Introduction

Why FIPS?

Federal Information Processing Standards (FIPS) are developed by the United States government to establish requirements for computer systems, such as computer security and interoperability. The National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) run the NIST Cryptographic Module Validation Program (CMVP) as a collaborative effort.

FIPS certification demonstrates that a product has gone through a rigorous audit process and adheres to a security standard that can be measured and quantified.

Many government organizations and government contractors are required to use FIPS-approved products, as are highly regulated industries in general. Other countries also recognize FIPS 140-2. For the US government, the default is that FIPS is required.

Do You Require FIPS Keys?

If you do not have a security auditor, and/or the auditor does not have a compliance requirement, you probably do not need FIPS. The standard line of YubiKeys offers the same security, algorithms and functionality. The standard line also evolves at a much more rapid pace because it does not need to go through an exhaustive validation process, which commonly takes a year or more. Yubico can release standard firmware with new features, enhancements, etc. at any time, whereas FIPS-certified products must go through the FIPS validation process every time there is a change.

YubiKey 5 FIPS Series

The YubiKey 5 FIPS Series is FIPS 140-2 certified. It offers strong authentication with support for multiple protocols, including FIDO2, the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

The cryptographic functionality of the YubiKey 5 FIPS Series devices is powered by the FIPS 140-2 certified YubiKey 5 cryptographic module, a single-chip cryptographic processor with a non-extractable key store that handles all of the cryptographic operations. The YubiKey 5 cryptographic module is FIPS 140-2 certified at both Level 1 and Level 2 (Physical Security Level 3).

The YubiKey 5 FIPS Series cryptographic module is a secure element, designed to be embedded in USB security tokens, that supports multiple protocols. The module can generate, store, and perform cryptographic operations for sensitive data and can be utilized via an external touch-button for Test of User Presence in addition to PIN for smart card authentication. The module implements the following major functions:

  • Yubico One Time Password (OTP)
  • FIDO Universal 2nd Factor (U2F)
  • FIDO2 WebAuthn
  • PIV-compatible smart card
  • OATH OTP authentication.

The YubiKey 5 FIPS Series hardware with the 5.4 firmware is certified as an authenticator under both FIPS 140-2 Level 1 and Level 2. It meets authenticator assurance level 3 (AAL3), the highest level in the NIST SP 800-63B guidance. To use security keys from the YubiKey 5 FIPS Series at Level 2, more stringent initialization is required than for Level 1. Guidance for Level 2 is set out in detail in what follows.

FIPS-specific Aspects of the YubiKey 5 FIPS Series

The following configuration changes, set at programming, distinguish the YubiKey 5 FIPS Series from the YubiKey 5 Series with the 5.4 firmware:

Configuration Change: Description

Functional
  • Enforce power-up self-test (firmware integrity and algorithm testing)
  • Minimum PIN length for FIDO2: 6 alphanumeric characters
  • YubiHSM Auth: Not included

Identification
  • Unique AAGUIDs for the FIDO Attestation
  • Attestation: Attestation certificates for FIDO and PIV include a FIPS Object ID (1.3.6.1.4.1.41482.12)
  • FIDO GETINFO: Command returns a listing of FIPS, as well as the FIPS-specific OIDs in the PIV and FIDO attestation certificates.*
  • YubiKey Manager: Form factor identifies FIPS Series devices.**

* The certifications that are supported by a FIDO authenticator can be returned in the certifications member of an authenticatorGetInfo response as set out in paragraph 7.3.1. Authenticator Actions of the Client to Authenticator Protocol (CTAP) Review Draft of March 09, 2021.

** See the “Form Factor” section in the YubiKey 5 Series Configuration Reference Guide for the YubiKey Manager.
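
The attestation entry listed above can be checked mechanically on the verifying side. The following is an added example, not Yubico code: it walks DER bytes and reports whether an X.509 extension carrying the FIPS Object ID is present. The sample bytes are constructed for illustration, and the extension's value is left empty as a placeholder because this page does not describe its content.

```python
FIPS_OID = "1.3.6.1.4.1.41482.12"  # FIPS Object ID quoted on this page

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split the content of a constructed element into (tag, value) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """Decode DER OID content bytes into dotted-decimal text."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(der):
    """List extnID of each SEQUENCE shaped {OID, [BOOLEAN], OCTET STRING}."""
    found = []
    def walk(value):
        for tag, val in children(value):
            kids = children(val) if tag & 0x20 else []  # only constructed tags nest
            if tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
                found.append(decode_oid(kids[0][1]))
            elif kids:
                walk(val)
    walk(der)
    return found

def has_fips_oid(der):
    return FIPS_OID in extension_oids(der)

SAMPLE = bytes.fromhex(  # constructed sample, not a real certificate
    "302d" "300a06082a8648ce3d040302"          # outer SEQUENCE, ecdsa-with-SHA256 identifier
    "a31f301d" "300c0603551d130101ff04023000"  # [3] Extensions, critical basicConstraints
    "300d06092b0601040182c40a0c0400")          # FIPS OID extension, empty placeholder value
```

A structural match only says the OID is present: validate the certificate chain to the vendor's attestation root before trusting any extension in it.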

Firmware

The YubiKey firmware is separate from the YubiKey itself in the sense that it is put onto each key in a process separate from the manufacture of the physical key. Nonetheless, it can be neither removed nor altered. Yubico periodically updates the YubiKey firmware to take advantage of features and capabilities introduced into operating systems such as Windows, macOS, and Ubuntu, as well as to enable new YubiKey features.

The firmware version on a YubiKey therefore determines whether or not a feature or a capability is available to that key. The quickest and most convenient way to determine your YubiKey’s firmware version is to use the YubiKey Manager (ykman), a lightweight software package installable on any OS. The YubiKey Manager has both a graphical user interface (GUI) and a command line interface (CLI).

Yubico has submitted the same firmware, release 5.4, to both NIST and ANSSI for certification.