FIPS Level 1 vs FIPS Level 2

The YubiKey 5 FIPS Series is certified in two modes of operations - one configuration which meets the requirements for FIPS Level 1, and a second, more restricted configuration that meets the requirements for FIPS Level 2.

The FIPS Level 2 configuration renders keys in the YubiKey 5 FIPS Series capable of being a component in a framework meeting the highest levels of authentication assurance. However, not every deployment requires this level of security. In cases where a FIPS-certified device is required, but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used. This provides a user experience like the standard YubiKey 5 Series user experience.

FIPS Initialization Comparison: Level 1 vs Level 2

The FIPS Level 2 requirements include all the those for Level 1. Therefore the FIPS Level 2 column in the table below lists only the differences.

YubiKey Function	FIPS Level 1	FIPS Level 2
Touch- Triggered OTP	If writing a configuration to a slot over NFC, use a secure channel.	Set Access code for both OTP slots. If updating a configuration of either OTP slot or the NDEF behavior, use a secure channel.
OATH	If writing a credential over NFC, use a secure channel.	Set the Management key. When setting the Management key over USB or NFC, use a secure channel. When writing a credential over USB or NFC, use a secure channel.
PIV	If importing a key or setting the management key, use a secure channel.	Change Management key, PIN and PUK from default values. For any operation with the PIV function over NFC, use a secure channel.
U2F	No additional requirements	Must be disabled. Use the FIDO2 function in exchange.
FIDO2	No additional requirements	Set a PIN. Set Credential Protection to level 2 for all discoverable credentials. Credential Registration is not allowed over NFC.
Secure Channel	Change the default transport keys from default	No additional requirements

For more information on secure channel requirements from NIST, see NIST SP 800-63-C and NIST SP 800-63B.