.. yk5-fips-fido.rst

.. _yk5-fips-fido-label:

====================================
FIDO Configuration with FIPS
====================================

The YubiKey 5 FIPS Series supports FIDO U2F and FIDO2 WebAuthn.

FIDO2 (WebAuthn)
==================

Like FIDO U2F, the `FIDO2 `_ standard offers the same high level of security, as it is based on public key cryptography. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey enables storing resident credentials. Resident credentials can hold the username and other data, which enables truly passwordless authentication. Keys in the YubiKey 5 FIPS Series can hold up to 25 resident keys. See :ref:`yk5-locking-fido-credentials-label`.

FIDO2 (WebAuthn) FIPS-approved Mode
--------------------------------------------------------

For the YubiKey WebAuthn application to be in a FIPS-approved mode of operation, a WebAuthn PIN must be set. By default, no WebAuthn PIN is set.

To **set or change the WebAuthn PIN**, use the ykman CLI with the following command:

``ykman fido access change-pin -n <PIN>``

where ``<PIN>`` is the WebAuthn PIN to be set. See :ref:`credential-values-label` for PIN requirements.

FIDO U2F
===========

`FIDO U2F `_ is an open standard that provides strong, phishing-resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.

U2F with FIPS 140-2 Level 2
----------------------------

The YubiKey 5 U2F FIPS application cannot be used in FIPS 140-2 Level 2 mode. Instead of the U2F functionality, use the FIDO WebAuthn application. FIPS-certified services should not call the U2F functionality; nonetheless, disable the U2F function on the YubiKey to ensure it is not used.

To disable U2F over USB and NFC, use the commands:

.. code-block:: bash

   ykman config usb -dU2F
   ykman config nfc -dU2F

To **ensure users cannot enable U2F**, secure access to it with a management lock code. To set this code, use the command:

``ykman config set-lock-code -n <LOCK_CODE>``

where ``<LOCK_CODE>`` is a 16 byte (32 character) hex value.

.. Note:: The lock code prevents anyone without it from changing the functions that are accessible over NFC or USB. The lock code cannot be recovered if lost. Losing the lock code makes the YubiKey permanently inaccessible.

----
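The following helper script is an added example, not part of Yubico's documentation: it wraps the U2F-disable and lock-code steps above into one idempotent routine and adds an audit function that reads ``ykman info`` output and fails if the ``FIDO U2F`` row is still enabled on USB or NFC. It assumes the ``Applications / USB / NFC`` table layout ykman prints and the ``-f`` (force) flag on ``ykman config``; the sample output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not Yubico's code). Assumes `ykman info` prints an
# "Applications  USB  NFC" table with a "FIDO U2F" row; adjust if yours differs.

# Generate a random 16-byte (32 hex character) management lock code.
gen_lock_code() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Return 0 if the argument is a well-formed lock code: exactly 32 hex chars.
valid_lock_code() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Read `ykman info` output on stdin; return 0 only if the "FIDO U2F" row
# shows the application Disabled on both USB ($3) and NFC ($4).
u2f_disabled() {
    awk '/^FIDO U2F/ { found = 1; if ($3 == "Disabled" && $4 == "Disabled") ok = 1 }
         END { if (found && ok) exit 0; exit 1 }'
}

# Apply the page's configuration: disable U2F over USB and NFC, then set a
# fresh lock code so the interface settings cannot be changed without it.
# (-f assumed to skip ykman's interactive confirmation.)
apply_fips_fido_config() {
    code=$(gen_lock_code)
    valid_lock_code "$code" || return 1
    ykman config usb -d U2F -f &&
    ykman config nfc -d U2F -f &&
    ykman config set-lock-code -n "$code" &&
    printf 'Lock code (store securely; it cannot be recovered): %s\n' "$code"
}

# Constructed samples of `ykman info` output, before and after hardening.
SAMPLE_BEFORE='Applications	USB     	NFC
FIDO2       	Enabled 	Enabled
FIDO U2F    	Enabled 	Enabled
PIV         	Enabled 	Enabled'

SAMPLE_AFTER='Applications	USB     	NFC
FIDO2       	Enabled 	Enabled
FIDO U2F    	Disabled	Disabled
PIV         	Enabled 	Enabled'
```

Run ``ykman info | u2f_disabled`` after ``apply_fips_fido_config`` to confirm the U2F row reads Disabled on both transports; a non-zero exit means the key is not yet in the configuration this page requires.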