OTP Configuration with FIPS

The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot 1 during manufacturing.

  1. Trigger the YubiKey to produce the credential in the first slot by briefly touching the metal contact of the YubiKey.
  2. If a credential has been programmed to the second slot, trigger the YubiKey to produce it by touching the contact for 3 seconds.

Output is sent as a series of keystrokes from a virtual keyboard.

Yubico OTP

Yubico OTP is a strong authentication mechanism that is supported by all YubiKey 5 FIPS Series. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.

The OTP generated by the YubiKey has two parts: the first 12 characters are the public identity that a validation server uses to link the OTP to a user, and the remaining 32 characters are the unique passcode, which changes every time an OTP is generated.

The character representation of the Yubico OTP is designed to handle a variety of keyboard layouts. It is crucial that the same code is generated whether a YubiKey is inserted into a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. The Modified Hexadecimal (Modhex) coding was invented by Yubico to use only specific characters, so that the YubiKey works with the maximum number of keyboard layouts. USB keyboards send their keystrokes as “scan codes” rather than actual characters. The host device to which the YubiKey is connected translates the scan codes into keystrokes according to its own keyboard layout.
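As an added example (not code from the Yubico page), the following Python splits a 44-character Yubico OTP into its public identity and passcode and decodes each Modhex field into bytes; the OTP value it checks is a constructed sample, not real YubiKey output.

```python
"""Parse a Yubico OTP string into its public identity and passcode.

Added example; the sample OTP below is constructed, not from a real YubiKey.
"""

# Modhex digit i is written as MODHEX_ALPHABET[i]. The alphabet avoids
# characters whose position differs between QWERTY, QWERTZ and AZERTY.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_VALUE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

PUBLIC_ID_CHARS = 12  # first 12 characters identify the key to the server
PASSCODE_CHARS = 32   # remaining 32 characters: 16-byte encrypted token


def modhex_decode(text: str) -> bytes:
    """Decode Modhex (two characters per byte); reject non-Modhex input."""
    if len(text) % 2:
        raise ValueError("Modhex input must have an even number of characters")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if hi not in _MODHEX_VALUE or lo not in _MODHEX_VALUE:
            raise ValueError(f"non-Modhex character in {hi + lo!r}")
        out.append((_MODHEX_VALUE[hi] << 4) | _MODHEX_VALUE[lo])
    return bytes(out)


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode: two Modhex characters per byte."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def split_otp(otp: str) -> dict:
    """Split a typed OTP into public identity and passcode, both decoded.

    The passcode bytes are the AES-encrypted token; decrypting them needs the
    per-key AES secret held by the validation server, so they stay opaque here.
    """
    otp = otp.strip().lower()  # a Caps Lock host produces the same scan codes
    if len(otp) != PUBLIC_ID_CHARS + PASSCODE_CHARS:
        raise ValueError(f"expected {PUBLIC_ID_CHARS + PASSCODE_CHARS} chars, got {len(otp)}")
    public_id, passcode = otp[:PUBLIC_ID_CHARS], otp[PUBLIC_ID_CHARS:]
    return {
        "public_id": public_id,
        "public_id_bytes": modhex_decode(public_id),
        "passcode_bytes": modhex_decode(passcode),
    }


# Constructed sample: a 6-byte public identity followed by a 16-byte passcode.
SAMPLE_OTP = "cccccccccccb" + "dvglunclivkcnjtuuegkvtfttiluinie"
```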

OTP Deployment

The YubiKey 5 FIPS Series OTP application supports two independent OTP configurations, known as OTP slots. The OTP slots can be configured to output an OTP created with the Yubico OTP or OATH-HOTP algorithm, an HMAC-SHA1 hashed response to a provided challenge, or a static password. A short touch (1 to 3 seconds) on the gold contact triggers the output of OTP slot 1. A long touch (more than 3 seconds) triggers the output of OTP slot 2.

A 6-byte access code can be set on slot 1 and slot 2 independently. Once set, the OTP slot’s access code is required when modifying, overwriting, or deleting the configuration on the respective OTP slot. By default, the YubiKey is shipped without any access code.

OTP FIPS-approved Mode with FIPS 140-2 Level 2

Each OTP slot must be locked down with an access code for the YubiKey 5 FIPS Series OTP application to be in a FIPS-approved mode of operation. By default, no access code is set for either slot.

  • An access code must be applied to each OTP slot, either:
    • When writing a new configuration or
    • By updating an existing configuration in an OTP slot.
  • An access code cannot be applied to an empty OTP slot.
  • To secure an unused OTP slot, use a blank OTP configuration with an access code.
  • YubiKey 5 FIPS Series devices must either be deployed with
    • The OTP slots already set with an access code, or
    • An OTP application or service that configures the access code on both slots on enrollment.
  • The OTP slot access codes must be archived so that only the crypto officer can access them. Access codes are required when resetting the OTP application.

Set Access Codes

The crypto officer can set an access code on the OTP slots using ykman (see ykman releases).

To apply an access code to a configuration using the ykman CLI, include the flag --new-access-code=<access code> in the OTP configuration string. Use the command:

ykman otp settings --new-access-code=<access code> [OTP Slot]

where:

<access code> is the access code to be set.

For the characteristics of the access code, see Credentials and Permitted Values.

[OTP Slot] is either 1 or 2 corresponding to the OTP configuration being applied to OTP slot 1 or OTP slot 2.

For full details on setting an OTP configuration using the ykman CLI, see the ykman CLI and YubiKey Manager GUI Guide, OTP section.

To fill a blank OTP slot with a default configuration, use the command:

ykman otp chalresp --generate [OTP Slot]

where [OTP Slot] is either 1 or 2 corresponding to the OTP configuration being applied to OTP slot 1 or OTP slot 2.