FIPS Level 1 vs FIPS Level 2

The YubiKey 5 FIPS Series is certified in two modes of operation: one configuration that meets the requirements for FIPS Level 1, and a second, more restricted configuration that meets the requirements for FIPS Level 2.

The FIPS Level 2 configuration renders keys in the YubiKey 5 FIPS Series capable of being a component in a framework meeting the highest levels of authentication assurance. However, not every deployment requires this level of security. In cases where a FIPS-certified device is required, but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used. This configuration provides a user experience similar to that of the standard YubiKey 5 Series.

FIPS Initialization Comparison: Level 1 vs Level 2

The FIPS Level 2 requirements include all of those for Level 1. Therefore, the FIPS Level 2 column in the table below lists only the differences.

| YubiKey Function | FIPS Level 1 | FIPS Level 2 |
|---|---|---|
| Touch-Triggered OTP | If writing a configuration to a slot over NFC, use a secure channel. | Set Access code for both OTP slots. If updating a configuration of either OTP slot or the NDEF behavior, use a secure channel. |
| OATH | If writing a credential over NFC, use a secure channel. | Set the Management key. When setting the Management key over USB or NFC, use a secure channel. When writing a credential over USB or NFC, use a secure channel. |
| PIV | If importing a key or setting the management key, use a secure channel. | Change Management key, PIN and PUK from default values. For any operation with the PIV function over NFC, use a secure channel. |
| U2F | No additional requirements | Must be disabled. Use the FIDO2 function in exchange. |
| FIDO2 | No additional requirements | Set a PIN. Set Credential Protection to level 2 for all discoverable credentials. Credential Registration is not allowed over NFC. |
| Secure Channel | Change the transport keys from their default values. | No additional requirements |

For more information on secure channel requirements from NIST, see NIST SP 800-63C and NIST SP 800-63B.
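
The table above can be turned into a fleet audit: the following added example (not Yubico code) checks one key's inventory record against the state-based requirements for each level, with the Level 2 list extending the Level 1 list. The record field names and the sample record are hypothetical and constructed for illustration; the "use a secure channel" rows are procedural and cannot be verified from device state, so they are not covered.

```python
# Added example: field names are hypothetical, the sample record is constructed.
# Level 2 includes every Level 1 requirement, so its list extends Level 1's.
LEVEL1 = [
    ("Secure Channel: transport keys changed from default",
     lambda k: not k["scp_default_transport_keys"]),
]
LEVEL2 = LEVEL1 + [
    ("OTP: access code set on both slots",
     lambda k: all(k["otp_access_code_set"][slot] for slot in (1, 2))),
    ("OATH: management key set",
     lambda k: k["oath_management_key_set"]),
    ("PIV: management key, PIN and PUK changed from default",
     lambda k: not any(k["piv_defaults"][c] for c in ("mgmt_key", "pin", "puk"))),
    ("U2F: disabled",
     lambda k: not k["u2f_enabled"]),
    ("FIDO2: PIN set",
     lambda k: k["fido2_pin_set"]),
    # The table states level 2, so exactly that value is required here.
    ("FIDO2: Credential Protection level 2 on all discoverable credentials",
     lambda k: all(c["cred_protect"] == 2 for c in k["fido2_discoverable"])),
]

def audit(key, level):
    """Return the names of unmet requirements for the target FIPS level."""
    checks = {1: LEVEL1, 2: LEVEL2}[level]  # KeyError on an unknown level
    failed = []
    for name, check in checks:
        try:
            ok = bool(check(key))
        except (KeyError, TypeError):
            ok = False  # missing or malformed inventory data fails closed
        if not ok:
            failed.append(name)
    return failed

# Constructed record: transport keys rotated, most other settings at defaults.
LEVEL1_KEY = {
    "scp_default_transport_keys": False,
    "otp_access_code_set": {1: True, 2: False},
    "oath_management_key_set": False,
    "piv_defaults": {"mgmt_key": True, "pin": True, "puk": False},
    "u2f_enabled": True,
    "fido2_pin_set": True,
    "fido2_discoverable": [{"rp": "example.org", "cred_protect": 1}],
}

if __name__ == "__main__":
    for lvl in (1, 2):
        print(f"Level {lvl} gaps:", audit(LEVEL1_KEY, lvl) or "none")
```

A record with missing fields is reported as non-compliant rather than skipped, so an incomplete inventory cannot pass as Level 2.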