OATH Configuration with FIPS

The YubiKey 5 FIPS OATH application can store up to 32 OATH credentials, either OATH-TOTP (time-based) or OATH-HOTP (counter-based), as defined in the OATH specification. These credentials are separate from those stored in the OTP application. They can only be accessed through the CCID channel.

When an OATH-HOTP credential is programmed, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey automatically types the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the openauthentication.org Token Identifier Specification.
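As an added illustration of the OTP computation described above (example code, not Yubico's or the YubiKey firmware's own), this implements the RFC 4226 HOTP algorithm and its OATH-TOTP variant, checked against the published RFC 4226 and RFC 6238 SHA-1 test vectors, plus the optional Token Identifier prefix. The token identifier value used is a constructed placeholder, not a real Yubico-assigned identifier.

```python
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    # Left-pad with zeros so short values keep the configured length.
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """OATH-TOTP (RFC 6238): HOTP with the counter replaced by the number of
    time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def with_token_id(token_id: str, otp: str) -> str:
    """Prefix the OTP with a 12-character OATH Token Identifier
    (2-char manufacturer prefix, 2-char token type, 8-char unique ID)."""
    if len(token_id) != 12 or not token_id.isalnum():
        raise ValueError("Token Identifier must be 12 alphanumeric characters")
    return token_id + otp


if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(RFC4226_SECRET, counter))
    # "ub00constr01" is a constructed placeholder identifier.
    print(with_token_id("ub00constr01", hotp(RFC4226_SECRET, 0)))
```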

Managing the OATH credentials and reading the OTPs generated by the YubiKey requires the Yubico Authenticator, which is supported on Windows, Linux, macOS, Android and iOS.

OATH FIPS-approved Mode with FIPS 140-2 Level 2

For the application to be in FIPS-approved mode, an Authentication Key that protects access to the YubiKey 5 FIPS Series OATH application must be set. For the permitted values for the following operation, see Credentials and Permitted Values.

The crypto officer sets the Authentication Key using the ykman CLI with the command:

ykman oath access change -n <Authentication Key>

where <Authentication Key> is the Authentication Key to be set.