Okta Classic Engine | Multi-Factor Authentication | Answered | 2022-10-05T13:46:40.000Z | 2022-10-10T13:03:54.000Z

JyothsnaS.01792 (Customer) asked a question.

Reassign blocked YubiKeys to new users

Hi,

We have some of the keys showing in the report as blocked. We would like those to be reassigned to other users.

We can delete the YubiKey and generate a seed file for that key alone.

My question is: if we upload that seed file, will the already existing keys and all their details be replaced by this single-key seed file? Do I lose all the existing keys with valid assigned users when uploading a new seed file that contains only one key's details?

I saw the steps below in a community post:

1. Remove/disassociate the YubiKey from the user object in Okta. - Is this the same as deleting it from the YubiKey MFA screen?

Below it shows as unassigned, but in the report it is blocked.


2. Delete the YubiKey entirely from the Okta console.

3. Re-upload the seed for that key, by serial *, from the encrypted seed file. - Here, does it replace all existing seeds and assignments?

4. Distribute the key to a new user.

5. Have them enroll the key as usual.


    Thank you for contacting Okta. My name is Bogdan, and I will gladly assist you.

     

    The short answer is that if you delete the unassigned/blocked YubiKeys, it will not affect the current working users, as you only "target" the YubiKeys that are not in use at that time.

    If you try to upload a new seed file without deleting the invalid/blocked/unassigned YubiKeys, you will get the "Seeds are either duplicates or not applicable" error message.

     

    Based on:

     

    Click View Report to view a list containing the serial values of all your assigned and unassigned YubiKeys. Alternatively, you can find the same information from the Reports page, under the MFA Usage link.

    A report can be run at any time to view:

    • Active tokens (YubiKeys that are associated with users).
    • Blocked tokens (YubiKeys that were once active, but have since been reset by the end user or the Okta admin).
    • Unassigned tokens (an unassigned YubiKey has secret values uploaded and is ready to be self-enrolled by an end user).
    • Names of assigned end users.

     

    Remove a lost, stolen, or invalid YubiKey

    • A user can be unauthorized from a YubiKey hard token if the token is lost or stolen.
    • A token is non-transferable and may be replaced. If an end user reports a lost or stolen YubiKey, unassign the token based on its unique serial number by using the same method to remove an unassigned YubiKey.
    • For auditing purposes, a YubiKey can't be deleted once assigned to a user. Even if it has been revoked or reassigned, it will remain in the report when generated.
    • A YubiKey must be deleted and re-uploaded to be reassigned to a user.
    • A YubiKey that has not been assigned to a user may be deleted.
    • A YubiKey serial can't be removed if it is currently active for a user.

    From the YubiKey tab:

    1. Enter the serial number into the Revoke YubiKey Seed field.
    2. Click the Find YubiKey button.
    3. A Delete YubiKey modal appears to verify that you wish to permanently delete the YubiKey.
    4. A confirmation page appears. Click the Done button.

     

    Best Practice: If a lost YubiKey is found, it's a best practice to simply discard the old token. An admin can also reprogram the YubiKey by following the steps within the Programming YubiKeys for Okta file, which can be found in Configuring YubiKey Tokens. This generates a new Configuration Secrets file for upload, and allows the token to be re-enrolled by any end user within the Okta framework.

     

    If you have additional questions or concerns, I advise you to open a ticket with us using:

     

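Added example, not from this post or from Okta: a small Python helper that applies the rule in the answer above when preparing a seed file for re-upload. It assumes a hypothetical CSV layout with a `serial` column (the real Configuration Secrets layout is not shown here), a constructed status map taken from the MFA report, and a set of serials the admin has already deleted in the console; active serials are left alone and blocked/unassigned serials are kept only once deleted, so the upload does not hit the "duplicates or not applicable" error.

```python
"""Select which rows of a YubiKey seed CSV can be re-uploaded into Okta."""
import csv
import io

# Constructed sample seed file. The column layout is an assumption; only the
# 'serial' column is relied on. Row 2222222 appears twice on purpose.
SEED_CSV = """serial,public_id,private_id,secret_key
1111111,vvcccccbbbbb,010203040501,00112233445566778899aabbccddeeff
2222222,vvcccccbbbbc,010203040502,ffeeddccbbaa99887766554433221100
3333333,vvcccccbbbbd,010203040503,0123456789abcdef0123456789abcdef
2222222,vvcccccbbbbc,010203040502,ffeeddccbbaa99887766554433221100
4444444,vvcccccbbbbe,010203040504,fedcba9876543210fedcba9876543210
"""

# Constructed statuses as they would appear in the MFA usage report.
REPORT = {"1111111": "active", "2222222": "blocked", "3333333": "unassigned"}
# Serials the admin has already deleted via "Revoke YubiKey Seed" (constructed).
DELETED = {"2222222"}

FIELDS = ["serial", "public_id", "private_id", "secret_key"]


def select_reuploadable(seed_csv: str, report: dict, deleted: set):
    """Return (rows safe to upload, reasons for every row left out)."""
    keep, skipped, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(seed_csv)):
        serial = row["serial"].strip()
        if serial in seen:  # duplicate line inside the seed file itself
            skipped.append(f"{serial}: duplicate row in seed file")
            continue
        seen.add(serial)
        status = report.get(serial)
        if status == "active":  # cannot be removed while active for a user
            skipped.append(f"{serial}: still active for a user, left untouched")
        elif status in ("blocked", "unassigned") and serial not in deleted:
            skipped.append(f"{serial}: {status} but still present in Okta; "
                           "delete it first or the upload is rejected as a duplicate")
        else:  # deleted in Okta, or never uploaded: safe to (re)upload
            keep.append(row)
    return keep, skipped


def write_seed_file(rows: list) -> str:
    """Serialise the selected rows back to CSV with the same header."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, reasons = select_reuploadable(SEED_CSV, REPORT, DELETED)
    print(write_seed_file(rows))
    print("\n".join(reasons))
```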
This question is closed.