OATH Configuration with FIPS
The YubiKey 5 FIPS OATH application can store up to 64 OATH credentials for FIPS 140-3 and 32 OATH credentials for FIPS 140-2, either OATH-TOTP (time-based) or OATH-HOTP (counter-based), as defined in the OATH specification. These credentials are separate from those stored in the OTP application. They can only be accessed through the CCID channel.
When an OATH-HOTP credential is programmed, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey automatically types the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the openauthentication.org Token Identifier Specification.
Managing the OATH credentials and reading the OTPs generated by the YubiKey requires the Yubico Authenticator, which is supported on Windows, Linux, macOS, Android and iOS.
See also: OATH.
OATH FIPS-approved Mode
OATH FIPS-approved mode is supported for both FIPS 140-3 and FIPS 140-2.
For the application to be in FIPS-approved mode, an Authentication Key that protects access to the YubiKey 5 FIPS Series OATH application must be set. For the permitted values for the following operation, see Credentials and Permitted Values.
The crypto officer can set the Authentication Key using the ykman CLI.
Download and install the latest version of YubiKey Manager (ykman) from ykman Releases.
Reference the YubiKey Manager (ykman) CLI Guide.
For GUI access, we recommend you use the Yubico Authenticator. The YubiKey Manager GUI is end of life.
To set an Authentication Key using the ykman CLI, use the command:
ykman oath access change -n <Authentication Key>
where <Authentication Key> is the Authentication Key to be set.