FIPS 140-3 Changes

The YubiKey 5 FIPS Series based on the 5.7.x firmware has a number of changes for FIPS 140-3. The most notable of these changes is that the FIPS-specific requirements are now enforced by the YubiKey.

Important

YubiKeys are shipped with FIPS approved mode OFF. The protocols and applications listed for FIPS 140-3 cannot create credentials until the YubiKeys are put in FIPS approved mode. See Initializing the Approved Mode.

High-Level FIPS 140-3 Changes to YubiKey

  • Hardware-Enforced Compliance: The most notable change in FIPS 140-3 is that FIPS-specific requirements are now strictly enforced by the YubiKey itself.
  • No Pre-Validation Credential Creation: The device explicitly refuses to create credentials across any application until it is securely configured and in FIPS Approved Mode.
  • Stricter PIN Requirements: FIDO2, PIV, and OpenPGP now strictly enforce an 8-character minimum PIN length. PIN complexity is enabled by default to adhere to NIST SP800-63b guidelines.
  • Larger Key Sizes: To meet enterprise and Department of Defense (DoD) demands, the YubiKey supports larger key sizes to provide superior protection until Post-Quantum Cryptography matures.

For FIPS 140-3 configuration changes and additional FIPS Approved Mode information, see FIPS 140-3 Configuration.

FIDO2 Changes for FIPS 140-3

  • Requires a FIDO2 PIN of at least 8 characters.
  • Always Require User Verification (UV), alwaysUV, is permanently enabled and strictly enforced for operations.
  • U2F functionality is disabled on FIPS-capable devices under the 140-3 standard. Use FIDO2 functions instead.
  • PIN Protocol v2 must be used over NFC.
  • Requires that the application be in FIPS Approved Mode to create credentials. The device refuses to create credentials until it is in FIPS Approved Mode.

FIPS Approved Mode

Putting a FIDO2 application in FIPS Approved Mode requires that you:

  • Set the FIDO2 PIN to a value of at least 8 characters.

OATH Changes for FIPS 140-3

  • Requires an access code of at least 14 bytes.
  • Executing SET CODE and PUT commands over NFC requires a secure channel (SCP03 or SCP11).
  • Requires that the application be in FIPS Approved Mode to create credentials. The device refuses to create credentials until it is in FIPS Approved Mode.

FIPS Approved Mode

Putting an OATH application in FIPS Approved Mode requires that you:

  • Set the access code to a value of at least 14 bytes.

OpenPGP Changes for FIPS 140-3

  • Requires changing the default User PIN, Admin PIN, and Reset Code (if set) to a minimum of 8 characters. Changing the User PIN, Admin PIN, or Reset Code to a value shorter than 8 characters is blocked.
  • RSA decryption, X25519, and SECP256k1 are blocked.
  • Requires that all operations over NFC go through a secure channel (SCP03 or SCP11).
  • Requires that the application be in FIPS Approved Mode to create credentials. The device refuses to create credentials until it is in FIPS Approved Mode.

FIPS Approved Mode

Putting an OpenPGP application in FIPS Approved Mode requires that you:

  • Change the default User PIN to a value of at least 8 characters.
  • Change the default Admin PIN to a value of at least 8 characters.
  • If the Reset Code is set, ensure that it has at least 8 characters.

PIV Changes for FIPS 140-3

  • Requires changing the default PIN and PUK to 8-character values. Requires changing the Management Key to an AES key.
  • RSA1024, TDES (3DES), and X25519 are blocked algorithms. Cannot set the Management Key to TDES.
  • Requires that all operations performed over NFC go through a secure channel (SCP03 or SCP11).
  • Requires that the application be in FIPS Approved Mode to create credentials. The device refuses to create credentials until it is in FIPS Approved Mode.

FIPS Approved Mode

Putting a PIV application in FIPS Approved Mode requires that you:

  • Change the default PIN to an 8-character value.
  • Change the default PUK to an 8-character value and keep it.
  • Change the default Management Key to an AES key.

Security Domain (SCP03 and SCP11) Changes for FIPS 140-3

  • Requires changing the default key set.

  • Requires that the application be in FIPS Approved Mode to create credentials.

    Until the application is in FIPS Approved Mode, the default key set can only be used to establish a secure channel with the Security Domain itself and only for the purpose of loading a new key set. This operation must be performed over USB.

FIPS Approved Mode

Putting a Security Domain application in FIPS Approved Mode requires that you:

  • Change the default key set.

YubiHSM Auth Changes for FIPS 140-3

  • Requires changing the default admin code.
  • Requires that all operations performed over NFC go through a secure channel (SCP03 or SCP11).
  • Requires that the application be in FIPS Approved Mode to create credentials. The device refuses to create credentials until it is in FIPS Approved Mode.

FIPS Approved Mode

Putting a YubiHSM Auth application in FIPS Approved Mode requires that you:

  • Change the default admin code.
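
The per-application prerequisites and blocked algorithms listed in the sections above, collected into one pre-provisioning check that an administrator could run against a deployment plan before touching any keys. This is an added example, not Yubico code: the function, the dictionary field names and the sample plan are assumptions made for illustration, and the check only inspects a description of the planned state, it does not talk to a device.

```python
# Added example: inspects lengths and flags only, never the secrets themselves.
PIV_BLOCKED = {"RSA1024", "TDES", "X25519"}    # PIV section of this page
OPENPGP_BLOCKED = {"X25519", "SECP256K1"}      # OpenPGP section (key types)

def fips_plan_gaps(plan):
    """Return {application: [unmet prerequisites or blocked algorithms]}."""
    gaps = {app: [] for app in plan}
    def need(app, ok, msg):
        if not ok:
            gaps[app].append(msg)
    for app, s in plan.items():
        if app == "fido2":
            need(app, s.get("pin_len", 0) >= 8, "PIN unset or under 8 characters")
        elif app == "oath":
            need(app, s.get("access_code_bytes", 0) >= 14, "access code unset or under 14 bytes")
        elif app == "openpgp":
            for who in ("user_pin", "admin_pin"):
                ok = s.get(who + "_changed", False) and s.get(who + "_len", 0) >= 8
                need(app, ok, who + " still default or under 8 characters")
            rc = s.get("reset_code_len")       # None means no Reset Code is set
            need(app, rc is None or rc >= 8, "Reset Code under 8 characters")
            bad = {k.upper() for k in s.get("key_algs", [])} & OPENPGP_BLOCKED
            need(app, not bad, "blocked key types: " + ", ".join(sorted(bad)))
        elif app == "piv":
            for who in ("pin", "puk"):         # the page asks for 8-character values
                ok = s.get(who + "_changed", False) and s.get(who + "_len", 0) == 8
                need(app, ok, who.upper() + " still default or not 8 characters")
            mk = s.get("mgmt_key_alg", "").upper()
            need(app, s.get("mgmt_key_changed", False) and mk.startswith("AES"),
                 "Management Key still default or not AES")
            bad = {k.upper() for k in s.get("key_algs", [])} & PIV_BLOCKED
            need(app, not bad, "blocked algorithms: " + ", ".join(sorted(bad)))
        elif app == "security_domain":
            need(app, s.get("default_keys_replaced", False), "default key set in use")
        elif app == "hsmauth":
            need(app, s.get("admin_code_changed", False), "default admin code in use")
        else:
            raise ValueError("unknown application: " + app)
    return gaps

# Constructed sample plan, not taken from a real device.
SAMPLE_PLAN = {
    "fido2": {"pin_len": 8},
    "oath": {"access_code_bytes": 12},
    "piv": {"pin_changed": True, "pin_len": 8, "puk_changed": True,
            "puk_len": 8, "mgmt_key_changed": True, "mgmt_key_alg": "AES256",
            "key_algs": ["ECCP384", "RSA1024"]},
    "openpgp": {"user_pin_changed": True, "user_pin_len": 8,
                "admin_pin_changed": False, "admin_pin_len": 8},
}
```

An empty list for an application means the plan meets every prerequisite this page lists for it; the device itself remains the enforcement point.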