Understanding the Applications

The YubiKey 5 FIPS Series provides applications for a wide variety of authentication options: OTP, U2F, FIDO2, Smart Card/PIV, and OATH. The applications are separate from each other, with separate storage for keys and credentials. The following sections provide detailed descriptions of each option.

FIPS Application Exceptions

These exceptions apply to all YubiKey 5 FIPS Series applications.

  • Attestation certificates include FIPS OID.
  • Pairwise consistency test verifies proper generation of all asymmetric keys (RSA & ECC). You might detect some minor performance impact on new key generation.
  • When inserted in a USB port, the FIPS power-on self-test takes ~300 milliseconds before the device is usable.
  • The YubiKey 5 FIPS Series supports cryptographic algorithms that it is not permissible to use in a FIPS environment. Consult with your security auditor to ensure the YubiKey is used in a compliant manner.

YubiKey 5 FIPS Series Supported Functions

In addition to the applications, the functions listed below are also supported.

  • YubiKey device configuration
  • Secure Channel (SCP03)
  • Power-on self-test
  • FIPS-specific attestation certificates and FIDO2 metadata
  • NFC – On NFC devices only

For information about the static password, the HMAC-SHA1, and supported extensions, see the sections of the same name in Understanding the Applications in the YubiKey 5 Series Technical Manual.