In this post we will talk about how to roll out idemeum Passwordless MFA in your organization. The idea is to offer employees simple and intuitive enrollment while avoiding any disruptions or productivity losses.

Enrollment overview

Below we discuss how the IT team handles enrollment for both existing and newly hired employees.

💡
An important point to note is that idemeum enrollment is completely passwordless. Unlike other vendors on the market, we do not use SSO credentials or corporate emails for employee enrollment. Since idemeum is decentralized, enrollment is user-driven.

Existing employees

idemeum Passwordless MFA integrates with existing Identity Providers (such as Okta, Microsoft Azure AD, etc.). Here is the list of recommended steps for rollout.

  • Integrate idemeum: the IT team integrates idemeum with the existing HRMS system and Identity Provider. You can refer to our integration catalog to see which HRMS and IDP systems we support. The important point here is not to enable authentication by idemeum yet.
  • Invite employees: the IT team sends all existing employees an email inviting them to enroll into the passwordless experience. At this point employees are still accessing applications with a username and password, but they can now set up passwordless MFA and get enrolled. An example enrollment email is shown below.
📧
Welcome to passwordless experience!

<Organization> is using idemeum, a new sign-in experience that lets you simply and securely log in to corporate applications without passwords.

STEP 1 - install idemeum app
Download and install the idemeum mobile app and go through the in-app setup instructions. Make sure you verify your phone number and personal email address.

App store link

STEP 2 - enroll into passwordless experience
Navigate to the following link. Once you see the QR code, open the idemeum mobile app, click login, and scan the QR code. Upon successful enrollment you will be shown your corporate address.

Enrollment link

__________________________________________________
Questions? Contact support team at support@company.com

Passwordless onboarding is achieved by leveraging a phone number, personal email address, or ID document that employees verify in the idemeum app. You can always configure which personal claim you want to use for employee onboarding.

For the enrollment link we offer a URL that employees can use to self-enroll. The link is created by adding /enroll to the idemeum tenant name. For instance, if the idemeum tenant is https://demo.idemeum.com, then the enrollment link is https://demo.idemeum.com/enroll.

  • Disable password login: once all employees are enrolled into the idemeum passwordless experience, the IT team can enforce idemeum authentication for all employees. From then on, when accessing the corporate Identity Provider portal, employees will be redirected to idemeum for authentication. Upon scanning the QR code with the idemeum app, employees will have access to all corporate applications.

New employees

For new employees idemeum offers a completely passwordless experience as well. There is no need to send passwords, magic links, or enrollment tokens over email.

  • Integrate idemeum: the IT team integrates idemeum with the existing HRMS systems and Identity Provider. You can refer to our integration catalog to see which HRMS and IDP systems we support.
  • Disable password authentication: at this point you configure your IDP to send all authentication requests to idemeum. Password-based login will be disabled.
  • Invite employees: during employee onboarding, typically when the HR team sends information to the new hire's personal email address, you invite the employee to set up idemeum and enroll into the passwordless experience. The same or a similar email template as above can be used.

Once new hires set up idemeum and enroll, they will be able to access all corporate applications without passwords using the existing Identity Provider.


If you have any questions, let us know at support@idemeum.com