Kleidia – Self-hosted YubiKey management at scale within your infrastructure

Summary: Kleidia is a Kubernetes-native control plane for managing YubiKeys and FIDO2 devices at scale. It integrates with existing PKI and identity systems to replace manual scripts with auditable, policy-driven workflows, enabling operational hardware MFA in regulated environments without per-user licensing costs.

What it does

Kleidia manages the full lifecycle of YubiKeys including enrollment, assignment, certificate issuance, rotation, and revocation. It provides admins with visibility into certificates and revocation flows, supports scoped end-user self-service, and maintains a complete audit trail of key operations.

Who it's for

It is designed for organizations deploying YubiKeys or FIDO2 at scale, especially those needing compliance with regulations like NIS2 and requiring integration with existing PKI, Active Directory/Entra ID, and Kubernetes infrastructure.

Why it matters

Kleidia replaces fragile manual processes and costly per-user licensing with a scalable, auditable solution that fits enterprise identity environments and simplifies hardware MFA rollout and management.