FIPS Level 1 vs FIPS Level 2

The YubiKey 5 FIPS Series is certified in two modes of operation: one configuration that meets the requirements for FIPS Level 1, and a second, more restricted configuration that meets the requirements for FIPS Level 2.

The FIPS Level 2 configuration makes a YubiKey 5 FIPS Series key usable as a component in a framework meeting the highest levels of authentication assurance. However, not every deployment requires this level of security. Where a FIPS-certified device is required but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used; it provides a user experience similar to that of the standard YubiKey 5 Series.

FIPS Initialization Comparison: Level 1 vs Level 2

The FIPS Level 2 requirements include all those for Level 1. Therefore, the FIPS Level 2 column in the table below lists only the differences.

| Function | FIPS Level 1 | FIPS Level 2 |
|---|---|---|
| OTP | If writing a configuration to a slot over NFC, use a secure channel. | Set an access code for both OTP slots. If updating the configuration of either OTP slot or the NDEF behavior, use a secure channel. |
| OATH | If writing a credential over NFC, use a secure channel. | Set the Management key. When setting the Management key over USB or NFC, use a secure channel. When writing a credential over USB or NFC, use a secure channel. |
| PIV | If importing a key or setting the management key, use a secure channel. | Change the Management key, PIN and PUK from their default values. For any operation with the PIV function over NFC, use a secure channel. |
| U2F | No additional requirements | Must be disabled. Use the FIDO2 function instead. |
| FIDO2 | No additional requirements | Set a PIN. Set Credential Protection to level 2 for all discoverable credentials. Credential registration is not allowed over NFC. |
| (function not named in the extracted page) | Change the transport keys from their default values. | No additional requirements |

For more information on secure channel requirements from NIST, see NIST SP 800-63C and NIST SP 800-63B.
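To make the table usable in tooling, here is an added example (not Yubico's code) that encodes its per-operation rules as a policy decision for a single operation. The function, operation and transport names are assumptions chosen for this illustration; Level 2 is evaluated as the Level 1 rules plus the Level 2 differences, as the text above states.

```python
# Added illustration, not Yubico code: the Level 1 / Level 2 table above as a
# policy decision for one operation. Function, operation and transport names
# are assumed for this example. Level 2 applies every Level 1 rule and then
# its own additional rules, since the Level 2 column lists only differences.

SECURE_CHANNEL = "secure channel"
NOT_ALLOWED = "not allowed"
OK = "ok"


def fips_policy(level: int, function: str, operation: str, transport: str) -> str:
    """Return OK, SECURE_CHANNEL or NOT_ALLOWED for one operation.

    level: 1 or 2.  function: "OTP", "OATH", "PIV", "U2F" or "FIDO2".
    operation: assumed names ("write_slot", "write_ndef", "write_credential",
    "set_management_key", "import_key", "register"); any other string means
    an operation the table does not single out.  transport: "usb" or "nfc".
    """
    if level not in (1, 2):
        raise ValueError(f"unknown FIPS level {level!r}")
    nfc = transport == "nfc"
    if function == "U2F":
        # Level 2: U2F must be disabled; FIDO2 is used in its place.
        return NOT_ALLOWED if level == 2 else OK
    if function == "OTP":
        if level == 2 and operation in ("write_slot", "write_ndef"):
            return SECURE_CHANNEL  # Level 2: slot or NDEF changes on any transport
        if operation == "write_slot" and nfc:
            return SECURE_CHANNEL  # Level 1: writing a slot configuration over NFC
        return OK
    if function == "OATH":
        if level == 2 and operation in ("write_credential", "set_management_key"):
            return SECURE_CHANNEL  # Level 2: over USB or NFC
        if operation == "write_credential" and nfc:
            return SECURE_CHANNEL  # Level 1: writing a credential over NFC
        return OK
    if function == "PIV":
        if operation in ("import_key", "set_management_key"):
            return SECURE_CHANNEL  # Level 1: either transport
        if level == 2 and nfc:
            return SECURE_CHANNEL  # Level 2: any PIV operation over NFC
        return OK
    if function == "FIDO2":
        if level == 2 and operation == "register" and nfc:
            return NOT_ALLOWED  # Level 2: no credential registration over NFC
        return OK
    raise ValueError(f"unknown function {function!r}")
```

The one-time setup requirements in the table (access codes, PIN, PUK and management key changes, Credential Protection level 2) describe device state rather than a single operation and are outside what this function checks.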