FIDO: FIPS 140-2 with YubiKey 5 FIPS Series

FIDO U2F

FIDO U2F is an open standard that provides strong, phishing-resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.

FIDO2

Like FIDO U2F, the FIDO2 standard offers the same high level of security, as it is based on public key cryptography. In addition to providing phishing resistant two-factor authentication, the FIDO2 application on the YubiKey enables the storage of resident credentials. As the resident credentials can accommodate the username and other data, this enables truly passwordless authentication. Keys in the YubiKey 5 FIPS Series can hold up to 25 resident keys.

Locking FIDO2 Credentials

The resident credentials can be protected by a PIN for two-factor authentication.

  • The FIDO2 PIN must be between 6 and 128 alphanumeric characters in length.
  • Once a FIDO2 PIN is set, it can be changed but it cannot be removed without resetting the FIDO2 application.
  • If the PIN is entered incorrectly 8 times in a row, the FIDO2 application will be locked, and FIDO2 authentication will not be possible. After 3 incorrect PIN entries, the FIDO2 application must be power cycled. In order to restore this functionality, the FIDO2 application must be reset.

Note

Resetting the FIDO2 application will also reset the U2F key. No site you have registered the YubiKey with using U2F will work until the YubiKey is re-registered with that site. However, using U2F is not compatible with FIPS 140-2 Level 2.

Note

The YubiKey 5 FIPS Series supports FIOD2 credential management, thereby enabling selective deletion of resident keys. See the Enhancements to FIDO 2 Support for details.

The rules governing FIPS-certified environments forbid the use of the following features of the YubiKey 5 FIPS Series:

  • The P-224 curve
  • Credential registration over NFC.

Default Values

PIN: None set.

Placing the WebAuthn Application in FIPS-approved Mode

For the YubiKey WebAuthn application to be in a FIPS approved mode of operation, a WebAuthn PIN must be set. By default, no WebAuthn PIN is set.

To set or change the WebAuthn PIN, the YubiKey Manager Command Line Interface (CLI) must be used. To set an WebAuthn PIN using the YubiKey Manager CLI, use the command:

ykman fido access change-pin -n<PIN>

where <PIN> is the WebAuthn PIN to be set. Get the PIN requirements from Credentials and Permitted Values.

U2F

The YubiKey 5 U2F FIPS application cannot be used in a FIPS 140-2 Level 2 mode. In place of the U2F functionality, use the FIDO WebAuthn application. FIPS-certified services should not call the U2F functionality; nonetheless, the U2F function should be disabled on the YubiKey to ensure it is not used.

To disable U2F over USB and NFC, use the commands:

ykman config usb -dU2F ykman config nfc -dU2F

To ensure users cannot enable U2F, access to it can be secured with a management lock code. To set this code, use the command:

ykman config set-lock-code -n<lock code>

where <lock code> is a 16 byte (32 character) hex value.

Note

The lock code prevents anyone without it from changing which functions are accessible over NFC or USB. The lock code cannot be recovered if lost, which would result in a YubiKey with features permanently inaccessible.