Articles

Okta Security Keys: Hardware MFA with YubiKey (2026)

April 18, 2026 5 min read

Okta’s integration with YubiKeys for hardware MFA is surprisingly flexible, allowing you to treat them not just as a second factor, but as a primary authentication method for specific use cases.

Imagine a scenario where a user needs to log into a sensitive application. Instead of typing a password and then a code from an app, they simply tap their YubiKey. This interaction, when configured correctly, bypasses the password entirely for that specific login flow.

Here’s a peek at how Okta handles a YubiKey authentication request. When a user attempts to log in and their YubiKey is the configured primary factor for that application or their account, Okta doesn’t immediately prompt for a password. Instead, it sends a request to the user’s browser or application, signaling that a FIDO2 (or U2F) authentication challenge needs to be performed. The browser, in turn, communicates with the YubiKey via USB, NFC, or Bluetooth. The YubiKey performs a cryptographic operation using its private key (which never leaves the device) and sends the signed response back to the browser, which then forwards it to Okta. Okta verifies this signature against the public key it has on record for that specific YubiKey, and if valid, grants access. This whole dance happens in milliseconds, with the user only needing to touch their YubiKey.

The core problem Okta and YubiKeys solve is the inherent weakness of passwords and the user experience friction of traditional MFA. Passwords are prone to phishing, credential stuffing, and brute-force attacks. TOTP apps, while better, still require an attacker to compromise a second device or trick the user into revealing the code. Hardware security keys like YubiKeys, by relying on public-key cryptography and requiring physical presence, are highly resistant to phishing and remote attacks. They also streamline the login process for users once set up.

Okta allows you to configure YubiKeys in several ways:

  • As a primary factor for passwordless authentication: This is the most impactful configuration. You can designate a YubiKey as the only factor required for login to specific applications or for the entire Okta tenant. This is typically achieved using FIDO2 WebAuthn.
  • As a secondary factor: This is the more traditional MFA setup where a user first enters their password and then is prompted to use their YubiKey.
  • As a recovery factor: In case a user loses their password or other MFA methods, a registered YubiKey can be used to regain access to their account.

Let’s look at a common setup: enabling passwordless login for a specific application.

Scenario: Enabling Passwordless Login for "Internal CRM" with YubiKey

  1. Enrollment: The user must first enroll their YubiKey in Okta. This is done through the Okta End-User Dashboard under "Security Methods" > "Add Security Key". They’ll be prompted to insert their YubiKey and touch it. Okta registers the public key from the YubiKey.

  2. Application Configuration: In the Okta Admin console, navigate to Applications > Applications. Find your "Internal CRM" application.

    • Go to the Sign On tab.
    • Under "Sign On Policies," click Add policy.
    • Give the policy a name, e.g., "CRM Passwordless YubiKey Policy".
    • Under "Rules," click Add Rule.
    • Name the rule, e.g., "Require YubiKey for Passwordless".
    • Set "User must authenticate with" to Security Key.
    • Under "AND," add a condition: User’s security key is (Any).
    • Set the "Prompt for" to Never (this is crucial for passwordless).
    • Assign the policy to the "Internal CRM" application.

  3. User Experience: When a user assigned this policy tries to access "Internal CRM," Okta will directly prompt them to authenticate with their registered YubiKey, bypassing the password prompt entirely.

The exact levers you control are primarily within Okta’s Sign On Policies and Authentication Policies. For FIDO2 (passwordless) specifically, you’re configuring the order and type of factors required.

  • Sign On Policies: These determine what factors are required for an application. You can set up multiple policies and assign them to different applications or groups.
  • Authentication Policies: These are more granular and can be used to define the behavior of MFA prompts, like how often a user needs to re-authenticate or which factors are allowed. For passwordless, you’re essentially telling Okta to only expect a FIDO2 key and to not prompt for anything else.

Here’s a concrete example of an Authentication Policy rule that prioritizes a FIDO2 key for a specific group:

In the Okta Admin console: Security > Authentication Policies.

  • Create a new policy, e.g., "Passwordless App Access Policy".
  • Add a rule: "Primary FIDO2 Login".
  • User must authenticate with: Select Security Key.
  • AND: Add condition User’s security key is (Any).
  • Prompt for: Select Never (for passwordless).
  • Session lifetime: Set to your desired duration (e.g., 8 hours).
  • Ensure this policy is applied to the relevant applications or user groups.

The most surprising thing about Okta and YubiKey passwordless is how easily it can be deployed to bypass passwords entirely for high-security applications. It’s not just an add-on; it can be the primary authentication mechanism. This involves carefully crafting your authentication policies to explicitly state that a FIDO2-compliant security key is the only required factor, and crucially, setting the prompt frequency to "Never" for that specific rule. This tells Okta to directly challenge the security key without any prior password authentication.

The next concept you’ll likely explore is how to manage YubiKey lifecycle events, such as lost or stolen keys, and how to implement robust recovery processes that don’t compromise security.

Want structured learning?

Take the full Okta course →