See the following sections for each of the supported protocols. The features, capabilities, and enhancements brought by the firmware v. 5.X are summarized below and described in detail in 5.4 Firmware: Overview of Features & Capabilities.
All devices in the YubiKey 5 Series support FIDO2, enabling secure passwordless authentication on sites and applications that support the protocol.
The YubiKey 5 NFC and YubiKey 5C NFC bring NFC capabilities to the YubiKey 5 Series. All of the applications, including FIDO2, are available over NFC, expanding the options for quick tap-and-go authentication across desktops, laptops, and mobile devices. This makes the YubiKey 5 NFC or 5C NFC an ideal upgrade from the YubiKey NEO, which lacked some features such as ECC PIV certificates, larger PIV certificates, and RSA 4096 for OpenPGP keys.
With the firmware v. 5.4.X, the YubiKey NFC ID calculation has been modified. This provides expanded support for physical access systems (door locks) using the NFC ID tag to uniquely identify NFC-enabled YubiKeys, including those without serial numbers.
PIV enhancements enabled by the firmware v. 5.4.X include:
- YubiKey PIV metadata: This allows the YubiKey PIV application to report on the characteristics of the cryptographic key in a requested PIV slot. YubiKey 5 PIV metadata enables services and client software to obtain information about the PIV keys in one place, removing the need to query PIV attestation. YubiKey PIV metadata facilitates integration with CMS vendors.
- PIV management key (AES): Previously, the PIV management key was a 3DES key. This feature expands the management key types held in PIV slot 9b to include AES keys (128, 192 and 256 bits) as defined in Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV), SP 800-78-4, section 5. A PIV management key in AES format allows the YubiKey to be compatible with current and future FIPS-compliant CMS services.
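Both enhancements above surface through the same PIV command: GET METADATA returns a short TLV-encoded record per slot, and for slot 9b that record states the management key algorithm (3DES or one of the AES sizes) and whether the key is still the factory default. The following is an added example, not Yubico's code or part of this manual: a stand-alone parser for that response, using the tag and value assignments from Yubico's published PIV extension documentation, plus a small audit check a CMS or fleet tool could run to flag keys that should be rotated. The response bytes are constructed samples; on a real device they would be obtained by sending the APDU over CCID, which this offline example does not do.

```python
# Added example (not Yubico's code): parse YubiKey PIV GET METADATA responses
# and flag weak management-key configurations. Tags/values follow Yubico's
# PIV extension documentation; the sample responses below are constructed.
from typing import Dict, List

# GET METADATA is INS 0xF7 with P2 = slot; the response body is a flat TLV list.
TAG_ALGO, TAG_POLICY, TAG_ORIGIN, TAG_PUBKEY, TAG_DEFAULT, TAG_RETRIES = 1, 2, 3, 4, 5, 6

ALGORITHMS = {
    0x03: "3DES",                                      # legacy management key type
    0x08: "AES128", 0x0A: "AES192", 0x0C: "AES256",    # management key types since 5.4
    0x06: "RSA1024", 0x07: "RSA2048",
    0x11: "ECCP256", 0x14: "ECCP384",
}
PIN_POLICY = {0: "default", 1: "never", 2: "once", 3: "always"}
TOUCH_POLICY = {0: "default", 1: "never", 2: "always", 3: "cached"}
ORIGIN = {1: "generated", 2: "imported"}


def parse_tlvs(data: bytes) -> Dict[int, bytes]:
    """Parse a flat sequence of single-byte-tag BER-TLVs into {tag: value}."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:                  # long form: 0x81 xx or 0x82 xx xx
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated TLV")
        out[tag] = data[i:i + length]
        i += length
    return out


def describe_metadata(slot: int, response: bytes) -> dict:
    """Turn a GET METADATA response for `slot` into a readable dictionary."""
    tlvs = parse_tlvs(response)
    info = {"slot": f"{slot:02X}"}
    if TAG_ALGO in tlvs:
        algo = tlvs[TAG_ALGO][0]
        info["algorithm"] = ALGORITHMS.get(algo, f"unknown({algo:#x})")
    if TAG_POLICY in tlvs:                 # two bytes: PIN policy, touch policy
        pin, touch = tlvs[TAG_POLICY]
        info["pin_policy"] = PIN_POLICY[pin]
        info["touch_policy"] = TOUCH_POLICY[touch]
    if TAG_ORIGIN in tlvs:
        info["origin"] = ORIGIN[tlvs[TAG_ORIGIN][0]]
    if TAG_PUBKEY in tlvs:                 # asymmetric slots only; reported by length here
        info["public_key_len"] = len(tlvs[TAG_PUBKEY])
    if TAG_DEFAULT in tlvs:                # PIN, PUK and management key: still factory value?
        info["is_default"] = tlvs[TAG_DEFAULT] == b"\x01"
    if TAG_RETRIES in tlvs:                # two bytes: total retries, remaining retries
        total, remaining = tlvs[TAG_RETRIES]
        info["retries_total"] = total
        info["retries_remaining"] = remaining
    return info


def management_key_findings(info: dict) -> List[str]:
    """Audit findings for a slot 9b metadata record."""
    findings = []
    if info.get("is_default"):
        findings.append("management key is the factory default")
    if info.get("algorithm") == "3DES":
        findings.append("management key is 3DES; AES is available on firmware 5.4+")
    return findings


# Constructed sample responses (not captured from a device).
SAMPLE_9B_LEGACY = bytes.fromhex("010103" "02020001" "050101")  # 3DES, touch never, default
SAMPLE_9B_AES = bytes.fromhex("01010c" "02020001" "050100")     # AES256, touch never, rotated
SAMPLE_9A = bytes.fromhex("010111" "02020201" "030101" "04048602aabb")  # ECCP256; pubkey bytes are a placeholder
SAMPLE_PIN = bytes.fromhex("050101" "06020303")                 # default PIN, 3 of 3 retries left

if __name__ == "__main__":
    for slot, resp in ((0x9B, SAMPLE_9B_LEGACY), (0x9B, SAMPLE_9B_AES), (0x9A, SAMPLE_9A), (0x80, SAMPLE_PIN)):
        meta = describe_metadata(slot, resp)
        print(meta, management_key_findings(meta) if slot == 0x9B else "")
```

The parser deliberately tolerates missing tags, since the set of tags returned differs between key slots (9a..9e, plus retired slots) and the PIN, PUK and management-key objects; a CMS integration should only rely on the fields the slot actually reports.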
The YubiKey 5Ci is the first hardware authenticator of its kind enabled with dual USB-C and Lightning® on a single security key. With multi-protocol capabilities, supporting OTP, U2F, FIDO2/WebAuthn, and Smart Card requirements, the YubiKey 5Ci provides a unified solution for secure logins on mobile and computing devices. The Lightning® connector enables secure login across iPhone 5, 6, 7, 8 and X, XS and XR, as well as most iPad models.
Having completed Apple’s MFi certification program, the YubiKey 5Ci is made for iPhone, iPad, and iPod as an electronic accessory specifically designed for the Lightning® connector of iPhones, iPads, and iPods, and certified to meet Apple performance standards.
The YubiKey 5Ci is the first YubiKey to roll out new feature enhancements to FIDO2 and OpenPGP. Details on the new functionality can be found at our guides to the Enhancements to FIDO 2 Support and Enhancements to OpenPGP Support.
The YubiKey 5Ci will work as OTP over USB-C on the iPad Pro, but other functionalities have limitations. While we cannot currently provide timing, it is our goal for this device to work seamlessly across all products with Lightning® and USB-C ports.
Apple, Lightning, Mac, and MacOS are trademarks of Apple Inc., registered in the U.S. and other countries.
The YubiKey 5 Series devices can report their form factor via the PIV application, as well as whether or not they have an NFC interface. This enables easier, programmatic identification of the physical attributes of the YubiKey. For more information about how to query this information, see the YubiKey 5 Series Configuration Reference Guide.
Secure Channel (SCP03)
With the firmware v. 5.4.X, Yubico has implemented a secure channel based on the GlobalPlatform Technology SCP03 specification (Secure Channel Protocol 03). For more information on Yubico’s secure channel implementation, see Secure Channel.
For the YubiKey SCP03 implementation, secure channel is used for establishing an authenticated and encrypted communication channel over CCID between a host and the secure element on the YubiKey. The YubiKey security domain can store three concurrent long-lived transport key sets.
The secure channel feature enables loading application keys onto the YubiKey 5 for use with the CCID applications OATH, OpenPGP, or PIV. Because the encryption application keys can be stored on the CMS server as well as on the YubiKey, if the YubiKey is lost or compromised, it is possible to recover the encryption key and load it onto a replacement YubiKey.
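The long-lived transport key sets held in the security domain are never used directly on the wire: SCP03 derives fresh session keys from them for every channel, binding each session to the host and card challenges exchanged during setup, so a captured session exposes neither the static keys nor any other session. The following is an added example and not Yubico's or GlobalPlatform's code: it implements the SCP03 data derivation scheme (NIST SP 800-108 counter-mode KDF with AES-CMAC as the PRF) as specified in GPC_SPE_014, producing S-ENC, S-MAC, S-RMAC and the two cryptograms from a static key set. The static keys and challenges are constructed test values, and the block assumes the `cryptography` package is installed for AES-CMAC.

```python
# Added example (not Yubico's code): SCP03 session-key derivation per the
# GlobalPlatform data derivation scheme (SP 800-108 counter mode, AES-CMAC PRF).
# Static keys and challenges below are constructed test values.
from cryptography.hazmat.primitives.cmac import CMAC
from cryptography.hazmat.primitives.ciphers import algorithms

# Derivation constants (last byte of the 12-byte label) from GPC_SPE_014.
CONST_CARD_CRYPTOGRAM = 0x00
CONST_HOST_CRYPTOGRAM = 0x01
CONST_S_ENC = 0x04
CONST_S_MAC = 0x06
CONST_S_RMAC = 0x07


def aes_cmac(key: bytes, data: bytes) -> bytes:
    c = CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()


def derivation_data(constant: int, out_bits: int, counter: int, context: bytes) -> bytes:
    """label (11 x 0x00 || constant) || 0x00 separator || L (2 bytes) || i (1 byte) || context."""
    return bytes(11) + bytes([constant]) + b"\x00" + out_bits.to_bytes(2, "big") + bytes([counter]) + context


def scp03_kdf(key: bytes, constant: int, out_bits: int, context: bytes) -> bytes:
    """Counter-mode KDF: concatenate CMAC blocks with i = 1, 2, ... until out_bits are produced."""
    out, counter = b"", 1
    while len(out) * 8 < out_bits:
        out += aes_cmac(key, derivation_data(constant, out_bits, counter, context))
        counter += 1
    return out[: out_bits // 8]


def derive_session_keys(static_enc: bytes, static_mac: bytes,
                        host_challenge: bytes, card_challenge: bytes) -> dict:
    """Derive the per-session key set and cryptograms for one SCP03 channel."""
    if len(host_challenge) != 8 or len(card_challenge) != 8:
        raise ValueError("SCP03 challenges are 8 bytes each")
    context = host_challenge + card_challenge
    key_bits = len(static_enc) * 8                      # 128/192/256 follow the static key size
    s_enc = scp03_kdf(static_enc, CONST_S_ENC, key_bits, context)
    s_mac = scp03_kdf(static_mac, CONST_S_MAC, key_bits, context)
    s_rmac = scp03_kdf(static_mac, CONST_S_RMAC, key_bits, context)
    return {
        "s_enc": s_enc,
        "s_mac": s_mac,
        "s_rmac": s_rmac,
        # 8-byte cryptograms are computed with S-MAC; the card proves possession
        # of the static set with its cryptogram and the host answers with its own.
        "card_cryptogram": scp03_kdf(s_mac, CONST_CARD_CRYPTOGRAM, 64, context),
        "host_cryptogram": scp03_kdf(s_mac, CONST_HOST_CRYPTOGRAM, 64, context),
    }


# Constructed test values, not a real YubiKey transport key set.
STATIC_ENC = bytes(range(0x40, 0x50))
STATIC_MAC = bytes(range(0x50, 0x60))
HOST_CHALLENGE = bytes.fromhex("0102030405060708")
CARD_CHALLENGE = bytes.fromhex("a1a2a3a4a5a6a7a8")

if __name__ == "__main__":
    for name, value in derive_session_keys(STATIC_ENC, STATIC_MAC, HOST_CHALLENGE, CARD_CHALLENGE).items():
        print(f"{name:16} {value.hex()}")
```

Because the context contains both challenges, replaying a host's earlier messages against the YubiKey produces different session keys and a cryptogram mismatch; the YubiKey's ability to hold three transport key sets concurrently lets a CMS rotate the static set without a service gap.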
See also: Yubico SCP03 Developer Guidance.
Secure Channel Key Diversification
Key diversification allows for simplified and secured distribution of secure channel transport key sets. The Batch Master Key (BMK) is shared with the CMS system to derive the YubiKey transport key sets. This enables secure channel transport key sets to be preprogrammed for YubiKey 5 batches by Yubico, provided that the Yubico supply chain has access to the BMK of the CMS vendor. For more details, see Secure Channel: Key Diversification.
Secure Channel CPLC Data
Though officially deprecated from the SCP03 standard, Yubico has implemented the Card Production Life Cycle (CPLC) data object for use with Credential Management System (CMS) vendors.
CPLC is a random dataset that is stored on the YubiKey, to be used for uniquely identifying the YubiKey in a CMS system.
For more details, see Secure Channel CPLC Data.
YubiHSM Auth is a YubiKey CCID application that stores the long-lived credentials used to establish secure sessions to a YubiHSM 2. The secure session protocol is based on Secure Channel Protocol 3 (SCP03). YubiHSM Auth is supported by YubiKey v5.4.0 and higher.
For more details, see YubiHSM Auth.