OATH: FIPS 140-2 with YubiKey 5 FIPS Series

The YubiKey 5 FIPS OATH application can store up to 32 OATH credentials, either OATH-TOTP (time-based) or OATH-HOTP (counter-based), as defined in the OATH specification. These credentials are separate from those stored in the OTP application, and can only be accessed via the CCID channel.

When an OATH-HOTP credential is programmed, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey will automatically type the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the openauthentication.org Token Identifier Specification.

To manage the OATH credentials and read the OTPs generated by the YubiKey, the Yubico Authenticator is required. The Yubico Authenticator is supported on Windows, Linux, macOS, Android and iOS.

FIPS 140-2 Level 2: Placing the OATH Application in FIPS-approved Mode

Access to the YubiKey 5 FIPS Series OATH application must be protected with an Authentication Key for the application to be in a FIPS-approved mode of operation. To get the permitted values for the following operation, see Credentials and Permitted Values.

The crypto officer can set the Authentication Key using the YubiKey Manager Command Line Interface (CLI).

To set an Authentication Key using the YubiKey Manager CLI, use the command:

ykman oath access change -n=<Authentication Key>

where <Authentication Key> is the Authentication Key to be set.