.. yk-intro.rst

.. _yk-intro-label:

==============================================
Introduction to the Different YubiKey Series
==============================================

Where applicable, throughout this guide, the YubiKey 5 Series, the YubiKey Bio Series, the YubiKey 5 FIPS Series and the YubiKey 5 CSPN Series are referred to collectively as the **YubiKey 5 (FIPS/CSPN) Series**. This label indicates that a certain specification or feature is available on all these Series. This is possible because they all share the same base hardware and many firmware features.

This topic introduces:

* :ref:`yk5-intro-label`
* :ref:`fips-intro-label`
* :ref:`bio-intro-label`
* :ref:`cspn-5-intro-label`
* :ref:`fw-gen-label`
* :ref:`sky-intro-label`

.. _yk5-intro-label:

YubiKey 5 Series
================

About the YubiKey 5 Series
--------------------------

The YubiKey 5 Series security keys offer strong authentication with support for multiple protocols, including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

* For those who just want to use a YubiKey without programming anything, the most useful part of this guide is :ref:`yk5-usb-interfaces-label`. This topic describes how the YubiKey connects and indicates what it can connect to. For an overview on setting up two-step verification in a typical case, see `Google on using a security key for 2-step verification `_.
* The full list of the services that work with YubiKeys is on Yubico's `Works With YubiKey `_ page.
* Most of the rest of this guide targets systems integrators, IT teams, or developers who expect to integrate support for YubiKeys into their environment.
All the YubiKeys in the YubiKey 5 Series have the basic functionalities and capabilities described in this guide, with the :ref:`yk5-apps-label` chapter listing these by protocol:

* :ref:`fido-two-label`
* :ref:`piv-smart-card-label`
* :ref:`oath-label`
* :ref:`yk5-apps-openpgp-label`
* :ref:`otp-label`
* :ref:`yubihsm-auth-label`

However, it is the firmware version that determines which of the more specialized functionalities and capabilities are available on your YubiKey. See :ref:`fw-gen-label`.

.. _fips-intro-label:

YubiKey 5 FIPS Series
=====================

Why FIPS?
---------

Federal Information Processing Standards (FIPS) are developed by the United States government for use in computer systems to establish requirements such as ensuring computer security and interoperability. The `National Institute of Standards and Technology (NIST) `_ and the Canadian Centre for Cyber Security (CCCS) run the NIST Cryptographic Module Validation Program (CMVP) as a collaborative effort. FIPS certification demonstrates that a product has gone through a rigorous audit process and adheres to a security standard that can be measured and quantified.

Many government organizations and government contractors are required to use FIPS-approved products, as are highly regulated industries in general. Other countries also recognize FIPS 140-2. For the U.S. government, the default is that FIPS is **required**.

Do You Require FIPS Keys?
-------------------------

If you do not have a security auditor, or the auditor does not have a compliance requirement, you probably do not need FIPS. The standard line of YubiKeys (the non-FIPS series) offers the same security, algorithms, and functionality. The standard line also evolves at a much more rapid pace because it does not need to complete an exhaustive validation process, which commonly takes a year or more.
Yubico can release standard firmware with new features and enhancements at any time, whereas FIPS-certified products must go through the FIPS validation process every time there is a firmware change.

About the YubiKey 5 FIPS Series
-------------------------------

The YubiKey 5 FIPS Series is FIPS 140-2 certified. It offers strong authentication with support for multiple protocols, including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

The cryptographic functionality of the YubiKey 5 FIPS Series devices is powered by the YubiKey 5 cryptographic module, a single-chip cryptographic processor with a non-extractable key store that handles all of the cryptographic operations. The YubiKey 5 cryptographic module is FIPS 140-2 certified, both Level 1 and Level 2 (Physical Security Level 3).

The YubiKey 5 FIPS Series cryptographic module is a security feature that supports multiple protocols designed to be embedded in USB security tokens. The module can generate, store, and perform cryptographic operations for sensitive data. It is accessed through an external touch-button for **Test of User Presence** in addition to a PIN for smart card authentication. The module implements the following major functions, depending on the firmware version on the YubiKey.

.. table:: YubiKey 5 FIPS Series Cryptographic Module Major Functions

   +-------------------------------------+-------------------+
   |Function                             |Firmware Versions  |
   |                                     +--------+----------+
   |                                     |5.4.2   |5.4.3     |
   +=====================================+========+==========+
   |Yubico One Time Password (OTP)       |yes     |yes       |
   +-------------------------------------+--------+----------+
   |OATH OTP authentication              |yes     |yes       |
   +-------------------------------------+--------+----------+
   |OpenPGP (version 3.4)                |-       |yes       |
   +-------------------------------------+--------+----------+
   |PIV-compatible smart card            |yes     |yes       |
   +-------------------------------------+--------+----------+
   |FIDO Universal 2nd Factor (U2F)      |yes     |yes       |
   +-------------------------------------+--------+----------+
   |FIDO2 WebAuthn                       |yes     |yes       |
   +-------------------------------------+--------+----------+
   |YubiHSM Auth                         |-       |yes       |
   +-------------------------------------+--------+----------+
   |SCP03                                |yes     |yes       |
   +-------------------------------------+--------+----------+

The YubiKey 5 FIPS Series hardware with the 5.4 firmware is certified as an authenticator under both FIPS 140-2 Level 1 and Level 2. It meets the highest authenticator assurance level 3 (AAL3) of NIST SP 800-63B guidance. To use security keys from the YubiKey 5 FIPS Series at Level 2, more stringent initialization is required than for Level 1. Guidance for Level 2 is detailed in :ref:`fips5-deploy-label`.

.. The same hardware with the 5.7.x firmware is being submitted for certification as FIPS 140-2 Level 3 (see :ref:`fips-140-2-3`).

FIPS-specific Aspects of the YubiKey 5 FIPS Series
--------------------------------------------------

The table below lists the configuration changes for the YubiKey 5 FIPS Series with the 5.4 firmware that are set at programming. These are in addition to the configuration options available in the YubiKey 5 FIPS Series.

.. table:: YubiKey 5 FIPS Series 5.4 Firmware Configuration Changes

   +------------------------+--------------------------------------------------------------+
   |Configuration Change    |Description                                                   |
   +========================+==============================================================+
   |Functional              |Enforce power-up self-test (firmware integrity and            |
   |                        |algorithm testing)                                            |
   +------------------------+--------------------------------------------------------------+
   |Minimum PIN length for  |6 alphanumeric characters                                     |
   |FIDO2                   |                                                              |
   +------------------------+--------------------------------------------------------------+
   |Identification (FIDO)   |Unique AAGUIDs for the FIDO Attestation (see **AAGUID Values**|
   |                        |in :ref:`fido-two-label`)                                     |
   +------------------------+--------------------------------------------------------------+
   |Attestation (FIDO)      |Attestation certificates for FIDO include a FIPS OID          |
   |                        |(1.3.6.1.4.1.41482.12)                                        |
   +------------------------+--------------------------------------------------------------+
   |FIDO ``GETINFO``        |Command returns a listing of FIPS certifications, as well as  |
   |                        |the FIPS-specific OIDs in the PIV and FIDO attestation        |
   |                        |certificates (see :ref:`Footnote 1 <fn-1-label>`).            |
   +------------------------+--------------------------------------------------------------+
   |Attestation (PIV)       |Attestation certificates for PIV include the FIPS Form Factor |
   |                        |identifier in the Form Factor OID (1.3.6.1.4.1.41482.3.9)     |
   +------------------------+--------------------------------------------------------------+
   |YubiKey Manager         |Form factor identifies FIPS Series devices (see               |
   |                        |:ref:`Footnote 2 <fn-2-label>`).                              |
   +------------------------+--------------------------------------------------------------+

.. _fn-1-label:

**Footnote 1**

The certifications that are supported by a FIDO authenticator can be returned in the `certifications `_ member of an `authenticatorGetInfo `_ response as set out in `paragraph 7.3.1. Authenticator Actions `_ of the `Client to Authenticator Protocol (CTAP) Review Draft of March 09, 2021 `_.
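As an added example (not Yubico's code), the following Python turns the two FIPS-series markers from the configuration-changes table above into a fail-closed "FIPS keys only" policy: it decodes the PIV attestation form factor byte using the values of the *Form Factor* table in Footnote 2 below, and checks a FIDO attestation certificate for the FIPS OID. It assumes the caller has already pulled the extension OIDs and the form factor extension value out of the certificates with an X.509 library, and that the extension value is handled as the plain one-byte value.

```python
from typing import Iterable, Optional, Tuple

# OIDs named in the configuration-changes table above.
FIPS_FIDO_ATTESTATION_OID = "1.3.6.1.4.1.41482.12"
FORM_FACTOR_OID = "1.3.6.1.4.1.41482.3.9"

# One-byte form factor values from the Form Factor table in Footnote 2.
# Columns: standard YubiKey, Security Key (FW 5.4+), FIPS YubiKey
# (FW 5.4+); None where the table says N/A.
_SERIES = ("Standard", "Security Key", "FIPS")
_FORM_FACTORS = {
    "UNDEFINED":                      (0x00, None, None),
    "Keychain, USB-A":                (0x01, 0x41, 0x81),
    "Nano, USB-A":                    (0x02, None, 0x82),
    "Keychain, USB-C":                (0x03, 0x43, 0x83),
    "Nano, USB-C":                    (0x04, None, 0x84),
    "Keychain with Lightning, USB-C": (0x05, None, 0x85),
}
# Reverse lookup: byte value -> (series, form factor name).
_BY_VALUE = {
    value: (series, name)
    for name, values in _FORM_FACTORS.items()
    for series, value in zip(_SERIES, values)
    if value is not None
}


def decode_form_factor(value: int) -> Tuple[str, str]:
    """Map the raw form factor byte to (series, form factor name).

    Undefined values raise ValueError so a policy on top fails closed.
    """
    if not 0 <= value <= 0xFF:
        raise ValueError(f"form factor must be one byte, got {value!r}")
    if value not in _BY_VALUE:
        raise ValueError(f"form factor 0x{value:02x} is not a defined value")
    return _BY_VALUE[value]


def is_fips_series(fido_attestation_oids: Optional[Iterable[str]],
                   piv_form_factor: Optional[int]) -> bool:
    """Decide from attestation evidence whether a key is FIPS Series.

    fido_attestation_oids: extension OIDs read from the FIDO attestation
    certificate (extraction is the caller's job), or None if absent.
    piv_form_factor: byte from the PIV attestation Form Factor extension
    (FORM_FACTOR_OID), or None if absent. Every piece of evidence given
    must say FIPS; none, an undefined byte or disagreement yields False.
    """
    verdicts = []
    if fido_attestation_oids is not None:
        verdicts.append(FIPS_FIDO_ATTESTATION_OID in set(fido_attestation_oids))
    if piv_form_factor is not None:
        try:
            verdicts.append(decode_form_factor(piv_form_factor)[0] == "FIPS")
        except ValueError:
            return False
    return bool(verdicts) and all(verdicts)
```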
.. _fn-2-label:

**Footnote 2**

Form factor is set during manufacturing and returned as a one-byte value. Currently defined values for this are set out in the *Form Factor* table below:

.. table:: Form Factor

   +------------------+----------------+------------------+------------------+
   |Form Factor       |Standard        |Security Key      |FIPS YubiKey      |
   |                  |YubiKey Value   |Value, FW 5.4+    |Value, FW 5.4+    |
   +==================+================+==================+==================+
   |UNDEFINED         |0x00            |N/A               |N/A               |
   +------------------+----------------+------------------+------------------+
   |Keychain, USB-A   |0x01            |0x41              |0x81              |
   +------------------+----------------+------------------+------------------+
   |Nano, USB-A       |0x02            |N/A               |0x82              |
   +------------------+----------------+------------------+------------------+
   |Keychain, USB-C   |0x03            |0x43              |0x83              |
   +------------------+----------------+------------------+------------------+
   |Nano, USB-C       |0x04            |N/A               |0x84              |
   +------------------+----------------+------------------+------------------+
   |Keychain with     |0x05            |N/A               |0x85              |
   |Lightning, USB-C  |                |                  |                  |
   +------------------+----------------+------------------+------------------+

.. _bio-intro-label:

YubiKey Bio Series
==================

The YubiKey Bio Series offers the familiar YubiKey experience users have come to know and trust, but adds the convenience of a new biometric touch feature. The series consists of two keys:

* The YubiKey Bio - FIDO Edition (USB-A form factor)
* The YubiKey C Bio - FIDO Edition (USB-C form factor)

Protocols Supported
-------------------

Both keys in the YubiKey Bio Series support the FIDO authentication protocols, and work with sites and applications that support the FIDO2 and FIDO U2F protocols (for more information, see :ref:`bio-fido2-label` and :ref:`bio-u2f-label`). FIDO2 (sometimes referred to as WebAuthn) builds upon FIDO U2F, and is the standard that enables the replacement of password-based authentication.
The YubiKey Bio Series provides firmware applications to support two modes of authentication through the FIDO2 and U2F protocols (see :ref:`bio-fido2-label` and :ref:`bio-u2f-label`). Even though the firmware applications are separate from one another, they share the same PIN and FIDO reset capability, which is to say that a FIDO ``reset`` resets both applications. To manage these applications, see :ref:`bio-tools-label`.

Using the YubiKey Bio
---------------------

For a quick start to using the YubiKey Bio Series, without a lot of details, see `Yubico's setup page `_. This guide, the *YubiKey Technical Manual*, provides:

* An explanation of the way the YubiKey Bio works (see :ref:`bio-how-it-works-label`) and descriptions of the different user experiences with the various protocols (see :ref:`bio-user-experience-label`).
* Full instructions for enrolling fingerprints using platform support:

  * :ref:`bio-chrome-enrolling-label` and
  * :ref:`bio-microsoft-enrolling-label`

* Brief descriptions of the protocols supported, in:

  * :ref:`bio-fido2-label` and
  * :ref:`bio-u2f-label`

* A brief explanation of the role the `Yubico Authenticator `_ plays in managing the YubiKey Bio.

Usage Notes
-----------

The YubiKey Bio implements biometrics as outlined in the `CTAP 2.1 specification `_. The best user experiences are provided by the YubiKey Bio with client applications and browsers that also implement CTAP 2.1. Applications and browsers that implement CTAP 1 or CTAP 2.0 also work with the YubiKey Bio. However, the UI on client devices is not as intuitive and there might be some limitations.

.. _bio-supported-protocols-label:

Interfaces and Applications
---------------------------

Interfaces
~~~~~~~~~~

Like all YubiKeys, the keys in the YubiKey Bio Series are USB 2.0 devices.

.. Note:: **Developers**: The USB PID and iProduct string are ``0x0402`` and ``YubiKey FIDO`` respectively. See `YubiKey USB ID Values `_.
Applications
~~~~~~~~~~~~

All keys in the YubiKey Bio Series support WebAuthn sites and applications that support the FIDO2 and FIDO U2F protocols. For more information, see :ref:`bio-fido2-label` and :ref:`bio-u2f-label`. FIDO2 (also known as WebAuthn) is the standard that enables the replacement of password-based authentication.

Each application can be enabled and disabled independently. Up to five fingerprints can be stored on a YubiKey Bio. For management, see :ref:`bio-troubleshooting-tools-label`.

----

.. _cspn-5-intro-label:

YubiKey 5 CSPN Series
=====================

Instructions on how to configure and use the YubiKey 5 in compliance with CSPN (“Certificat de Sécurité de Premier Niveau” [RD1]) are given in :ref:`cspn-specifics-label`. For each YubiKey application that requires specific configuration, there is a short introduction, the required settings to achieve the target, and a technical description of the configuration.

References
----------

.. list-table::
   :header-rows: 1
   :widths: 6 30 64

   * - Code
     - Document title
     - Reference (Link)
   * - [RD1]
     - Certification de sécurité de premier niveau des technologies de l'information
     - https://cyber.gouv.fr/produits-certifies/yubikey-5-series-version-firmware-542
   * - [RD2]
     - Certification Report BSI-DSZ-CC-0879-V4-2020
     - https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/CC/SmartCards_IC_Cryptolib/0879_0879V2_0879V3_0879V4_0879V5.html
   * - [RD3]
     - FIDO2: WebAuthn & CTAP
     - https://fidoalliance.org/fido2/
   * - [RD4]
     - NIST Special Publication 800-73 (PIV)
     - https://csrc.nist.gov/publications/detail/sp/800-73/4/final
   * - [RD5]
     - RFC 4226, An HMAC-Based One-Time Password Algorithm
     - https://tools.ietf.org/html/rfc4226
   * - [RD6]
     - T/Key: Second-Factor Authentication From Secure Hash Chains
     - https://arxiv.org/pdf/1708.08424.pdf
   * - [RD7]
     - Universal 2nd Factor (U2F) Overview
     - https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html
   * - [RD8]
     - W3C WebAuthn standard
     - https://www.w3.org/TR/webauthn-2/
   * - [RD9]
     - YubiKey CSPN security target
     - https://cyber.gouv.fr/produits-certifies/yubikey-5-series-version-firmware-542

.. _fw-gen-label:

Firmware
========

For a summary overview of the firmware features, see :ref:`firmware-label`, which includes the capability matrices, listing the features and form factors available per firmware version for each of the products in the YubiKey 5 Series and the Security Key Series. For more in-depth information about:

* the most recent firmware release, see :ref:`5.7-fw-specs`.
* the firmware prior to the current release, see :ref:`fw-before-5.6.x-label`.

.. include:: includes/firmware-overview.rst

NIST: FIPS
----------

Yubico submitted the firmware for releases 5.4.2 and 5.4.3 to NIST and the organization approved the certification. The certificates can be found `here `_. For more information about the YubiKey 5 FIPS Series, see :ref:`fips-specifics-label`.

ANSSI: CSPN
-----------

Yubico submitted release 5.4.2 to ANSSI for certification and the organization approved the certification. For more information about the YubiKey 5 CSPN Series, see :ref:`cspn-5-intro-label`.

.. For more specialized requirements, refer to the guides for the tools for YubiKey configuration, described more fully in :ref:`yk5-tools-label`.

----

.. _sky-intro-label:

Security Key Series
===================

The *Security Key Series* differs from the YubiKey 5 Series in that it comes only with the FIDO (FIDO2/FIDO U2F) protocols and the non-Enterprise Edition does not have a serial number. It is only available in USB-A + NFC and USB-C + NFC form factors.

The *Security Key Series - Enterprise Edition* is the same as the *Security Key Series* but includes a serial number to enable asset tracking. The serial number is on the back of the key and can also be read programmatically through the FIDO HID interface. It is only available in USB-A + NFC and USB-C + NFC form factors.

.. table:: Security Key Series Capabilities

   +----------------+----------------------+-----------------------+----------------------+-----------------------+
   |Capability      |Security Key Series   |Security Key Series -  |Security Key Series   |Security Key Series -  |
   |                |5.0.x-5.4.x           |Enterprise Edition     |5.7.x                 |Enterprise Edition     |
   |                |                      |5.4.x                  |                      |5.7.x                  |
   +================+======================+=======================+======================+=======================+
   |Serial Number   |No                    |Yes                    |No                    |Yes                    |
   +----------------+----------------------+-----------------------+----------------------+-----------------------+
   |Serial Number   |No                    |No                     |No                    |Yes                    |
   |over CCID       |                      |                       |                      |                       |
   +----------------+----------------------+-----------------------+----------------------+-----------------------+
   |PIN Complexity  |No                    |No                     |No                    |Yes                    |
   +----------------+----------------------+-----------------------+----------------------+-----------------------+

Serial Number over CCID
-----------------------

The serial number of the Yubico Security Key is retrievable without elevated privileges on Windows because the YubiKey Management Application is exposed over CCID. This change was introduced in firmware 5.7.0.

Video Tutorial
--------------

`Get started with Security Key Series `_

----

Click for `Yubico Support `_.

.. The features and capabilities made available by the 5.4 firmware are described in :ref:`firmware-label`.

.. For more specialized requirements, refer to the guides for the tools for YubiKey configuration, described more fully in :ref:`yk5-tools-label`.