YubiKey FIPS 4 Series

Why FIPS?

Federal Information Processing Standards (FIPS) are developed by the United States government for use in computer systems to establish requirements such as ensuring computer security and interoperability. The National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) run the NIST Cryptographic Module Validation Program (CMVP) as a collaborative effort.

FIPS certification demonstrates that a product has gone through a rigorous audit process and adheres to a security standard that can be measured and quantified.

Many government organizations and government contractors are required to use FIPS-approved products, as are highly-regulated industries in general. Other countries also recognize FIPS 140-2. For the US government, the default is that FIPS is required.

Do You Require FIPS Keys?

If you do not have a security auditor, and/or the auditor does not have a compliance requirement, you probably do not need FIPS. The standard line of YubiKeys offers the same security, algorithms and functionality. The standard line also evolves at a much more rapid pace because it does not need to go through an exhaustive validation process, which commonly takes a year or more. Yubico can release standard firmware with new features, enhancements, etc. at any time, whereas FIPS-certified products must go through the FIPS validation process every time there is a change.

Compatible Devices

Before proceeding, make sure your YubiKeys are from the (4) FIPS Series, not the 5 FIPS Series. If you’re not sure how to tell, look for v5 in the laser-markings on the keys themselves. Keys with this marking belong to the 5 FIPS Series; keys without it are from the (4) FIPS Series. See below images for clarification.

_images/fips4-models.jpg

The YubiKey (4) FIPS Series, to which this article applies.

_images/fips5-models.jpg

The YubiKey 5 FIPS Series.

If you determine you have YubiKey 5 FIPS Series keys, please refer to YubiKey Technical Manual instead.