Introductions to the Different YubiKey Series

Throughout the YubiKey Technical Manual, different YubiKeys are referred to collectively as, for example, “YubiKey 5 (FIPS/CSPN) Series”. This indicates that a certain specification or feature is available on the YubiKey 5 Series, the YubiKey 5 FIPS Series and the YubiKey 5 CSPN Series, because they share the same base hardware and many firmware features.

YubiKey 5 Series

About the YubiKey 5 Series

The YubiKey 5 Series security keys offer strong authentication with support for multiple protocols, including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

  • For those who just want to use a YubiKey without programming anything, the most useful part of this guide will be Understanding the USB Interfaces, which describes how the YubiKey connects, and indicates what it can connect to.

    For an overview on setting up two-step verification in a typical case, see Google on using a security key for 2-step verification.

  • The full list of the services that work with YubiKeys is on Yubico’s Works With YubiKey page.

  • Most of the rest of this guide targets systems integrators, IT teams, or developers who expect to integrate support for YubiKeys into their environment.

All the YubiKeys in the YubiKey 5 Series have the basic functionalities and capabilities described in this guide. However, it is the firmware version that determines which of the more specialized functionalities and capabilities are available to your YubiKey.

YubiKey 5 FIPS Series

Why FIPS?

Federal Information Processing Standards (FIPS) are developed by the United States government for use in computer systems to establish requirements such as ensuring computer security and interoperability. The National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) run the NIST Cryptographic Module Validation Program (CMVP) as a collaborative effort.

FIPS certification demonstrates that a product has gone through a rigorous audit process and adheres to a security standard that can be measured and quantified.

Many government organizations and government contractors are required to use FIPS-approved products, as are highly-regulated industries in general. Other countries also recognize FIPS 140-2. For the US government, the default is that FIPS is required.

Do You Require FIPS Keys?

If you do not have a security auditor, and/or the auditor does not have a compliance requirement, you probably do not need FIPS. The standard line of YubiKeys offers the same security, algorithms and functionality. The standard line also evolves at a much more rapid pace because it does not need to go through an exhaustive validation process, which commonly takes a year or more. Yubico can release standard firmware with new features, enhancements, etc. at any time, whereas FIPS-certified products must go through the FIPS validation process every time there is a change.

About the YubiKey 5 FIPS Series

The YubiKey 5 FIPS Series is FIPS 140-2 certified. It offers strong authentication with support for multiple protocols - including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

The cryptographic functionality of the YubiKey 5 FIPS Series devices is powered by the YubiKey 5 cryptographic module, a single-chip cryptographic processor with a non-extractable key store that handles all of the cryptographic operations. The module is FIPS 140-2 certified at both Level 1 and Level 2 (with Physical Security at Level 3).

The YubiKey 5 FIPS Series cryptographic module is a secure element that supports multiple protocols designed to be embedded in USB security tokens. The module can generate, store, and perform cryptographic operations for sensitive data and can be utilized via an external touch-button for Test of User Presence in addition to PIN for smart card authentication. The module implements the following major functions, depending on the firmware version you have:

Function                         Firmware 5.4.2   Firmware 5.4.3
Yubico One Time Password (OTP)   yes              yes
OATH OTP authentication          yes              yes
OpenPGP (version 3.4)            -                yes
PIV-compatible smart card        yes              yes
FIDO Universal 2nd Factor (U2F)  yes              yes
FIDO2 WebAuthn                   yes              yes
YubiHSM Auth                     -                yes
SCP03                            yes              yes

The YubiKey 5 FIPS Series hardware with the 5.4 firmware is certified as an authenticator under both FIPS 140-2 Level 1 and Level 2. It meets the highest authenticator assurance level, AAL3, of the NIST SP 800-63B guidance. To use security keys from the YubiKey 5 FIPS Series at Level 2, more stringent initialization is required than for Level 1. Guidance for Level 2 is set out in detail in the following sections.

FIPS-specific Aspects of the YubiKey 5 FIPS Series

Distinguishing the YubiKey 5 FIPS Series from the YubiKey 5 Series with the 5.4 firmware are the following configuration changes, set at programming:

Configuration Change          Description
Functional                    Enforce power-up self-test (firmware integrity and algorithm testing)
Minimum PIN length for FIDO2  6 alphanumeric characters
Identification (FIDO)         Unique AAGUIDs for the FIDO Attestation
Attestation (FIDO)            Attestation certificates for FIDO include a FIPS OID (1.3.6.1.4.1.41482.12)
FIDO GETINFO                  Command returns a listing of FIPS, as well as the FIPS-specific OIDs in the PIV and FIDO attestation certificates.*
Attestation (PIV)             Attestation certificates for PIV include the FIPS Form Factor identifier** in the Form Factor OID (1.3.6.1.4.1.41482.3.9)
YubiKey Manager               Form factor identifies FIPS Series devices.**

* The certifications that are supported by a FIDO authenticator can be returned in the certifications member of an authenticatorGetInfo response, as set out in section 7.3.1 (Authenticator Actions) of the Client to Authenticator Protocol (CTAP) Review Draft of March 09, 2021.

** Form factor is set during manufacturing and returned as a one-byte value. Currently defined values for this are:

Form Factor

Form Factor                        Standard YubiKey Value  Security Key Value (FW 5.4+)  FIPS YubiKey Value (FW 5.4+)
UNDEFINED                          0x00                    N/A                           N/A
Keychain with USB-A                0x01                    0x41                          0x81
Nano with USB-A                    0x02                    N/A                           0x82
Keychain with USB-C                0x03                    0x43                          0x83
Nano with USB-C                    0x04                    N/A                           0x84
Keychain with Lightning and USB-C  0x05                    N/A                           0x85
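As an added example (not Yubico's code), the following Python shows how an enrollment script or relying party could use the two Yubico extension OIDs and the form factor values above to confirm that an attestation certificate came from a FIPS Series key, and to reject a certificate whose two indicators disagree. It assumes the certificate has already been parsed with an X.509 library and that the extensions are passed as a dict of dotted OID string to the extension's value bytes; the bit layout of the form factor byte is read off the value columns of the table.

```python
# Added example, not Yubico's code: decide from the Yubico attestation-certificate
# extensions described above whether a key is a YubiKey 5 FIPS Series device.
# Assumption: the caller has parsed the certificate with an X.509 library and passes
# the extensions as {dotted OID string: inner value bytes}; that step is not shown.

FIPS_OID = "1.3.6.1.4.1.41482.12"          # FIPS OID in FIDO attestation certificates
FORM_FACTOR_OID = "1.3.6.1.4.1.41482.3.9"  # Form Factor OID in PIV attestation certificates

# Low nibble of the form factor byte is the physical form factor (table above).
FORM_FACTORS = {
    0x0: "UNDEFINED",
    0x1: "Keychain with USB-A",
    0x2: "Nano with USB-A",
    0x3: "Keychain with USB-C",
    0x4: "Nano with USB-C",
    0x5: "Keychain with Lightning and USB-C",
}
# High bits, as read off the value columns: 0x8x = FIPS YubiKey, 0x4x = Security Key.
FIPS_FLAG, SECURITY_KEY_FLAG = 0x80, 0x40

def decode_form_factor(value: bytes) -> dict:
    """Decode the one-byte form factor value into shape plus series flags."""
    if len(value) != 1:
        raise ValueError("form factor value must be exactly one byte")
    code = value[0]
    shape = FORM_FACTORS.get(code & 0x0F)
    if shape is None or code & 0x30:  # shape not in the table, or bits the table never uses
        raise ValueError(f"unknown form factor value 0x{code:02x}")
    return {"form_factor": shape,
            "fips": bool(code & FIPS_FLAG),
            "security_key": bool(code & SECURITY_KEY_FLAG)}

def fips_series_check(extensions: dict) -> dict:
    """Report whether the certificate identifies a FIPS Series key.

    A FIDO attestation carries the FIPS OID and a PIV attestation carries the form
    factor OID, so either may be absent. If both are present and disagree, reject
    the certificate instead of trusting the stronger claim.
    """
    has_fips_oid = FIPS_OID in extensions
    decoded = None
    if FORM_FACTOR_OID in extensions:
        decoded = decode_form_factor(extensions[FORM_FACTOR_OID])
    if has_fips_oid and decoded is not None and not decoded["fips"]:
        raise ValueError("FIPS OID present but form factor byte is not a FIPS value")
    return {"fips_series": has_fips_oid or bool(decoded and decoded["fips"]),
            "form_factor": decoded}
```

Feeding it a constructed PIV attestation extension such as `{FORM_FACTOR_OID: b"\x83"}` reports a FIPS Keychain with USB-C, while a value with reserved bits set is rejected rather than guessed at.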

Firmware

The YubiKey firmware is separate from the YubiKey itself in the sense that it is put onto each YubiKey in a process separate from the manufacture of the physical key. Nonetheless, once loaded it can be neither removed nor altered. Yubico periodically updates the YubiKey firmware to take advantage of features and capabilities introduced into operating systems such as Windows, macOS and Ubuntu, as well as to enable new YubiKey features.

The firmware version on a YubiKey or an HSM therefore determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use the YubiKey Manager tool (ykman), a lightweight software package installable on any OS. The YubiKey Manager has both a graphical user interface (GUI) and a command line interface (CLI).

Yubico has submitted the same firmware - releases 5.4.2 and 5.4.3 - to NIST and it has submitted release 5.4.2 to ANSSI for certification. Both organizations have approved certification.

Security Key Series

Overview

The Security Key Series differs from a YubiKey 5 Series in that it comes only with the FIDO (FIDO2/FIDO U2F) protocol and does not have a serial number. It is only available in USB-A + NFC and USB-C + NFC form factors.

However, the Security Key Series - Enterprise Edition is the same as a Security Key Series but with a serial number to allow for asset tracking. The serial number can be read visually on the back of the key and programmatically through the FIDO HID interface. It is only available in USB-A + NFC and USB-C + NFC form factors.

Get started with Security Key Series (video tutorial)

YubiKey Bio Series

The YubiKey Bio Series offers the familiar YubiKey experience users have come to know and trust, but adds the convenience of a new biometric touch feature.

The series consists of two keys:

  • The YubiKey Bio - FIDO Edition (USB-A form factor)
  • The YubiKey C Bio - FIDO Edition (USB-C form factor)

Protocols Supported

Both keys in the YubiKey Bio Series support the FIDO authentication protocols, and will work with sites and applications that support the FIDO2 and FIDO U2F protocols (for more information, see YubiKey Bio and FIDO2 and YubiKey Bio and FIDO U2F). FIDO2 (sometimes referred to as WebAuthn) builds upon FIDO U2F, and is the standard which enables the replacement of password-based authentication.

The YubiKey Bio Series provides firmware applications to support two modes of authentication via the FIDO2 and U2F protocols (see YubiKey Bio and FIDO2 and YubiKey Bio and FIDO U2F). Even though the firmware applications are separate from one another, they both share the same PIN and FIDO reset capability. In fact, a FIDO reset will reset both applications (to manage these applications, see Troubleshooting and Tools).

Using the YubiKey Bio

To just start using the keys in the YubiKey Bio Series without going into any details, refer to Yubico’s setup page, which functions as a quick start guide.

The current guide, however, gives:

Usage Notes

The YubiKey Bio implements biometrics as outlined in the CTAP 2.1 specification. The best user experiences are provided by the YubiKey Bio with client applications and browsers that also implement CTAP 2.1. Applications and browsers that implement CTAP 1 or CTAP 2.0 will also work with the YubiKey Bio; however, the UI on client devices will not be as intuitive, and there may be some limitations.

Interfaces and Applications

Interfaces

Like all other YubiKeys, the YubiKey Bio Series are USB 2.0 devices.

Note

Developers: The USB PID and iProduct string are 0x0402 and YubiKey FIDO respectively (see YubiKey USB ID Values).

Applications

All keys in the YubiKey Bio Series support WebAuthn sites and applications that support the FIDO2 and FIDO U2F protocols (for more information, see YubiKey Bio and FIDO2 and YubiKey Bio and FIDO U2F). FIDO2 (also sometimes referred to as WebAuthn) is the standard that enables the replacement of password-based authentication.

Each application can be enabled and disabled independently. Up to five fingerprints can be stored on a YubiKey Bio. For management, see Tools.

YubiKey 5 CSPN Series

Scope

The aim of this document is to describe how to configure and use the YubiKey 5 in a mode such that it is compliant with CSPN (“Certificat de Sécurité de Premier Niveau” [RD1]).

For each YubiKey application which will require specific configuration, there will be a short introduction, followed by the required settings to achieve the target, and finally, a technical description of the configuration itself.

References

Code   Document title                                                                Reference
[RD1]  Certification de sécurité de premier niveau des technologies de l’information  https://www.ssi.gouv.fr/administration/produits-certifies/cspn/
[RD2]  Certification Report BSI-DSZ-CC-0879-V4-2020                                   https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/CC/SmartCards_IC_Cryptolib/0879_0879V2_0879V3_0879V4.html
[RD3]  FIDO2: WebAuthn & CTAP                                                         https://fidoalliance.org/fido2/
[RD4]  NIST Special Publication 800-73 (PIV)                                          https://csrc.nist.gov/publications/detail/sp/800-73/4/final
[RD5]  RFC 4226, An HMAC-Based One-Time Password Algorithm                            https://tools.ietf.org/html/rfc4226
[RD6]  T/Key: Second-Factor Authentication From Secure Hash Chains                    https://arxiv.org/pdf/1708.08424.pdf
[RD7]  Universal 2nd Factor (U2F) Overview                                            https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html
[RD8]  W3C WebAuthn standard                                                          https://www.w3.org/TR/webauthn-2/
[RD9]  YubiKey CSPN security target                                                   https://www.ssi.gouv.fr/uploads/2021/09/anssi-cible-cspn-2021_18en.pdf

Acronyms

Acronym  Description
2FA      Two-Factor Authentication
AES      Advanced Encryption Standard
BSI      Bundesamt für Sicherheit in der Informationstechnik
CC       Common Criteria
CCID     Chip Card Interface Device
CSPN     Certificat de Sécurité de Premier Niveau
CTAP2    Client to Authenticator Protocol v2
DES      Data Encryption Standard
FIDO     Fast Identity Online
HMAC     Hash-Based Message Authentication Code
HOTP     HMAC-Based One Time Password
NIST     National Institute of Standards and Technology
OATH     Open AuTHentication
OTP      One Time Password
PBKDF2   Password Based Key Derivation Function 2
PIN      Personal Identification Number
PIV      Personal Identity Verification
PUK      PIN Unblocking Key
RFC      Request For Comments
SHA      Secure Hash Algorithm
TOTP     Time-Based One Time Password
U2F      Universal Second Factor
W3C      World Wide Web Consortium
