OTP: FIPS 140-2 with YubiKey 5 FIPS Series

The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot 1 during manufacturing.

  • Trigger the YubiKey to produce the credential in the first slot by briefly touching the metal contact of the YubiKey.
  • If a credential has been programmed to the second slot, trigger the YubiKey to produce it by touching the contact for 3 seconds.

Output is sent as a series of keystrokes from a virtual keyboard.

Yubico OTP

Yubico OTP is a strong authentication mechanism that is supported by all YubiKey 5 FIPS Series. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.

The OTP generated by the YubiKey has two parts, with the first 12 characters being the public identity which a validation server can link to a user, while the remaining 32 characters are the unique passcode that is changed each time an OTP is generated.

The character representation of the Yubico OTP is designed to handle a variety of keyboard layouts. It is crucial that the same code is generated if a YubiKey is inserted into a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. The “Modhex”, or Modified Hexadecimal coding, was invented by Yubico to use only specific characters to ensure that the YubiKey works with the maximum number of keyboard layouts. (USB keyboards send their keystrokes by means of “scan codes” rather than the actual character. The translation to keystrokes is done by the device to which the YubiKey is connected).

OTP Deployment

The YubiKey 5 FIPS Series OTP application supports two independent OTP configurations, known as OTP slots. The OTP slots can be configured to output an OTP created with the Yubico OTP or OATH-HOTP algorithm, a HMAC-SHA1 hashed response to a provided challenge or a static password. The output of OTP slot 1 is triggered by a short touch (1~3 seconds) on the gold contact and the output of OTP slot 2 is triggered by a long touch (+3 seconds).

A 6-byte access code can be set on slot 1 and slot 2 independently. Once set, the OTP slot’s access code is required when modifying, overwriting or deleting the configuration on the respective OTP slot. By default, the YubiKey is shipped without any access code.

FIPS 140-2 Level 2: Placing the OTP Application in FIPS-approved Mode

Each OTP slot must be locked down with an access code for the YubiKey 5 FIPS Series OTP application to be in a FIPS-approved mode of operation. By default, no access codes is set for either slot.

  • An access code must be applied to each OTP slot, either:
    • When writing a new configuration or
    • By updating an existing configuration in an OTP slot.
  • An access code cannot be applied to an empty OTP slot.
  • To secure an unused OTP slot, use a blank OTP configuration with an access code.
  • YubiKey 5 FIPS Series devices must either be deployed with
    • The OTP slots already set with an access code, or
    • An OTP application or service which configures the access code on both slots on enrollment.
  • The OTP slot access codes must be archived so that only the crypto officer alone can access them, as the access codes are used when resetting the OTP application.

Using the YubiKey Manager to Set Access Codes

The crypto officer can set an access code to the OTP slots using the YubiKey Manager Command Line Interface (CLI).

To apply an access code to a configuration using the YubiKey Manager CLI, include the flag --new-access-code=<access code> in the OTP configuration string. The command must be of the format:

ykman otp settings --new-access-code=<access code> [OTP Slot]

where <access code> is the access code to be set, and [OTP Slot] is either 1 or 2 depending on if the OTP configuration is being applied to OTP slot 1 or OTP slot 2. For the characteristics of the access code, see Credentials and Permitted Values. For full details on setting an OTP configuration using the YubiKey Manager CLI, see the section of that name in the YubiKey Manager CLI & GUI Guide.

To fill a blank OTP slot with a default configuration, use the command:

ykman otp chalresp --generate [OTP Slot]

where [OTP Slot] is either 1 or 2 depending on if the OTP configuration is being applied to OTP slot 1 or OTP slot 2.