FIPS Version Changes and Requirements Comparison

The table highlights the changes between FIPS 140-3 Level 2, FIPS 140-2 Level 2, and FIPS 140-2 Level 1 requirements for each YubiKey function.

Each newer version and level of FIPS 140 includes the requirements of the previous version and level. Therefore each column lists only the requirements that differ from the column to its right. For example, FIPS 140-3 Level 2 includes the requirements of FIPS 140-2 Level 2 and FIPS 140-2 Level 1, and FIPS 140-2 Level 2 includes the requirements of FIPS 140-2 Level 1.

YubiKey Functions in FIPS

FIDO2
  FIPS 140-3 Level 2:
  - FIDO2 PIN required with minimum 8 characters.
  - alwaysUV permanently enabled.
  - U2F disabled on FIPS-capable devices. Use FIDO2 functions instead.
  - PIN Protocol v2 required over NFC.
  - Requires application be in FIPS Approved Mode to create credentials.
  FIPS 140-2 Level 2:
  - Set a PIN.
  - Set Credential Protection to level 2 for all discoverable credentials.
  - Credential Registration is not allowed over NFC.
  FIPS 140-2 Level 1:
  - No additional requirements.

OATH
  FIPS 140-3 Level 2:
  - Access code required with minimum 14 bytes.
  - Configuration over NFC requires that SET CODE and PUT commands go through a secure channel (SCP03 or SCP11).
  - Requires application be in FIPS Approved Mode to create credentials.
  FIPS 140-2 Level 2:
  - Set the Management key.
  - When setting the Management key over USB or NFC, use a secure channel.
  - When writing a credential over USB or NFC, use a secure channel.
  FIPS 140-2 Level 1:
  - If writing a credential over NFC, use a secure channel.

OpenPGP
  FIPS 140-3 Level 2:
  - User PIN, Admin PIN, and Reset Code (if set) must be a minimum of 8 characters.
  - RSA decryption, X25519 and SECP256k1 are blocked.
  - All operations over NFC must go through a secure channel (SCP03 or SCP11).
  - Requires application be in FIPS Approved Mode to create credentials.
  FIPS 140-2 Level 2:
  - No additional requirements.
  FIPS 140-2 Level 1:
  - No additional requirements.

OTP (Touch-Triggered)
  FIPS 140-3 Level 2:
  - Not validated for FIPS 140-3.
  FIPS 140-2 Level 2:
  - Set Access code for both OTP slots.
  - If updating a configuration of either OTP slot or the NDEF behavior, use a secure channel.
  FIPS 140-2 Level 1:
  - If writing a configuration to a slot over NFC, use a secure channel.

PIV
  FIPS 140-3 Level 2:
  - Requires changing default PIN and PUK to 8 character minimum.
  - Requires changing Management Key to an AES key.
  - RSA1024, TDES (3DES), and X25519 are blocked.
  - Cannot set the Management Key to TDES.
  - All operations over NFC must go through a secure channel (SCP03 or SCP11).
  - Requires application be in FIPS Approved Mode to create credentials.
  FIPS 140-2 Level 2:
  - Change Management key, PIN, PUK from default values.
  - For any operation with the PIV function over NFC, use a secure channel.
  FIPS 140-2 Level 1:
  - If importing a key or setting the management key, use a secure channel.

Secure Domain Channel
  FIPS 140-3 Level 2:
  - SCP03 and SCP11.
  - Requires changing default key set.
  - USB restriction: Until the application is in FIPS Approved Mode, the default key set can only be used to establish a secure channel with the Security Domain itself, only for the purpose of loading a new key set, and this operation must be performed exclusively over USB.
  FIPS 140-2 Level 2:
  - SCP03 only.
  - Requires changing default key set.
  FIPS 140-2 Level 1:
  - SCP03 only.
  - Requires changing default key set.

U2F
  FIPS 140-3 Level 2:
  - U2F disabled on FIPS-capable devices.
  FIPS 140-2 Level 2:
  - Must not be used.
  - Recommendation: Disable and use the FIDO2 function instead.
  FIPS 140-2 Level 1:
  - No additional requirements.

YubiHSM Auth
  FIPS 140-3 Level 2:
  - Requires changing default admin code.
  - All operations over NFC must go through a secure channel (SCP03 or SCP11).
  - Requires application be in FIPS Approved Mode to create credentials.
  FIPS 140-2 Level 2:
  - No additional requirements.
  FIPS 140-2 Level 1:
  - No additional requirements.