Before “passkey” became a familiar term in our industry, Yubico had long delivered hardware-backed, phishing-resistant FIDO2-based authentication. Today, passkey adoption is accelerating. However, it has taken quite a bit longer to integrate passwordless authentication into the everyday, enterprise-grade authentication flows that today’s businesses require.
For as long as it has been possible, Yubico has used FIDO2-based methods as a second factor; now we can proudly say that the company operates with completely passwordless authentication for its core business services. This post highlights some of the high-level challenges and successes of that project.
The transition away from passwords requires quite a few changes. For Yubico, this included a change in our core workforce Identity Provider (IdP) to a new provider, changes in identity process, and a few shifts in the way that our users think of daily authentication. We also took the opportunity to improve functionality in Yubico’s central workforce identity systems, focusing on a few key areas:
- Centralized passwords
- Passwords were the first and simplest form of authentication – easy to implement and familiar to users. But despite improvements like encrypted storage, centrally stored knowledge factors still have fundamental limitations.
- If a password is complex enough to evade brute force techniques, then it’s nearly impossible to remember. Most of us need a password manager to help us create sufficiently random, complex, and lengthy passwords. Multi-factor authentication (MFA) methods shore up weaknesses in passwords, but create slightly more work for the end user to log in. Migration to modern authentication techniques streamlines logging into systems while reducing user burden and improving security.
- Out of sync directories
- Most services have their own system of users, groups, and profile parameters, which quickly become outdated without careful (and in most cases, manual) management. While federation protocols such as OIDC and SAML2 streamline authentication, a service’s native directory supports user organization, authorization, and general user experience. Today’s business requires near instant updates and directory propagation across a wide family of business-grade services.
- Burdensome manual tasks
- Manual tasks like password resets, system directory parameter synchronization, and user lifecycle management take up valuable hours of system administrator time that they could be spending elsewhere. Automation of these tasks requires a flexible, yet accessible, automation framework that was not available in our prior IdP.
To address these and other identity challenges, Yubico migrated to a solution that combines FIDO-backed YubiKeys as an authenticator with Okta Identity Engine (OIE) as an IdP. We have already seen improvements in the strength of authentication, directory synchronization, and valuable time saved.
- Improving the strength of every authentication
- When users log in through Okta at Yubico, that authentication is now passwordless. Through the use of YubiKeys, user credentials are phishing-resistant, hardware-backed, and platform agnostic. Passwordless (passkey) authentication eliminates the need for users to generate, remember, or store their account password in a password manager. It maintains multi-factor authentication by requiring PIN entry and touch presence directly on the YubiKey.
- By implementing AAGUID authenticator enrollment policies in Okta OIE, user credentials at Yubico must reside in a YubiKey. This guarantees that passkeys reside within a secure hardware element, and eliminates the risk that the credentials will be accidentally copied between synchronized devices.
- Improving the quality of directories between systems
- Adoption of Okta’s OIE allows for a wider array of third party products to synchronize their directories through SCIM, a protocol that automates directory replication between separate systems. Parameters that were previously updated manually such as group membership for users or a profile attribute update like a user’s direct manager are now automatically updated, reducing IT hours spent manually synchronizing this data.
- Time saved for end users
- Passkeys have saved our IT support and security teams significant effort and time. We have seen a ~95% decrease in credential reset requests, as our users no longer have to work with lost, forgotten, or compromised passwords. Credentials are now anchored in a high-assurance physical device: a YubiKey. Federated sign-on has decreased risk by eliminating recycled passwords, and password complexity policies are no longer needed to ensure the quality of credentials to our most sensitive corporate systems.
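The AAGUID enrollment policy described above is enforced on the relying-party side during WebAuthn registration. The following is an added example (not Yubico’s or Okta’s code) of that check: it parses the `authenticatorData` structure, extracts the AAGUID and flags, and rejects enrollment unless the AAGUID is allowlisted and both user presence (touch) and user verification (PIN) were asserted. The AAGUIDs and credential bytes are constructed placeholders, and the example assumes the attestation signature has already been verified against a trusted root, which is what makes the AAGUID trustworthy.

```python
import struct
import uuid

# Constructed placeholder AAGUIDs (not real authenticator identifiers). A real
# deployment lists the AAGUIDs of the permitted authenticator models.
PLACEHOLDER_YUBIKEY_AAGUID = uuid.UUID("00000000-0000-4000-8000-000000000001")
PLACEHOLDER_OTHER_AAGUID = uuid.UUID("00000000-0000-4000-8000-000000000002")
ALLOWED_AAGUIDS = {PLACEHOLDER_YUBIKEY_AAGUID}

FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_AT = 0x40  # attested credential data follows the fixed header

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse WebAuthn authenticatorData: rpIdHash(32) | flags(1) | signCount(4)
    | [aaguid(16) | credIdLen(2) | credId] when the AT flag is set."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    result = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        result["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        result["credential_id"] = auth_data[55:55 + cred_id_len]
    return result

def enrollment_allowed(auth_data: bytes, allowed=ALLOWED_AAGUIDS):
    """Return (ok, reason). Only call after the attestation statement has been
    verified; an unverified AAGUID is just a claim by the client."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["aaguid"] is None:
        return False, "no attested credential data"
    if parsed["aaguid"] not in allowed:
        return False, f"AAGUID {parsed['aaguid']} not in allowlist"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence not asserted"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification (PIN) not asserted"
    return True, "ok"

def build_auth_data(aaguid: uuid.UUID, flags: int, cred_id: bytes = b"\x11" * 16) -> bytes:
    """Construct a sample authenticatorData blob for local testing (COSE key omitted)."""
    header = b"\x00" * 32 + bytes([flags]) + struct.pack(">I", 1)
    return header + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id
```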
This transition would not have been possible without thorough planning and strong partnership between our IT and security teams, as well as all of our business units. There are a few factors that will help any company looking to successfully transition away from passwords and work with passwordless authentication: communications, decoupling user actions, and revisiting internal standards. Let’s break down best practices for each:
- Ensure stakeholder communications
- Passwordless authentication is a shift in habits for all users of a system, including administrators and systems architects. Start with gathering feedback and coordinating a communications plan that involves all stakeholders in your project. Honest communication coupled with setting expectations up front will pay dividends.
- Decouple hard cutovers
- When possible, soften transitions for users. If two IdPs can remain active while maintaining strength of authentication, keep both active for a time. These windows let everyone complete the migration on their own timeline ahead of a known due date.
- Placing a time window on actions such as credential enrollment and SSO cutover to downstream services reduces business risk and provides a built-in rollback plan. Soft cutovers also enable your team to build trust by being the first group to adopt new technologies and work through edge cases before you require your customers to do so.
- Revisit your identity procedures and standards
- Transitioning identity systems is the ideal time to revisit existing user naming and profile schemas and group schemas. Redesign of the schemas will reduce confusion in automatic group assignment, ease communications for your leaders, and can eliminate manual group assignment by managers. Take the time to examine your break-glass procedures and admin controls as they can also be improved.
While the transition to passwordless authentication can at first seem daunting, it has reduced overhead and streamlined user authentication. A move to passwordless authentication can significantly reduce one of the largest risk factors in any business: passwords.
Interested in learning more about how to go fully passwordless with passkeys? Check out how Okta became a phishing-resistant enterprise with YubiKeys here and in our webinar.