Enroll and manage your YubiKeys at scale

YubiKey management for the high security enterprise

0pass helps you protect any corporate resource with YubiKeys. We make every aspect easy to handle—from credential management to user enrollment. We help your team roll out passwordless authentication for the enterprise.

Talk With Us

Built by a team of security engineers from

Key Enrollment

Let employees enroll YubiKeys themselves

Credential Management

Enroll and revoke certificates

YubiKey Configuration

Personalize settings for different users

Succeed at each step of your YubiKey deployment

Enrolling employees

Want to get thousands of employees using YubiKeys? Let users enroll keys themselves, or IT can enroll on their behalf. The 0pass App enrolls PIV and FIDO2 credentials to YubiKeys in a flow that is simple enough for any user.

Credential management

Bring your certificate authority, like Microsoft AD CS, or use our built-in CA. 0pass issues certificates directly to YubiKeys. When a device is lost, admins can easily revoke the certificate and publish it to the certificate revocation list.

Windows, Mac, Linux, and SSO logins

Use YubiKeys for any access at your company: Windows, Mac, Linux workstations, SSH servers, and SSO providers. We give you tailored, one-time configurations for Active Directory, MDMs, and other infrastructure.

Configuration at scale

We help you enforce the right settings and configurations, such as allowing YubiKeys to authenticate with or without a PIN or Touch. With 0pass you have a central place to manage your keys and keep track of them.

Get the powerful features you need

0pass App

A desktop app with an easy enrollment flow that orchestrates all the tedious tasks and configurations in the background. Users can enroll via a kiosk or via their own computers, and admins can enroll on behalf of users.

Management Portal

A web app for managing users, their enrolled YubiKeys, enrollment settings, and integrations. Also serves as inventory management, helping admins track and revoke the credentials on YubiKeys.

Certificate Management System

0pass ships a built-in CA or integrates with yours. The certificate management system takes care of the certificate lifecycle: signing certificate requests, handling revocation, and publishing CRLs.

Try it for free

Ready to get started?

Request access to a demo with a free 30-day trial.

0pass Platform vs Manual Effort

It's hard to compare managing the countless minutiae involved in a YubiKey deployment with just using 0pass. Regardless, here's our best shot.

With 0pass: Using 0pass for the various tasks and use cases for YubiKey deployments.

Without 0pass: What's involved in doing your own deployment and management of keys.

Logins

Windows login
With 0pass: Automatically tie YubiKeys to a user's AD profile, regardless of your CA.
Without 0pass: Manually enroll users with CLI tools. Support AD CS or another CA.

Mac login
With 0pass: Tie YubiKeys to a user's device, allowing them to use it for every unlock or escalation.
Without 0pass: Manually enroll users with CLI tools. Support a CA for credentials.

Linux login
With 0pass: Log in to your Linux desktops and servers via CA-bound YubiKeys.
Without 0pass: Figure out frustrating PAM configurations to support YubiKeys.

SSH
With 0pass: Automatically use your registered credentials to do SSH on any OS.
Without 0pass: No support for SSH without manually deploying keys for every user to every server.

Smart Card Credentials

Enrollment
With 0pass: Certificates prove authentication came from an authorized YubiKey.
Without 0pass: Manually issue certificates and private keys. Download them onto the YubiKey in an insecure way.

Time to enroll
With 0pass: 10 seconds by end user or admin.
Without 0pass: Up to 15 minutes by an admin.

NFC Support
With 0pass: Enroll and manage keys via NFC, not just USB.
Without 0pass: Only enroll via USB using YubiKey Manager.

Support for multiple keys
With 0pass: You can enroll any key that is connected over USB or NFC.
Without 0pass: You must have only one YubiKey plugged in via USB to enroll a key.

CA Binding
With 0pass: Only certificates issued by your configured CA will be used.
Without 0pass: Any certificate can be used.

Attestation
With 0pass: Prove CSRs were generated onboard YubiKeys via an attestation check.
Without 0pass: No proof that the certificate wasn't manually issued or loaded.

Multiple certificates
With 0pass: Automatically enroll multiple certificates onto your YubiKey for different use cases.
Without 0pass: Manually issue certs and configure EKUs. Load them by hand to each slot.

FIDO2 Credentials

Enrollment
With 0pass: FIDO2 is enrolled in the same flow as PIV. 0pass integrates with your identity provider.
Without 0pass: Separately enroll key for FIDO2 with identity provider.

Time to enroll
With 0pass: Add an additional 5-10 seconds.
Without 0pass: Add an additional 5-10 minutes.

IDP support
With 0pass: Plug 0pass into nearly any identity provider.
Without 0pass: Keys are enrolled directly with an identity provider that supports FIDO2.

PIN and touch settings
With 0pass: Configure whether PIN is required according to your users or groups.
Without 0pass: Only use the defaults supported by your identity provider.

Administration

Certificate inventory
With 0pass: View and manage all employees’ certificates via a web app.
Without 0pass: Manually track certificates, serials, and users on a spreadsheet.

Revoking a certificate
With 0pass: Click "delete key" on the employee's profile.
Without 0pass: Find certificate in your CA that matches key serial #. Create a revocation request, push to CRL.

Lost keys
With 0pass: Employees or admins delete the key from the 0pass web app by its nickname.
Without 0pass: Employees must remember the serial # of the key they lost. Admins follow revocation process.

YubiKey Settings

PIN Changes
With 0pass: Users or admins set a custom PIN during enrollment and can change it as needed.
Without 0pass: Use default PIN. Change it on YubiKey Manager using the default management key.

PIN Policy
With 0pass: Set a custom PIN policy. Use YubiKeys with or without PIN.
Without 0pass: Stuck with the default PIN policy: required.

Touch Policy
With 0pass: Set a custom touch policy: require a touch, cache it, or require none.
Without 0pass: Stuck with the default touch policy: cached.

PIN unlock and management key
With 0pass: These values are randomized by 0pass and can be reset on enrollment.
Without 0pass: Default values give "God Mode" to anyone with key. Must be changed manually.

Deploy passwordless MFA with YubiKeys for any operating system

Windows

Users log in to Windows computers and servers with their YubiKey as a smart card. We provide you with all the tools for passwordless Windows logins with AD and Azure AD.

Mac

Users log in to Mac computers with their YubiKey as a smart card. We provide the necessary configs and credential management for passwordless Mac logins.

Linux

Users log in to Linux machines with their YubiKey as a smart card. We provide configs to support all Linux flavors and credential management for passwordless Linux logins.

How you can get started

Get a free trial and consultation

Chat with a security engineer and see whether we can help secure your environment. You can also set up a demo and access a free 30-day trial.

Access a free trial

Advice from security engineers

See a demo
