Understanding the Applications
The YubiKey 5 FIPS Series provides applications for a wide variety of authentication options: OTP, U2F, FIDO2, Smart Card/PIV, and OATH. The applications are isolated from each other, each with its own storage for keys and credentials. The following sections provide detailed descriptions of each option.
FIPS Application Exceptions
These exceptions apply to all YubiKey 5 FIPS Series applications.
- Attestation certificates include FIPS OID.
- A pairwise consistency test verifies correct generation of every asymmetric key (RSA and ECC). You may notice a minor performance impact on new key generation.
- When inserted in a USB port, the FIPS power-on self-test takes ~300 milliseconds before the device is usable.
- The YubiKey 5 FIPS Series also supports cryptographic algorithms that are not permitted for use in a FIPS environment. Consult your security auditor to ensure the YubiKey is used in a compliant manner.
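The pairwise consistency test listed above is the FIPS check that a newly generated key pair actually works together before it is released for use. The Go program below is an added example written for this page, not YubiKey firmware or Yubico code; it performs the same kind of check in software with Go's standard library (a sign/verify round trip for RSA and ECDSA, plus an OAEP encrypt/decrypt round trip for RSA) and refuses to hand out a key pair that fails. The test message, key size and curve are constructed choices for the demonstration; the page does not describe the exact tests the YubiKey firmware runs.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// pctMessage is a constructed, fixed test vector for the round trips.
// Any non-empty message works; it never leaves this program.
var pctMessage = []byte("pairwise consistency test message")

// rsaPCT checks that an RSA private key and public key belong together:
// a signature made with priv must verify under pub, and a message
// encrypted to pub must decrypt under priv to the original bytes.
func rsaPCT(priv *rsa.PrivateKey, pub *rsa.PublicKey) error {
	digest := sha256.Sum256(pctMessage)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return fmt.Errorf("rsa sign: %w", err)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("rsa verify: %w", err)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pctMessage, nil)
	if err != nil {
		return fmt.Errorf("rsa encrypt: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return fmt.Errorf("rsa decrypt: %w", err)
	}
	if !bytes.Equal(pt, pctMessage) {
		return errors.New("rsa decrypt: plaintext does not match")
	}
	return nil
}

// ecdsaPCT checks that an ECDSA key pair belongs together with a
// sign/verify round trip (ECC signing keys have no encrypt/decrypt operation).
func ecdsaPCT(priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey) error {
	digest := sha256.Sum256(pctMessage)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return fmt.Errorf("ecdsa sign: %w", err)
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("ecdsa verify: signature does not verify under public key")
	}
	return nil
}

// GenerateRSAWithPCT generates an RSA key pair and releases it only if
// the pairwise consistency test passes; a failing pair is discarded.
func GenerateRSAWithPCT(bits int) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	if err := rsaPCT(priv, &priv.PublicKey); err != nil {
		return nil, fmt.Errorf("RSA pairwise consistency test failed: %w", err)
	}
	return priv, nil
}

// GenerateECDSAWithPCT does the same for an ECDSA key on the given curve.
func GenerateECDSAWithPCT(curve elliptic.Curve) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	if err := ecdsaPCT(priv, &priv.PublicKey); err != nil {
		return nil, fmt.Errorf("ECDSA pairwise consistency test failed: %w", err)
	}
	return priv, nil
}

func main() {
	// Key size and curve are constructed choices for the demonstration.
	rsaKey, err := GenerateRSAWithPCT(2048)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("RSA-%d key passed PCT\n", rsaKey.N.BitLen())

	ecKey, err := GenerateECDSAWithPCT(elliptic.P256())
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("ECDSA %s key passed PCT\n", ecKey.Curve.Params().Name)

	// Failure path: the public half of an unrelated key pair must be rejected.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println("mismatched RSA pair:", rsaPCT(rsaKey, &other.PublicKey))
}
```

The generator functions only return a key once the round trip has succeeded, which is the property the FIPS check exists to enforce; the extra key generation in the test is where the small performance cost mentioned above comes from. Passing the public half of a different key pair through `rsaPCT` or `ecdsaPCT` exercises the failure path, the case a consistency test has to catch.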
YubiKey 5 FIPS Series Supported Functions
In addition to the applications, the following functions are supported.
- YubiKey device configuration
- SCP03; for more information, see the chapter on Secure Channel (SCP03) in the YubiKey 5 Series Technical Manual
- YubiHSM Auth (with firmware version 5.4.3) is a YubiKey CCID application that stores the long-lived credentials used to establish secure sessions to a YubiHSM 2. The secure session protocol is based on Secure Channel Protocol 3 (SCP03). For more information, see the chapter on YubiHSM Auth in the YubiKey 5 Series Technical Manual.
- Power-on self-test
- FIPS-specific attestation certificates and FIDO2 metadata
- NFC – On NFC devices only
For information about the static password, the HMAC-SHA1, and supported extensions, see the sections of the same name in Understanding the Applications in the YubiKey 5 Series Technical Manual.