.. yk5-fips-oath.rst

.. _yk5-fips-oath-label:

====================================
OATH Configuration with FIPS
====================================

The YubiKey 5 FIPS OATH application can store up to 32 OATH credentials, either OATH-TOTP (time-based) or OATH-HOTP (counter-based), as defined in the `OATH specification `_. These credentials are separate from those stored in the OTP application. They can only be accessed through the CCID channel.

When an OATH-HOTP credential is programmed, the OTP is generated using the standard `RFC 4226 `_ HOTP algorithm and the YubiKey automatically types the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the `openauthentication.org Token Identifier Specification `_.

Managing the OATH credentials and reading the OTPs generated by the YubiKey requires the `Yubico Authenticator `_. The Yubico Authenticator is supported on Windows, Linux, macOS, Android and iOS.

OATH FIPS-approved Mode with FIPS 140-2 Level 2
================================================

For an application to be in a FIPS-approved mode, an Authentication Key that protects access to the YubiKey 5 FIPS Series OATH application is required. To get the permitted values for the following operation, see :ref:`credential-values-label`.

The crypto officer can set the Authentication Key using the ykman CLI.

.. include:: includes/ykman.rst

To set an Authentication Key using the ykman CLI, use the command ``ykman oath access change -n``, where the value supplied to ``-n`` is the Authentication Key to be set.
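
The RFC 4226 HOTP computation mentioned above, its time-based OATH-TOTP counterpart, and the check a validation server runs on a submitted OTP, as an added example that is not part of the original page or of Yubico's code. The function names, the six-digit default, the 30-second step and the look-ahead window of 3 are assumptions; the key is the published RFC 4226 test secret, and any public identity prefix is assumed to have been stripped already.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


def verify_hotp(key: bytes, submitted: str, server_counter: int,
                window: int = 3, digits: int = 6):
    """Return the counter to store next if the OTP is valid, else None.

    The look-ahead window tolerates OTPs that were generated on the token
    but never reached the server. On a match the stored counter moves past
    the matched value, so an OTP that was already accepted cannot be replayed.
    """
    for candidate in range(server_counter, server_counter + window + 1):
        expected = hotp(key, candidate, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return candidate + 1
    return None


# Constructed sample input: the shared secret from the RFC 4226 test vectors.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_KEY, 0))
    print("TOTP at t=59  :", totp(RFC_KEY, 59, digits=8))
    # Server last stored counter 1; the token has advanced to counter 3.
    print("next counter  :", verify_hotp(RFC_KEY, "969429", 1))
    # An OTP from counter 0 is behind the stored counter and is rejected.
    print("replayed OTP  :", verify_hotp(RFC_KEY, "755224", 1))
```
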