allow customers to request YubiKeys based on group membership.
If I initiate a request using the Group Trigger, will I still see it in the user’s Okta profile?
Yes, the request will be visible in the Okta Admin UI. In the user’s profile navigate to the “Pre-enrolled authenticators” tab.
I would like to request more than 1 pre-registered YubiKey. How do I trigger a batch Yubico FIDO Pre-reg YubiKey request?
For information on how to trigger a batch of pre-registered YubiKeys, see Order pre-enrolled YubiKeys in a batch (Okta documentation).
What if I need to delete a FIDO Pre-reg YubiKey request?
A request will need to be deleted in the following places: your YubiEnterprise Delivery organization and within the user’s Okta profile on the “Pre-enrolled authenticators” tab. Additionally, it can be removed from the Okta Workflow Pre-reg Shipments table. If it is not removed from the Shipments table, on the next process run the YubiEnterprise API will return a 404 message, the status will be set to “error”, and the entry will not be run again.
Passwordless Migration FAQs
General
What is passwordless authentication?
Passwordless authentication allows you to log in to the YubiEnterprise Console without using a traditional username and password. Instead, you will use a “passkey,” which is a more secure digital credential. See Passwordless Authentication.
Why is the YubiEnterprise Console moving to passwordless authentication?
This change significantly enhances the security of your account and the YubiEnterprise Console. Passkeys are resistant to phishing attacks and eliminate the risks associated with weak or stolen passwords. Passkeys also provide a smoother and faster login experience.
What is a passkey (resident key)?
A passkey is a cryptographic key that is stored directly on an authenticator, such as a YubiKey or your computer/smartphone. When you log in, the website verifies your identity by checking for this key, along with your presence, for example by touching the YubiKey or providing a PIN/biometric on your device. This means your login credential will not travel over the internet in the same way a password does.
Do I need a YubiKey?
By default, YubiKeys will be required for registering your primary passkey. In future phases of the passwordless migration, your organization owner will have the ability to configure policies that may allow other types of FIDO2-compliant security keys or even syncable passkeys. These are synced across systems and devices and considered less secure.
Will I still be able to use my user name and password?
Initially, yes. During the first migration phase, username/password login will remain available. However, password-based logins will be deprecated and you will be prompted to migrate to passwordless authentication. In later phases, migration will become mandatory if you log in with a password.
Migration Process
How do I migrate to passwordless authentication?
After successfully logging in with your username and password, a dialog will appear offering you the option to register a passkey and migrate to passwordless authentication. You can choose to do it then or skip it. The dialog appears after every successful password login until you have registered a passkey and your account has been migrated. See Upgrading to Passwordless.
What happens to my password after I migrate?
Upon successful registration of a passkey, your password credentials will be deleted from the YubiEnterprise Console. You will not be able to revert to username/password-based authentication.
What if I am an SSO-managing user (Console Owner) in the Console?
If you log in via SSO and manage SSO configurations, the migration process for your underlying YubiEnterprise Console account (if it exists and uses a password) will be slightly different. You will be notified about the move to passwordless, and you will be asked to log out and log back in using your username/password (not SSO) for that specific account. Once logged in, the standard migration process will begin.
Are there any users who cannot migrate to passwordless authentication immediately?
Yes. Non-SSO-managing Console users who log in via SSO and are members of an organization that has fully enabled SSO will not need to migrate to passwordless authentication at this point.
Using and Managing Passkeys
How do I set up my passkey?
You will be guided through the passkey registration process which includes inserting your YubiKey and setting a PIN, if not already done. The registration will be tied to your existing account email, or the email address through which you received an activation link.
Can I have more than one passkey?
Yes, you can register multiple passkeys for your account. It is highly recommended to register at least two in case one is lost or damaged. You must always have at least one passkey registered.
How do I manage my passkeys (add, rename, delete)?
You will be able to manage your passkeys from your user account page. You can add new passkeys, rename existing ones for easier identification, and delete passkeys. See Managing Your Account.
What happens if I add or delete a passkey?
For security reasons, you will receive an email notification whenever a passkey is added to or removed from your account.
What if I lose my YubiKey or it stops working?
This is why registering a back-up passkey is highly recommended. If you lose all your registered passkeys or cannot access your account, contact your organization owner. They can reset your account, allowing you to register a new passkey via an activation link. Alternatively, contact your Yubico account team, or Yubico Support.
What if I have not migrated by the final deadline?
You will be locked out of the YubiEnterprise Console, and you will need to contact Yubico Support. They will provide you with an activation link, which will allow you to register a passkey and regain access to your account.
Who should I contact if I have questions or issues?
Reach out to your Yubico account team or contact Yubico Support if you have any questions or encounter issues during this transition.
To file a support ticket for YubiEnterprise Delivery, click Support.