VMware Workspace ONE Employee Experience Workspace ONE Unified Endpoint Management

Announcing URL authentication in Workspace ONE Web for iOS using YubiKey via Workspace ONE PIV-D Manager

Workspace ONE Web browser now supports URL authentication using YubiKey via Workspace ONE PIV-D Manager application on the iOS and iPadOS platforms. Let’s look at why this is important and will be helpful for customers. 

YubiKey accessories are part of the changing world of high-security mobile data protection allowing secure remote access. They meet the needs of the most demanding security customers, including U.S. federal agencies. Many organizations today are adopting remote-first and remote-friendly organizational strategies. This new capability in Workspace ONE Web enables IT teams to further secure remote access to their corporate web applications with a passwordless, more secure authentication using YubiKey accessories in place of the traditional username/password-based authentication.  

Workspace ONE Web is a mobile web browser that can be managed and configured with security settings and more through Workspace ONE Unified Endpoint Management (UEM).  

Workspace ONE PIV-D Manager is a mobile app for handling derived PIV credentials for digital employee experiences without compromising on security. Both Workspace ONE Web and PIV-D Manager are provided by VMware as part of the Workspace ONE suite of mobile apps.  

Why is it important to secure corporate web applications? 

Today, a large number of enterprise applications are web applications, and more of these are transitioning to SaaS with each passing day. Moreover, they have also become prone to cyberattacks because so much critical corporate data is being accessed through web applications. For this reason, it is important for IT teams to make sure that employees can access these applications securely through enterprise-managed browsers without compromises to security and experience.  

IT teams are constantly looking for ways to use modern technologies to secure accessing these web applications. One such way is to use YubiKey accessories to authenticate into corporate web applications. Some sectors, such as financial services, require a highly secure method of accessing websites because they want to reduce the possibility of security breaches. Now they will be able to use Workspace ONE Web with YubiKey to provide a great experience for their employees, reduce support costs, and secure the identities of their employees and users. 

How does the YubiKey authentication feature work in Workspace ONE Web? 

This authentication feature requires version 22.05 of Workspace ONE Web and version 22.07 of Workspace ONE PIV-D Manager to be installed on the device. This feature is implemented using the Apple CryptoTokenKit (CTK) framework. PIV-D Manager implements a Persistent Device Token extension, also known as a CTK Provider, which makes credentials stored on the YubiKey accessory available to other apps on the same device. Workspace ONE Web implements a CTK Consumer to access the credentials to authenticate the end user to a particular URL or web application. Note that the private keys of the YubiKey credentials never leave the accessory. 

This feature is supported in all the device enrollment modes:  Hub Managed, Hub Registered, and standalone enrollment. Learn more about enrollment modes for Workspace ONE here

This video shows the admin experience to configure this feature and the end user experience. 


Securing access to the corporate web applications on mobile devices remains one of the top priorities for IT teams today. With the support for URL authentication using YubiKey via Workspace ONE PIV-D Manager application, Workspace ONE Web provides a way for IT admins to configure highly secure passwordless authentication for web applications that meet their security requirements. We are excited to announce this enhancement for our most security-conscious customers, who want to deliver a sophisticated, secure, and simplified way to authenticate identities and protect corporate data.