2. CSPN mode configuration
The YubiKey 5 Series supports a variety of applications, modes and operations. Technical descriptions of all of these are available from the Yubico website.
Additionally, as described in the YubiKey 5 CSPN security target [RD9], the YubiKey can also be used in a CSPN approved mode of operation.
The specific configurations required in order to achieve a CSPN approved mode are described in the sections below, divided by application.
- 3. One time password - OTP
- 4. OATH
- 5. FIDO U2F
- 6. FIDO2
- 7. PIV
For each section there is a summary of the YubiKey application, how to operate it in a CSPN approved mode, and how the the application can be technically configured.
2.1. Listing the applications on the YubiKey 5
To attain a list of all applications on the YubiKey 5, the command line YubiKey Manager (YKMan) may be used. To do so, in a command prompt, execute the command
The output will contain general information about the YubiKey 5, such as the current firmware version, but also all of the available applications, both enabled and disabled. (The Security Domain application is hidden for the user and therefore not listed byYKMan.) An example of this command is shown in the screenshot below.
2.2. Password strength
It is highly recommended to adhere to ANSSI’s guidelines on password strength whenever applicable, as it pertains to any of the YubiKey 5 applications.
2.3 Configuration environment
With regards to the configuration of the YubiKey, it can be performed in two different areas:
- If the keys of an application are generated by the secured microcontroller, the YubiKey 5 is considered as placed in a public area.
- If the keys of an application are loaded into the secured microcontroller, the YubiKey 5 is considered as placed in a secure area with restricted access.
To get in touch with Yubico Support, click here.