YubiKey 5 FIPS Series Features
NIST classifies the YubiKey 5 Series FIPS as "composite authenticators". As such, no device in the series can be taken out of FIPS-approved mode after initialization without zeroizing the affected function. Once a YubiKey is correctly configured it therefore stays in that configuration: as long as the crypto officer ensures that the YubiKey 5 Series FIPS devices are correctly configured at initialization, they remain in FIPS-approved mode. See Deploying the YubiKey 5 FIPS Series.
Initialization differs depending on the FIPS version you are using; each version requires more stringent initialization than the previous one. See FIPS 140-3 Changes, YubiKey 5 FIPS Series 140-2 Level 2 Changes and Configuration, or FIPS 140-2 Level 1 Configuration.
NIST Version Certification
The YubiKey 5 cryptographic module is certified per firmware version:
- YubiKey 5 FIPS Series firmware version 5.7.4 is certified as an authenticator under FIPS 140-3, Level 2.
- YubiKey 5 FIPS Series hardware with 5.4.3 and 5.4.2 firmware is certified as an authenticator under FIPS 140-2, both Level 1 and Level 2 (Physical Security Level 3).
The YubiKey 5 FIPS Series meets Authenticator Assurance Level 3 (AAL3), the highest level defined in NIST SP 800-63B.
Note
- Effective May 22, 2026, YubiKey 5 FIPS Series firmware 5.7.4 is NIST certified for FIPS 140-3.
- Effective May 2026, the NIST FIPS 140-2 certification for YubiKey 5 FIPS Series firmware 5.4.x moved to the Sunset List.
- Effective September 22, 2026, all NIST FIPS 140-2 certifications will be moved to the Historical List.
Per NIST document FIPS 140-3 Transition Effort, YubiKey 5 FIPS Series certification is affected as follows:
- Existing deployments - No change. Authenticators certified under FIPS 140-2 can continue to be used in existing deployments after sunset.
- New deployments - FIPS 140-2 is being replaced by FIPS 140-3. New submissions must fulfill the FIPS 140-3 requirements. Authenticators deployed in new environments must have a valid certificate that is not expired. Auditors typically recommend that authenticators certified under FIPS 140-2 are not used in new deployments.
Supported Cryptographic Module Major Functions
The following table lists the FIPS cryptographic module functions and protocols supported by each YubiKey 5 FIPS Series firmware version, with the FIPS revision under which each is certified. An empty cell means the function is not certified on that firmware.
| Function | 5.7.4 | 5.4.3 | 5.4.2 |
|---|---|---|---|
| FIDO Universal 2nd Factor (U2F) (1) | | | |
| FIDO2 WebAuthn | 140-3 | 140-2 | 140-2 |
| OATH OTP authentication (2) | 140-3 | 140-2 | 140-2 |
| One Time Password (Yubico OTP) (2) | | 140-2 | 140-2 |
| OpenPGP (version 3.4) | 140-3 | 140-2 | |
| PIV-compatible smart card | 140-3 | 140-2 | 140-2 |
| SCP03 | 140-3 | 140-2 | 140-2 |
| SCP11 | 140-3 | | |
| YubiHSM Auth | 140-3 | 140-2 | |
Note
- (1) Do not use U2F with FIPS; use FIDO2 instead. U2F is disabled on FIPS 140-3 keys. Be sure to disable U2F on FIPS 140-2 keys. See U2F with FIPS.
- (2) Yubico OTP is labeled, enabled, and usable on FIPS 140-3 devices, but it is not FIPS certified.
FIPS Form Factors
Form factor is set during manufacturing and returned as a one-byte value. The currently defined values are listed in the Form Factor table below:
| Form Factor | YubiKey Value | Security Key Value, FW 5.4+ | FIPS YubiKey Value, FW 5.4+ |
|---|---|---|---|
| UNDEFINED | 0x00 | N/A | N/A |
| NFC and USB-A * | 0x01 | 0x41 | 0x81 |
| Nano USB-A | 0x02 | N/A | 0x82 |
| NFC and USB-C * | 0x03 | 0x43 | 0x83 |
| Nano USB-C | 0x04 | N/A | 0x84 |
| Lightning and USB-C * | 0x05 | N/A | 0x85 |
* Form factors also have space for adding to a keychain. See YubiKey 5 FIPS Series.
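A small decoder for the form factor byte, added here as an example (it is not Yubico's code). It assumes the encoding the table implies: the low nibble carries the physical form factor (0x01 to 0x05), bit 0x40 marks a Security Key variant and bit 0x80 marks a FIPS YubiKey (0x01 becomes 0x41 and 0x81, and so on). Combinations the table marks N/A are rejected rather than guessed, so the same function can sanity-check inventory data before FIPS-specific provisioning is applied to a device.

```python
"""Decode the one-byte YubiKey form factor value from the table above.

Added example, not Yubico's own code.  The flag-bit layout (0x40 = Security
Key, 0x80 = FIPS, low nibble = physical form factor) is inferred from the
table values and is an assumption of this example.
"""
from dataclasses import dataclass

# Physical form factors (low nibble of the value), from the table.
FORM_FACTOR_NAMES = {
    0x00: "UNDEFINED",
    0x01: "NFC and USB-A",
    0x02: "Nano USB-A",
    0x03: "NFC and USB-C",
    0x04: "Nano USB-C",
    0x05: "Lightning and USB-C",
}

SECURITY_KEY_FLAG = 0x40  # assumed flag bit; matches 0x41 and 0x43 in the table
FIPS_FLAG = 0x80          # assumed flag bit; matches 0x81..0x85 in the table
FORM_FACTOR_MASK = 0x0F

# Variants the table actually defines; every other combination is N/A.
SECURITY_KEY_FORM_FACTORS = {0x01, 0x03}
FIPS_FORM_FACTORS = {0x01, 0x02, 0x03, 0x04, 0x05}


@dataclass(frozen=True)
class FormFactorInfo:
    value: int
    name: str
    is_security_key: bool
    is_fips: bool


def decode_form_factor(value: int) -> FormFactorInfo:
    """Decode a form factor byte; raise ValueError for values the table does not define."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"form factor must be a single byte, got {value:#x}")
    known_bits = FORM_FACTOR_MASK | SECURITY_KEY_FLAG | FIPS_FLAG
    if value & ~known_bits & 0xFF:
        raise ValueError(f"unknown bits set in form factor {value:#04x}")
    base = value & FORM_FACTOR_MASK
    if base not in FORM_FACTOR_NAMES:
        raise ValueError(f"undefined physical form factor {base:#04x}")
    is_sky = bool(value & SECURITY_KEY_FLAG)
    is_fips = bool(value & FIPS_FLAG)
    if is_sky and is_fips:
        raise ValueError(f"{value:#04x} claims both Security Key and FIPS; no such variant is defined")
    if is_sky and base not in SECURITY_KEY_FORM_FACTORS:
        raise ValueError(f"no Security Key variant of {FORM_FACTOR_NAMES[base]} (N/A in the table)")
    if is_fips and base not in FIPS_FORM_FACTORS:
        raise ValueError(f"no FIPS variant of {FORM_FACTOR_NAMES[base]} (N/A in the table)")
    return FormFactorInfo(value, FORM_FACTOR_NAMES[base], is_sky, is_fips)


def is_defined_form_factor(value: int) -> bool:
    """True when the value appears in the table in a column other than N/A."""
    try:
        decode_form_factor(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inventory sample: form factor bytes as an asset database might
    # record them.  0x42 is deliberately invalid (Nano USB-A has no Security Key variant).
    for raw in (0x01, 0x41, 0x81, 0x85, 0x42):
        try:
            info = decode_form_factor(raw)
            kind = "FIPS YubiKey" if info.is_fips else "Security Key" if info.is_security_key else "YubiKey"
            print(f"{raw:#04x}: {kind}, {info.name}")
        except ValueError as exc:
            print(f"{raw:#04x}: rejected ({exc})")
```

Rejecting undefined combinations instead of silently decoding them matters when the FIPS flag drives which initialization procedure a provisioning script applies: a corrupted or hand-entered value should stop the run, not select the wrong procedure.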
Credentials and Permitted Values
For FIPS 140-3 Level 2 and FIPS 140-2 Level 2, the table below lists the credentials required, allowed values, and credential owner for the supported applications.
| Application | Credential | Credential Owner | Permitted Values FIPS 140-3 | Permitted Values FIPS 140-2 |
|---|---|---|---|---|
| OATH | Authentication Key | Crypto Officer | 14-64 byte HMAC SHA1, SHA256 key | 14-64 byte HMAC SHA1, SHA256 key |
| One Time Password (OTP) | OTP Slot 1, OTP Slot 2 | Crypto Officer | 6 byte access codes | 6 byte access codes |
| OpenPGP | User Password (PW1) | Authenticated User | 8-127 byte PIN | 6-127 byte PIN |
| OpenPGP | Admin Password (PW3) | Crypto Officer | 8-127 byte PIN | 6-127 byte PIN |
| PIV Smart Card | Management Key | Crypto Officer | AES-128, AES-192, AES-256 | 3-key TDES, AES-128, AES-192, AES-256 key |
| PIV Smart Card | PUK | Authenticated User | 8 byte PIN | 6-8 byte PIN |
| PIV Smart Card | PIN | Authenticated User | 8 byte PIN | 6-8 byte PIN |
| WebAuthn | PIN | Authenticated User | 8-63 byte PIN | 6-32 byte PIN |
The instructions for the individual applications are provided in the following topics:
- FIDO Configuration with FIPS (WebAuthn)
- OTP Configuration with FIPS
- OATH Configuration with FIPS
- OpenPGP
- PIV Configuration with FIPS
For more information on secure channel requirements from NIST, see NIST Special Publication 800-63-C and NIST Special Publication 800-63B.