Deploying the YubiKey 5 FIPS Series
The YubiKey 5 FIPS Series keys are certified under FIPS 140-2 Level 1 and FIPS 140-2 Level 2. Keys in this series have two certificates, each corresponding to a different level of certification, but both certificates apply to the same keys. The YubiKey chipset is certified at FIPS 140-2 Physical Security Level 3, which provides both tamper-evidence and tamper-resistance. In turn, this means the YubiKey 5 FIPS Series keys can be used in an Overall Security Level 1 or Level 2 environment without issue. Depending on which certification the YubiKey 5 FIPS Series is being deployed under, there are different requirements for securing the various functions. To review the differences between the considerations and requirements for a FIPS 140-2 Level 1 authenticator and those for a FIPS 140-2 Level 2 authenticator, see FIPS 140-2 Level 2 Changes and Configuration.
NIST SP 800-63-B provides guidance on the level required for your deployment.
In cases where only Level 1 is required, the end-user experience with a YubiKey 5 FIPS Series is similar to that of a user with a key from the YubiKey 5 Series. The user experience with YubiKey 5 FIPS Series deployed under FIPS 140-2 Level 2 is more complicated.
NIST classified the YubiKey 5 Series FIPS as “composite authenticators”. As such, no device in this series can be taken out of the FIPS-approved mode after initialization without zeroing the function. This means that once the YubiKey is correctly configured, it remains in that configuration, which renders the --check-fips command unnecessary. If the crypto officer ensures that the YubiKey 5 Series FIPS devices are correctly configured at initialization, they remain in FIPS-approved mode.