Clean up Blocked YubiKey Tokens using the Okta API
Multi-Factor Authentication
Okta Identity Engine
Overview

This article provides a workflow for identifying and removing YubiKey hardware tokens that have entered a BLOCKED status, which may occur after migrating the tenant to the Okta Identity Engine (OIE).

Applies To
  • Okta Identity Engine (OIE) 
  • Multi-Factor Authentication
  • YubiKey Authenticator
  • API-based Administrative Tasks
Cause
  • YubiKeys are in a blocked status after the OIE upgrade.
  • The user to whom the YubiKey was assigned has since been deactivated or deleted.
Solution

To perform a bulk deletion of these tokens, use the Okta Factors API. It is highly recommended to use Postman for this process to ensure accuracy and to handle pagination for larger datasets. See: How to Integrate Postman with Okta.

  1. Make a GET call to /api/v1/org/factors/yubikey_token/tokens.
  2. Follow the rel="next" URL from the Link response header, appending each page of results to a CSV file, until the response carries no next link and all tokens have been exported.
  3. In the CSV file, remove every token whose status is not BLOCKED.
  4. For each remaining row, make a DELETE call to /api/v1/org/factors/yubikey_token/tokens/${tokenId}, where tokenId is the ID column of that row.
  5. To verify the result, repeat steps 1 and 2 and confirm that none of the remaining YubiKey tokens has the BLOCKED status.
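The five steps above as one script, added here as an example; it is not part of the original article and not Okta's own tooling. It assumes an API token with rights to manage org factors, supplied in the hypothetical environment variables OKTA_API_TOKEN and OKTA_ORG_URL (with OKTA_APPLY=1 to move past the dry run), and otherwise runs against constructed in-memory pages; the org URL example.okta.com and the token IDs and serials are placeholders. The real endpoints, the SSWS authorization scheme and the Link/rel="next" pagination are Okta's.

```python
"""Bulk-delete BLOCKED YubiKey tokens via the Okta Factors API (added example).
Assumed, not from the article: OKTA_API_TOKEN, OKTA_ORG_URL, OKTA_APPLY=1.
Without them the script runs against constructed sample pages."""
import json
import os
import re
import urllib.request

TOKENS_PATH = "/api/v1/org/factors/yubikey_token/tokens"

# Okta paginates with Link headers, e.g.
#   Link: <https://org.okta.com/api/v1/...?after=...&limit=200>; rel="next"
_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def parse_next_link(link_header):
    """Return the URL tagged rel="next", or None when this is the last page."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


def iterate_tokens(get, first_url):
    """Yield every token, following rel="next" until the API stops sending one."""
    url = first_url
    while url:
        page, link_header = get(url)
        yield from page
        url = parse_next_link(link_header)


def blocked_token_ids(tokens):
    """Exact match on the status Okta returns; ACTIVE and UNASSIGNED are left alone."""
    return [t["id"] for t in tokens if t.get("status") == "BLOCKED"]


def cleanup(get, delete, org_url, dry_run=True):
    """Export everything first, then delete, then re-export to verify (steps 1-5).
    Collecting all IDs before deleting matters: deleting mid-pagination shifts the cursor."""
    first_url = f"{org_url}{TOKENS_PATH}?limit=200"
    to_delete = blocked_token_ids(iterate_tokens(get, first_url))
    if not dry_run:
        for token_id in to_delete:
            delete(f"{org_url}{TOKENS_PATH}/{token_id}")
    remaining = blocked_token_ids(iterate_tokens(get, first_url))
    return {"dry_run": dry_run, "to_delete": to_delete, "remaining_blocked": remaining}


def okta_transport(api_token):
    """Real HTTP transport. Okta sends self and next as separate Link headers, so join them."""
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}

    def get(url):
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return json.load(resp), ", ".join(resp.headers.get_all("Link") or [])

    def delete(url):
        req = urllib.request.Request(url, method="DELETE", headers=headers)
        with urllib.request.urlopen(req) as resp:
            resp.read()  # 204 No Content on success; urllib raises HTTPError otherwise

    return get, delete


def fake_okta(pages, next_of):
    """Constructed in-memory stand-in for the API, used for the offline run."""
    state = {"deleted": []}

    def get(url):
        page = [t for t in pages[url] if t["id"] not in state["deleted"]]
        link = f'<{next_of[url]}>; rel="next"' if url in next_of else f'<{url}>; rel="self"'
        return page, link

    def delete(url):
        state["deleted"].append(url.rsplit("/", 1)[1])

    return get, delete, state


# Constructed sample data: two pages, two BLOCKED tokens. IDs and serials are placeholders.
ORG = "https://example.okta.com"
P1 = f"{ORG}{TOKENS_PATH}?limit=200"
P2 = f"{ORG}{TOKENS_PATH}?after=ykc2&limit=200"
SAMPLE_PAGES = {
    P1: [{"id": "ykc1", "serial": "1234567", "status": "ACTIVE"},
         {"id": "ykc2", "serial": "1234568", "status": "BLOCKED"}],
    P2: [{"id": "ykc3", "serial": "1234569", "status": "UNASSIGNED"},
         {"id": "ykc4", "serial": "1234570", "status": "BLOCKED"}],
}

if __name__ == "__main__":
    if "OKTA_API_TOKEN" in os.environ and "OKTA_ORG_URL" in os.environ:
        get, delete = okta_transport(os.environ["OKTA_API_TOKEN"])
        org = os.environ["OKTA_ORG_URL"].rstrip("/")
    else:
        get, delete, _ = fake_okta(SAMPLE_PAGES, {P1: P2})
        org = ORG
    apply = os.environ.get("OKTA_APPLY") == "1"
    print(json.dumps(cleanup(get, delete, org, dry_run=not apply), indent=2))
```

Run it once without OKTA_APPLY and keep the printed to_delete list: it is the same artifact as the filtered CSV in step 3 and is the record of what will be removed. Large tenants will hit Okta's API rate limiting (HTTP 429 responses) during the DELETE loop; the script deliberately raises on any non-2xx status rather than skipping, so a rerun after the limit resets picks up where it stopped, because already-deleted tokens no longer appear in the export.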


If a BLOCKED YubiKey is still physically functional and needs to be reused, it must be re-uploaded in the Okta Admin Console using the original (or a newly generated) YubiKey seed file after the deletion is complete. Without the seed file, the hardware token cannot be re-enrolled.
