FIPS 140-2 Level 2 Changes and Configuration
The YubiKey 5 FIPS Series is certified in two modes of operation:
- A configuration that meets the requirements for FIPS Level 1
- A more restricted configuration that meets the requirements for FIPS Level 2
The FIPS Level 2 configuration renders keys in the YubiKey 5 FIPS Series capable of being a component in a framework meeting the highest levels of authentication assurance. However, not every deployment requires this level of security. In cases where a FIPS-certified device is required, but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used. This provides a user experience like the standard YubiKey 5 Series user experience.
FIPS 140-2 Initialization Comparison: Level 1 vs Level 2
The FIPS Level 2 requirements include all of those for Level 1. Therefore the FIPS Level 2 column in the table below lists only the differences.
| YubiKey Function | FIPS Level 1 | FIPS Level 2 |
|---|---|---|
| FIDO2 | No additional requirements | Set a PIN. Set Credential Protection to level 2 for all discoverable credentials. Credential Registration is not allowed over NFC. |
| OATH | If writing a credential over NFC, use a secure channel. | Set the Management key. When setting the Management key over USB or NFC, use a secure channel. When writing a credential over USB or NFC, use a secure channel. |
| OTP Touch-Triggered | If writing a configuration to a slot over NFC, use a secure channel. | Set Access code for both OTP slots. If updating a configuration of either OTP slot or the NDEF behavior, use a secure channel. |
| PIV | If importing a key or setting the management key, use a secure channel. | Change Management key, PIN and PUK from default values. For any operation with the PIV function over NFC, use a secure channel. |
| Secure Channel | Change the transport keys from their default values. | No additional requirements |
| U2F | No additional requirements | Must not be used. Recommendation: Disable and use the FIDO2 function instead. |
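The requirements in the table above can be checked mechanically during an initialization and delivery process. The following is an added example, not Yubico code: it audits one key's end state and its provisioning log against the Level 2 column (which includes Level 1). The state record, the operation names and the log tuple format are all hypothetical and would have to be filled in from your own provisioning tooling.

```python
# Added example: record and log formats are hypothetical, not ykman output.
# Operations that need a secure channel on any transport (USB or NFC).
SCP_ALWAYS = {
    "OATH": {"set_management_key", "write_credential"},
    "OTP": {"update_slot", "update_ndef"},
    "PIV": {"import_key", "set_management_key"},
}

def audit_state(state):
    """Return Level 2 findings for credentials that must be set or changed."""
    checks = [
        (state["fido2_pin_set"], "FIDO2: PIN not set"),
        (all(lvl == 2 for lvl in state["fido2_cred_protect"]),
         "FIDO2: discoverable credential not at Credential Protection level 2"),
        (state["oath_management_key_set"], "OATH: Management key not set"),
        (all(state["otp_access_code_set"].get(s) for s in (1, 2)),
         "OTP: Access code missing on a slot"),
        (not state["piv_defaults"], "PIV: Management key, PIN or PUK still default"),
        (not state["scp_default_transport_keys"],
         "Secure Channel: default transport keys in use"),
        (not state["u2f_enabled"], "U2F: enabled"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit_operations(ops):
    """Return findings for logged (app, op, transport, secure_channel) tuples."""
    findings = []
    for app, op, transport, scp in ops:
        if app == "U2F":
            findings.append(f"U2F: {op} used")
        elif app == "FIDO2" and op == "register" and transport == "NFC":
            findings.append("FIDO2: registration over NFC")
        elif not scp and (op in SCP_ALWAYS.get(app, ())
                          or (app == "PIV" and transport == "NFC")):
            findings.append(f"{app}: {op} over {transport} without secure channel")
    return findings

# Constructed sample: one key's end state and its provisioning log.
SAMPLE_STATE = {
    "fido2_pin_set": True, "fido2_cred_protect": [2, 1],
    "oath_management_key_set": True, "u2f_enabled": False,
    "otp_access_code_set": {1: True, 2: False},
    "piv_defaults": {"PUK"}, "scp_default_transport_keys": False,
}
SAMPLE_OPS = [
    ("PIV", "import_key", "USB", True), ("PIV", "sign", "NFC", False),
    ("OATH", "write_credential", "USB", False),
    ("FIDO2", "register", "NFC", True), ("OTP", "update_slot", "NFC", True),
]
```

An empty result from both functions means the record shows no deviation from the table; it does not replace the security auditor's review.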
FIPS 140-2 Level 2 Configuration
Security Level 2 includes all of the requirements for FIPS Level 1, but further enforces enhanced physical security mechanisms and a separation of functions with regard to role-based authentication. Security Level 2 allows an authenticator to be used on a general purpose computing system with an operating system that has been evaluated at EAL2 with role-based access control mechanisms and comprehensive auditing.
The role-based authentication minimum requirement is that a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services. A Security Officer role is required for services such as importing or generating new credentials or programming new OTP secrets on a YubiKey. The User role covers the actual usage of programmed credentials for authentication. The Crypto Officer role is that of “a cryptographic officer [who] is authorized to perform cryptographic initialization and management functions on a CKMS [Cryptographic Key Management System] and its cryptographic modules.” (Quote taken from SP 800-130 (DOI).)
To act in an Overall Security Level 2 environment, a YubiKey must be configured in a FIPS-approved mode of operation or receive an exemption from the security auditor.
Note
Loading key data over NFC requires a secure channel. For more information on Secure Channel (SCP03) in connection with YubiKeys, see Yubico Secure Channel Technical Description. For more information on SCP03 requirements from NIST, see NIST Special Publication 800-63C and NIST Special Publication 800-63B.
For a YubiKey 5 FIPS Series key to operate in FIPS-approved mode as a FIPS 140-2 Level 2 authenticator in a FIPS environment, all of its applications must be in a FIPS-approved operation mode.
By default, not all of the applications on the YubiKey 5 FIPS Series are in FIPS operation mode. Before deploying the YubiKey 5 FIPS Series in a secured environment to end-users, the person with the crypto officer role must define and supervise an initialization and delivery process that ensures that each application on the YubiKey 5 FIPS Series is in a FIPS-approved operation mode.
Every function of the YubiKey must require permissions defined by a role. In practice, this is accomplished by setting the access codes, management keys, passwords, PINs, etc. for every function on the YubiKey.
To ensure that each application is in a FIPS-approved mode of operation, use the ykman CLI. Install the most recent version of ykman (see ykman releases), because the YubiKey Manager GUI includes an older version of the ykman CLI.
- Download and install the latest version of YubiKey Manager (ykman) from ykman Releases. For GUI access, we recommend you use the Yubico Authenticator. The YubiKey Manager GUI is end of life.
- YubiKey Manager (ykman) CLI Guide
- OTP, OATH and WebAuthn: To be in a FIPS-approved mode, the OTP, OATH and FIDO2 (WebAuthn) applications must have their respective credentials set.
- PIV: The PIV application has its credentials set to default values, and is therefore already in a FIPS-approved mode.
- U2F: Using U2F is not allowed when the YubiKey 5 FIPS Series is deployed as a 140-2 Level 2 authenticator.
Note
It is highly recommended that all the credentials across all the applications be changed from the default values before the YubiKey 5 FIPS Series device is deployed to the end user, even if FIPS 140-2 Level 2 does not explicitly require it.