Last updated on August 1, 2025
Strong authentication should empower your workforce, not burden it. Therefore, the Rublon Admin Console lets administrators enroll FIDO security keys and FIDO passkeys for employees. The result is a friction-free rollout of phishing-resistant multi-factor authentication (MFA) that aligns with even the most rigorous security policies.
How the Admin FIDO Enrollment Works
Here’s how an administrator can enroll a FIDO authenticator for a user:
- Select the user in the Admin Console and click Add Security Key.
- Complete the brief enrollment with the physical key or passkey.
- Distribute the key (or the passkey) to the user.
From the user’s perspective, the next sign-in looks exactly like any other Rublon MFA sign-in via user-enrolled FIDO authenticator; the new hardware key or passkey is already listed and ready to use.
Business-Level Benefits
| Benefit | Why It Matters to the Organization |
|---|---|
| Stronger Policy Enforcement | Enforce a “no self-enrollment” stance while still deploying phishing-resistant authenticators company-wide. |
| Zero-Touch User Experience | Users skip self-enrollment, which reduces support tickets and accelerates productivity. |
| Complete Key Lifecycle | Help desk can both delete and replace FIDO authenticators from a single pane of glass, cutting recovery time if a key is lost. |
| Lower Capital Expenditure | Pair admin enrollment with low-cost passkeys in a password manager (e.g., 1Password, Dashlane, Bitwarden, NordPass) instead of purchasing physical tokens. |
| Audit-Ready Metadata | FIDO authenticator entries in the Admin Console expose detailed information like credential data and device specification, providing concrete evidence during compliance audits. |
Typical Use Cases
| Scenario | Outcome |
|---|---|
| Highly Regulated Sectors (finance, healthcare, public sector) | Centralized FIDO authenticator management fulfills strict administrator-controlled authenticator clauses without sacrificing protection against phishing. |
| Mass Onboarding (new department, seasonal staff, M&A migrations) | Keys are pre-registered by admins; employees receive keys and sign in immediately, keeping high-risk “first-week” periods secure. |
| Rapid Key Replacement | The help desk deletes the lost security key, enrolls a new one, and immediately issues it to the employee. |
| Admin-Enrolled Passkey Distribution via Password Managers* | Admin creates a passkey, assigns it to a vault shared with the employee, and instructs the employee to move the passkey into their private vault, after which the shared vault is deleted. Employees gain the convenience of synced passkeys; the company avoids the cost of hardware tokens. Learn More: Deploying Admin-Enrolled Passkeys With Enterprise Password Managers |
| Security Investigations & Audits | During an audit or security investigation, administrators can look up all enrolled FIDO authenticators in the Admin Console. Each FIDO authenticator in the console displays information such as registration data and credential metadata. |
* For the most sensitive accounts, consider enrolling hardware FIDO keys (NIST AAL3) instead of syncable passkeys (NIST AAL2).
Security & Governance Considerations
- Exclusive Control: After an admin places a passkey in a password manager’s shared vault, they should encourage the user to move it to a private vault instead of simply copying it. This restores the passkey’s intended user-centric control model and is analogous to how an admin-enrolled physical security key is then given to the user.
- Admin Account Hardening: Since a compromise of the administrator’s account in the password manager could expose passkeys during the brief shared-vault stage, protect administrator accounts in the password manager with strong, phishing-resistant MFA.
- Phishing Resistance: Whether you deploy physical keys or synced passkeys, all FIDO authenticators resist phishing, surpassing SMS, push, and TOTP.
Next Steps
Rublon safeguards identities for organisations of every size. We believe security should be both uncompromising and uncomplicated. Admin-enrolled security keys and passkeys make that vision a reality.
Stay informed
Subscribe to the Rublon Newsletter for cyber threat insights, product updates, and best practices.
Experience it yourself
Start a free 30‑day Rublon MFA Trial to test admin‑enrolled FIDO authenticators, convenient user sign-ins with FIDO passkeys, and more. No credit card required.
