.. yk5-overview-5.4.x.rst

.. _firmware-label:

===================================================
Firmware Overview
===================================================

YubiKey 5 Series
================

5.7 Firmware
------------

The new 5.7 firmware for the YubiKey 5 Series has a number of new and improved features that will be available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in :ref:`5.7-fw-specs`. In addition to the features that are directly accessible, there are a number of features that require partner support.

.. include:: includes/firmware-overview.rst

The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed below in the :ref:`Firmware Capability Matrix `.

YubiKey 5 FIPS Series
=====================

.. _5.7.4-fw:

5.7.4 Firmware
--------------

Yubico is releasing a new firmware version, 5.7.4, for the submission to CMVP for FIPS 140-3 validation. The same hardware - namely all the YubiKeys in the 5 FIPS Series - is being submitted for certification as FIPS 140-3 Overall Level 2 and Physical Level 3 (see :ref:`fips-140-2-3`).

Yubico's aim in releasing this new firmware is to bring the new enterprise-focused features to users that require FIPS-certified authenticators.

Because the 5.7.4 firmware has not yet been evaluated by NIST, these keys are not FIPS keys as such. (Once we submit to NIST's Cryptographic Module Validation Program, customers will be able to check the `Modules In Process List `_ for updates on its progress through the program.) YubiKeys with our 5.7.4 firmware will therefore have all the same functions as our FIPS keys, which is why this firmware is listed in the :ref:`fips-functions-table` table below, even though it is not formally certified as FIPS and not yet acceptable in a FIPS environment.

.. Note::
   FIPS 140-2 is a regulation that will be deprecated in May 2026. At that point, auditors typically recommend that authenticators certified under FIPS 140-2 not be deployed in new deployments. They can continue to be used in existing deployments, but authenticators deployed in new environments must have a valid certificate that is not expired. FIPS 140-2 is being replaced by FIPS 140-3, therefore any new submissions must fulfill the FIPS 140-3 requirements.

The new features in 5.7.4 are:

* Enterprise Attestation to support use cases such as derived FIDO credentials
* FIDO2, PIV and OpenPGP minimum PIN length is now 8
* PIN complexity is on by default to adhere to `NIST Special Publication 800-63B `_ (and `800-63B-4 `_)

Larger key sizes will provide better protection than smaller key sizes until Post-Quantum-Cryptography is mature.

The FIPS 140-3 requirements are very different from those of FIPS 140-2. For a detailed description of those requirements, see :ref:`fips-140-2-3`.

.. _pre-5.7.4-fw:

5.6 and 5.7 Firmware Prior to 5.7.4
-----------------------------------

The new 5.7 firmware for the YubiKey 5 Series has a number of new and improved features that will be available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in :ref:`5.7-fw-specs`. In addition to the features that are directly accessible, there are a number of features that require partner support.

.. include:: includes/firmware-overview.rst

The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed in the :ref:`Firmware Capability Matrix `.

One example of a firmware-dependent feature is restricted NFC: with firmware 5.7, the NFC function is not activated until the YubiKey is plugged into a device. Plugging it in activates the NFC function. For more detail on this specific feature, see :ref:`restricted-nfc`.

.. _sky-ent:

Security Key Series
===================

The Security Key Series - including Enterprise Edition - will be updated with the latest firmware, including the updates from FIDO listed above.

The Enterprise Edition will have the following additional updates:

* Minimum PIN length set to 6
* PIN Complexity turned on by default (and cannot be turned off)
* Serial number retrievable by client software in Windows without requiring elevated privileges (admin rights), since the YubiKey management application is accessible via CCID. This enables use cases where client software needs to read the serial number of the authenticator.

.. _fw-capability-matrix:

.. include:: includes/history_separated.rst

----------

Click for `Yubico Support `_.