FIPS Level 1 vs FIPS Level 2
The YubiKey 5 FIPS Series is certified in two modes of operations - one configuration which meets the requirements for FIPS Level 1, and a second, more restricted configuration that meets the requirements for FIPS Level 2.
The FIPS Level 2 configuration renders keys in the YubiKey 5 FIPS Series capable of being a component in a framework meeting the highest levels of authentication assurance. However, not every deployment requires this level of security. In cases where a FIPS-certified device is required, but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used. This provides a user experience like the standard YubiKey 5 Series user experience.
FIPS Initialization Comparison: Level 1 vs Level 2
The FIPS Level 2 requirements include all the those for Level 1. Therefore the FIPS Level 2 column in the table below lists only the differences.
|FIPS Level 1||FIPS Level 2|
If writing a configuration
to a slot over NFC, use a
Set Access code for both OTP slots.
If updating a configuration of
either OTP slot or the NDEF
behavior, use a secure channel.
If writing a credential
over NFC, use a secure
Set the Management key.
When setting the Management key
over USB or NFC, use a secure
When writing a credential over USB
or NFC, use a secure channel.
If importing a key or
setting the management key,
use a secure channel.
Change Management key, PIN and PUK
from default values.
For any operation with the PIV
function over NFC, use a secure
|U2F||No additional requirements||
Must be not be used. Recommendation
Disable and use the FIDO2 function
|FIDO2||No additional requirements||
Set a PIN.
Set Credential Protection to
level 2 for all discoverable
Credential Registration is not
allowed over NFC.
Change the default
transport keys from default
|No additional requirements|
For more information on secure channel requirements from NIST, see NIST SP 800-63-C and NIST SP 800-63B.