FIDO Configuration with FIPS

The YubiKey 5 FIPS Series supports FIDO U2F and FIDO2 WebAuthn.

FIDO2 (WebAuthn)

Like FIDO U2F, the FIDO2 standard offers the same high level of security, as it is based on public key cryptography. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey enables storing resident credentials. Resident credentials can hold the username and other data, which enables truly passwordless authentication. Keys in the YubiKey 5 FIPS Series can hold up to 25 resident keys.

See Locking FIDO2 Credentials.

FIDO2 (WebAuthn) FIPS-approved Mode

For the YubiKey WebAuthn application to be in a FIPS approved mode of operation, set a WebAuthn PIN. By default, no WebAuthn PIN is set.

To set or change the WebAuthn PIN, use the ykman CLI with the following command:

ykman fido access change-pin -n<PIN>

where <PIN> is the WebAuthn PIN to be set. See Credentials and Permitted Values for PIN requirements.

FIDO U2F

FIDO U2F is an open standard that provides strong, phishing-resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.

U2F with FIPS 140-2 Level 2

The YubiKey 5 U2F FIPS application cannot be used in FIPS 140-2 Level 2 mode. Instead of the U2F functionality, use the FIDO WebAuthn application. FIPS-certified services should not call the U2F functionality; nonetheless, disable the U2F function on the YubiKey to ensure it is not used.

To disable U2F over USB and NFC, use the commands:

ykman config usb -dU2F
ykman config nfc -dU2F

To ensure users cannot enable U2F, secure access to it with a management lock code. To set this code, use the command:

ykman config set-lock-code -n<lock code>

where <lock code> is a 16 byte (32 character) hex value.

Note

The lock code prevents anyone without it from changing the functions that are accessible over NFC or USB. The lock code cannot be recovered if lost. Losing the lock code makes the YubiKey permanently inaccessible.
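The following script is an added example, not Yubico's own tooling. It carries out the three steps above (set the WebAuthn PIN, disable U2F over USB and NFC, set a lock code) in one run, generates a 16-byte lock code from /dev/urandom, and checks the code is 32 hex characters before handing it to ykman. It assumes ykman is on PATH; the -f flag is ykman's non-interactive confirmation, and DRY_RUN is this script's own switch for printing the commands instead of running them.

```shell
#!/bin/sh
# Added example: put a YubiKey 5 FIPS FIDO application into FIPS-approved mode.
# Assumes ykman on PATH. DRY_RUN=1 prints each ykman command instead of running it.
set -eu
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Produce a 16-byte lock code as 32 lowercase hex characters.
generate_lock_code() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Return 0 only for exactly 32 hex characters (the set-lock-code format).
is_valid_lock_code() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# Apply the FIPS-mode configuration: PIN first, then disable U2F, then lock.
configure_fips_fido() {
  pin="$1"
  lock_code="$2"
  is_valid_lock_code "$lock_code" || {
    echo "lock code must be a 16 byte (32 hex character) value" >&2
    return 1
  }
  # 1. FIPS-approved mode requires a WebAuthn PIN (none is set by default).
  run ykman fido access change-pin -n "$pin"
  # 2. U2F is not usable in FIPS 140-2 Level 2 mode; remove it from both interfaces.
  run ykman config usb -f -d U2F
  run ykman config nfc -f -d U2F
  # 3. Lock the interface configuration so U2F cannot be re-enabled without the code.
  run ykman config set-lock-code -f -n "$lock_code"
  # Show the resulting state; U2F should no longer be listed as enabled.
  run ykman info
}

# Usage: sh fips-fido.sh apply <new WebAuthn PIN>
if [ "${1:-}" = "apply" ]; then
  LOCK_CODE="$(generate_lock_code)"
  echo "Record this lock code now; it cannot be recovered later: $LOCK_CODE"
  configure_fips_fido "$2" "$LOCK_CODE"
fi
```

Store the printed lock code in a password manager or escrow before running with a real key, since a lost code leaves the interface configuration permanently locked.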