Yubico for Business: How Many YubiKeys You Need and How to Manage Them
Protecting a work team is not the same as protecting a personal account. When there are 10, 50, or 200 people with access to critical systems, the question isn't whether to use YubiKey — it's how to organize it without it becoming an operational problem.
This guide is for IT managers, operations directors, and anyone who has to make that decision: how many keys to order, how to distribute them, and what tools exist to manage them.
How many YubiKeys does your company need?
The basic rule: one key per employee, plus one backup for each critical profile. But the real number depends on who has access to what.
Not all roles have the same level of exposure. An employee with access only to corporate email doesn't need the same level of protection as someone with access to production servers or financial data.
| Profile | Recommended keys | Why |
|---|---|---|
| Standard employee (email, SaaS apps) | 1 key | Limited access, medium risk |
| Manager with access to sensitive data | 2 keys | Without a backup, an incident blocks access |
| IT / sysadmin / DevOps | 2 keys minimum | Access to critical systems and servers |
| C-level / management | 2 keys + 1 in custody | Priority target in targeted attacks |
| Remote / external contractor | 1-2 keys depending on access | Connection outside the corporate perimeter |
Yubico recommends always registering at least two keys per user. If someone loses theirs and there's no backup registered, regaining access can take hours — or days. In critical environments, that has a real cost.
Quick reference by team size
To guide you before placing the order:
| Team size | Minimum keys | Recommended keys | Notes |
|---|---|---|---|
| 1–10 people | 10 | 15–20 | Include backup for critical profiles |
| 11–50 people | 50 | 65–80 | Backup for IT and management at a minimum |
| 51–200 people | 200 | 250–280 | Consider phased deployment |
| 200+ people | Variable | Contact Yubico directly | Yubico for Enterprise program with tiered pricing |
Which YubiKey model to choose for a business
The model depends on the available ports on the team's computers. In mixed environments — new USB-C laptops and USB-A desktop computers — the most common approach is to choose one model and supplement it with adapters, or distribute two different models.
YubiKey 5 NFC (USB-A)
The most widespread model in corporate environments. Compatible with most desktop computers and laptops with a USB-A port. NFC also allows it to be used from a mobile phone without adapters.
YubiKey 5C NFC (USB-C)
For modern computers with USB-C: MacBooks and latest-generation Dell or Lenovo laptops. If the majority of computers are USB-C, this is the model.
YubiKey 5 Nano / 5C Nano
For people who always work on the same computer and prefer to leave the key permanently inserted. It sits almost flush with the port — without protruding.
If you have both USB-A and USB-C computers in the same organization, the most practical option is usually to standardize on the YubiKey 5 NFC (USB-A) and distribute USB-C adapters where necessary. It reduces the number of SKUs to manage.
How to manage YubiKeys in an organization
The biggest mistake in enterprise deployments isn't choosing the wrong model — it's not having a system to know who has which key, what access it's registered for, and what to do when someone leaves.
Yubico Enterprise Subscription
Yubico offers a subscription program for businesses that includes key replacement at no additional cost, priority support, and access to YubiEnterprise Delivery — a system to distribute keys directly to remote employees without going through the IT department.
YubiKey Manager
Yubico's official tool for configuring keys individually. It allows you to manage the key's slots, see which applications are configured, and reset a key before reassigning it. Free, available for Windows, macOS, and Linux.
Yubico SCIM Tool
For organizations that use identity providers like Okta, Azure AD, or Google Workspace. It allows for automatic provisioning and de-provisioning of keys when an employee joins or leaves the company.
Registration in the IdP
Whatever the tool, the management workflow always goes through the identity provider. The YubiKey is worthless if it's not registered in the system that controls access. The standard process is: assign key → employee registers it in the IdP → IT verifies the registration → access is activated.
The offboarding protocol must explicitly include the YubiKey. First, access is deactivated in the IdP. Then, the physical key is collected. If it can't be recovered — remote employee, loss — the registration is revoked, and the key is reset if it's to be reused.
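The onboarding and offboarding steps above can be checked mechanically. The following is an added example, not code from Yubico or the original article: it compares a user list with the keys registered in the IdP and flags leavers whose registrations are still live, critical profiles with no backup, and keys registered under two accounts. All data, field names and serial numbers are constructed, and it assumes IT records each key's serial when it verifies the registration.

```python
from collections import defaultdict

# Constructed sample data; the field names are assumptions, not an IdP export format.
USERS = {
    "alice": {"profile": "it", "active": True},
    "bob": {"profile": "standard", "active": True},
    "carol": {"profile": "management", "active": True},
    "dave": {"profile": "it", "active": False},  # has left the company
}
# (user, key serial) pairs currently registered in the IdP (constructed).
REGISTRATIONS = [
    ("alice", "K-0001"), ("alice", "K-0002"),
    ("bob", "K-0003"),
    ("carol", "K-0004"),
    ("dave", "K-0005"),
    ("bob", "K-0005"),  # dave's key handed on before his registration was revoked
]
CRITICAL = {"it", "management"}  # profiles that get a backup key


def audit(users, registrations, critical=CRITICAL):
    """Return sorted (finding, user, serial) tuples for three process gaps."""
    keys_by_user = defaultdict(set)
    users_by_key = defaultdict(set)
    for user, serial in registrations:
        keys_by_user[user].add(serial)
        users_by_key[serial].add(user)

    findings = []
    for name, info in users.items():
        if not info["active"]:
            # Offboarding gap: a leaver still has keys registered in the IdP.
            findings += [("unrevoked", name, s) for s in keys_by_user[name]]
        elif info["profile"] in critical and len(keys_by_user[name]) < 2:
            # Backup gap: a critical profile has fewer than two registered keys.
            findings.append(("no_backup", name, None))
    for serial, owners in users_by_key.items():
        if len(owners) > 1:
            # Reuse gap: one physical key is registered under several accounts.
            findings += [("shared_key", o, serial) for o in owners]
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for finding in audit(USERS, REGISTRATIONS):
        print(finding)
```

An empty result means every leaver is revoked, every critical profile has a backup, and no key is shared between accounts.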
Protecting the keys physically
A YubiKey without a case ends up scratched at the bottom of a backpack or clanking against car keys on a keychain. In a corporate deployment, where keys pass through many hands and different situations, physical protection is not a minor detail.
Holdtag manufactures specific accessories for YubiKey — cases, credit card-sized trays, and wallets with RFID blocking — designed for daily use in professional environments. Made in Spain, from high-resistance PLA+.
YubiKey Tray 2 slots
Credit card format. Two slots — main key and backup in the same card. Fits in any wallet. Ideal for profiles that carry two keys.
YubiKey Case PLA+
Protection for daily use with an integrated keychain. Protects against bumps and scratches. For those who always carry their key with them.
For bulk corporate orders, special conditions, or customization, check the solutions for businesses page.
Frequently Asked Questions
Can a single YubiKey be used for multiple services?
Yes. A single YubiKey can be registered with multiple services at the same time — Google Workspace, Microsoft 365, GitHub, Okta, and others. There is no practical limit to the number of registrations. Each service stores its own record of the key.
What happens if an employee loses their YubiKey?
If a backup key is registered, the employee can use it to log in while a replacement is arranged. If there is no backup, IT has to recover access through another method — which can take time. That's why a backup is essential for critical profiles.
Can a YubiKey from an employee who has left be reused?
Yes, but with the correct protocol. First, all registrations in the IdP must be revoked. Then the key can be reset with YubiKey Manager and reassigned to another employee. If this order is not followed, there is a risk that the old key may still be active on some service.
Does YubiKey work with Google Workspace and Microsoft 365?
Yes, both platforms are compatible with YubiKey as a FIDO2 authentication method. Google Workspace supports it natively. Microsoft 365 also supports it, through Azure Active Directory. Configuration requires enabling it from the admin panel.
Are there volume discounts for businesses?
Yubico offers the YubiEnterprise Subscription program for corporate orders, with tiered pricing and replacement service included. For bulk Holdtag accessories, you can check the conditions on the solutions for businesses page.
YubiKey works for business — if there's a system behind it
The physical key is the easy part. What makes a deployment succeed or fail is the process: who has which key, what access it's registered for, and what happens when someone leaves. Without that system, you end up with lost keys, unrevoked access, and an IT department managing exceptions.
Start with the highest-risk profiles — IT, management, access to critical systems. Define the onboarding and offboarding protocol before buying the first keys. And make sure every critical profile has its backup registered from day one.