YubiKey Manager Plus

Deploy YubiKey hardware MFA devices faster with ID proofing workflows, single step secure encoding, an automatic reporting manager and self-service dashboards.

IdExchange provides enterprise capabilities not available in traditional YubiKey manager software

IdExchange is a private platform that is easy to install in your cloud. It provides easy-to-use wizards, auditable workflows, and direct PKI integrations that make it drastically easier for organizations to issue YubiKey devices across a large enterprise.

ID Proof

Perform ID proofing prior to issuance to make sure the YubiKey is being deployed and associated with the correct person.

Encode

IdExchange uses the secure channel protocol to change card management keys and load certificates with a single button push.

Report

An enterprise reporting dashboard helps you keep track of issued YubiKey devices for performance and compliance needs.

Maintain

Provide post management services to enable users to change their PIN, update certificates, or replace their YubiKey.

Features at a glance
WORKFLOW              TECHNICAL                        REPORTING
Identity proofing     Custom CSR                       Chain of trust
Device Verification   Custom FIDO                      Enterprise reporting
Workflow approvals    Key attestation                  Device Inventory
Device Unlock         Management key changed           Aging
Remote Issuance       Single Step OTP consolidation    Officer Action

Designed to Accelerate YubiKey Deployment

From PKI automation to remote issuance models, IdExchange enhances the YubiKey Manager with the tools and control to scale your YubiKey deployment with speed.

Single Step Certificate Loading

Tap into the YubiKey Manager APIs to streamline certificate issuance. Provide custom data for subject alternative names, email addresses and certificate expiration dates to generate the perfect certificate for your MFA use case.

Automated Device Security

Ensure your YubiKey devices are locked down by automatically switching their default management keys with secure keys from your HSM.

Self-service tools

The IdExchange self service portal makes it easy for your workforce to encode their YubiKey from anywhere they are located…even directly from a mobile phone.

ID System Synching

Eliminate manual retrieval of identity data and instead automatically pull the information using our directory, PKI, and MFA integrations to issue custom YubiKey FIPS credentials.

Do you need to issue YubiKey devices soon?

We would love to help. We know seeing is believing so schedule a virtual demo to see just how easy it is to encode a YubiKey.

Focused on Secure Productivity

Multi-person controls, easy-to-use wizards, and simple-to-install software provide your workforce convenient and secure ways to encode their YubiKeys.

Self Service

The IdExchange self service portal makes it easy for your workforce to encode their YubiKey from anywhere they are located…even directly from a mobile phone.

Helps Improve Existing Smart Card Programs

Add an easy-to-use form factor, mobile capabilities, and new authentication protocols to an existing smart card infrastructure with no disruption risk.

Improve your current hardware MFA investments with the newest devices that support the widest range of authentication options while also ensuring compatibility with existing PKI infrastructure. Enable current card holders to easily issue their own YubiKey with the security processes defined by NIST.


PIV Registration

YubiKey FIPS Device Registration

In the demonstration below, a PIV credential holder will register their YubiKey FIPS device in accordance with the NIST 800-157 derived credential requirements. They will first authenticate with their PIV credential, secure their YubiKey device and then register the YubiKey device for approval.

https://www.youtube.com/watch?v=TF2bvh174t8&t=2s

Device Issuance

YubiKey FIPS certificate collection

In the demonstration below, the PIV credential holder will load their YubiKey FIPS device with the certificate. This process occurs after the user’s supervisor has approved the user to use their YubiKey. After the certificate is loaded into the YubiKey, the user can begin using their YubiKey as an AAL MFA credential.

https://www.youtube.com/watch?v=QF6MaRwVYN4

FIPS Support

YubiKey FIPS Support

IdExchange supports the issuance and management of the YubiKey FIPS device for organizations that require NIST SP800-63B authenticator assurance level 3 (AAL3) hardware devices.

  • Derivation and insertion of new secure management keys and PUK values
  • Generation and loading of certificates
  • Device verification and chain of custody
  • Certificate renewal
  • PIN change

FAQ

Frequently Asked Questions

Q: How will the credentials be encoded onto the YubiKey?

A: The IdExchange system will instruct the YubiKey token to generate the key pairs within its FIPS 140-2 hardware chip. Next, IdExchange will send the public key to be signed by the certificate authority. Finally, IdExchange will load the certificate onto the YubiKey token to complete the credential generation process.

Q: How can I view certificates from my YubiKey?

A: The certificates can be viewed using the YubiKey utilities or by using the Microsoft Certificate Snap-In.

Q: Can I export my credentials to PFX?

A: No, IdExchange will set the certificate to non-exportable. This is done so that the key pairs only ever remain on the YubiKey token.

Q: Do I need existing credentials to activate my YubiKey?

A: Yes, you must first be verified before the credentialing process takes place. Once initial verification is complete, you are granted a temporary credential that will allow you to log in and encode the YubiKey. Once the YubiKey is encoded, the YubiKey will serve as the credential.

Q: Can YubiKey replace my PIV card?

A: In PIV and PIV-I settings, YubiKey can be issued as a derived credential to complement the PIV credential. In PIV-C, the YubiKey can serve as the main PIV credential, giving organizations the option of using a YubiKey instead of a PIV card.

Q: Do I need to install YubiKey drivers on all of the machines I use the key with?

A: Since YubiKey is based on the PIV standard, once a YubiKey is encoded with a certificate, there are no additional drivers or software to install.

Q: What if I lose my YubiKey?

A: When your YubiKey is lost, you can contact the help desk to report the lost device. When this happens, the certificates on the YubiKey are revoked so the YubiKey can no longer be used for authentication. Next, the help desk will send you a new YubiKey to be encoded.

Q: How do I set or change my PIN?

A: The IdExchange application will allow you to change your YubiKey PIN. Additionally, the Windows tools can permit a PIN change.