FIPS Level 1 vs FIPS Level 2
The YubiKey 5 FIPS Series is certified in two modes of operation: one configuration that meets the requirements for FIPS Level 1, and a second, more restricted configuration that meets the requirements for FIPS Level 2.
The FIPS Level 2 configuration renders keys in the YubiKey 5 FIPS Series capable of being a component in a framework meeting the highest levels of authentication assurance. However, not every deployment requires this level of security. In cases where a FIPS-certified device is required but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used. This provides a user experience similar to that of the standard YubiKey 5 Series.
FIPS Initialization Comparison: Level 1 vs Level 2
The FIPS Level 2 requirements include all of those for Level 1. Therefore, the FIPS Level 2 column in the table below lists only the differences.
| YubiKey Function | FIPS Level 1 | FIPS Level 2 |
|---|---|---|
| Touch-Triggered OTP | If writing a configuration to a slot over NFC, use a secure channel. | Set an access code for both OTP slots. If updating the configuration of either OTP slot or the NDEF behavior, use a secure channel. |
| OATH | If writing a credential over NFC, use a secure channel. | Set the Management key. When setting the Management key over USB or NFC, use a secure channel. When writing a credential over USB or NFC, use a secure channel. |
| PIV | If importing a key or setting the management key, use a secure channel. | Change the Management key, PIN and PUK from their default values. For any operation with the PIV function over NFC, use a secure channel. |
| U2F | No additional requirements | Must not be used. Recommendation: disable it and use the FIDO2 function instead. |
| FIDO2 | No additional requirements | Set a PIN. Set Credential Protection to level 2 for all discoverable credentials. Credential registration is not allowed over NFC. |
| Secure Channel | Change the transport keys from their default values. | No additional requirements |
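The following provisioning script, added here as an example and not part of Yubico's documentation or tooling, walks the FIPS Level 2 column of the table above using the `ykman` CLI (assumed to be installed and the key attached over USB). It does not cover the secure-channel (SCP03) requirements or the FIDO2 Credential Protection setting, which is requested by the relying party at registration time rather than configured on the key.

```shell
#!/bin/sh
# FIPS Level 2 provisioning helper for a YubiKey 5 FIPS (added example, not
# Yubico's own script). Set DRY_RUN=1 to print the commands instead of
# running them; run with --apply to provision an attached key.
set -eu

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

fips_level2_provision() {
  # Touch-triggered OTP: protect both slots with an access code.
  # OTP_ACCESS_CODE is a 6-byte (12 hex character) value chosen by the
  # operator; both slots are assumed to already hold a configuration.
  code="${OTP_ACCESS_CODE:?set OTP_ACCESS_CODE to 12 hex characters}"
  run ykman otp settings --new-access-code "$code" --force 1
  run ykman otp settings --new-access-code "$code" --force 2

  # OATH: set the Management key (ykman derives it from a password,
  # which it prompts for so it never appears on the command line).
  run ykman oath access change

  # PIV: replace the factory PIN, PUK and Management key. The factory
  # values passed here are published defaults, not secrets; the new PIN
  # and PUK are prompted for, and the Management key is generated on
  # the host and stored on the key protected by the PIN.
  run ykman piv access change-pin --pin 123456
  run ykman piv access change-puk --puk 12345678
  run ykman piv access change-management-key --generate --protect

  # U2F: not permitted at Level 2; disable it on both transports and
  # rely on FIDO2 instead.
  run ykman config usb --disable U2F --force
  run ykman config nfc --disable U2F --force

  # FIDO2: a PIN is mandatory (the new PIN is prompted for).
  run ykman fido access change-pin
}

case "${1:-}" in
  --apply) fips_level2_provision ;;
esac
```

Review the dry-run output before applying it, since the PIV and FIDO2 steps are interactive and the access code chosen for the OTP slots must be recorded for any later slot update.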
For more information on secure channel requirements from NIST, see NIST SP 800-63C and NIST SP 800-63B.