They are, my point (which wasn't very clear) was that somebody needs to do the customer support.
If you just do YubiKeys but not Okta, your staff takes all the calls. Yubi sure isn't going to do the customer support when Employee #46 can't log into Office 365 today.
That's why people outsource this to Okta and its ilk.
So - I work for a company that uses Okta. Our Infosec/IT group also rolled out Yubikeys. I need to work with IT when I'm having problems with my Yubikeys.
When we SSO to Okta - they will for some applications (VPN, Github, etc..) require us to MFA with our Yubikey. But for some other, lower risk applications, MFA isn't required.
When an employee has difficulty connecting to one of the 84 applications that we SSO via Okta - they file a ticket with IT, not Okta. There is no way any employee would even know how to contact Okta, and there isn't any way that Okta could troubleshoot for the employee anyways - the source of truth for their password (first factor) would be the corporate Active Directory server.
Okta doesn't (to my knowledge) provide any customer support (I guess they might work with IT if there is a service-outage) to our employees. It's just an IdP SaaS.
Can Okta actually manage your enterprise's Yubikeys for you? I wasn't aware that was a thing since I've never heard anybody use it - everybody just endured the burden of managing their Yubikeys themselves.
I think your point is still confusing. No one is suggesting replacing Okta with a Yubikey, so whether one chooses Okta to offload support requests or not has no bearing on Yubikeys.
