YubiKey 5 FIPS Series Specifics

YubiKey 5 FIPS Series offers strong authentication with support for multiple protocols, including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

The cryptographic functionality of the YubiKey 5 FIPS Series devices is powered by the YubiKey 5 cryptographic module, a single-chip cryptographic processor with a non-extractable key store that handles all of the cryptographic operations.

The YubiKey 5 FIPS Series cryptographic module is a multi-protocol security module designed to be embedded in USB security tokens. The module can generate, store, and perform cryptographic operations on sensitive data. It is accessed through an external touch button for Test of User Presence, in addition to a PIN for smart card authentication. The module implements the major functions listed below, depending on the firmware version on the YubiKey.

NIST classified the YubiKey 5 Series FIPS as “composite authenticators”. As such, no device in that series can be taken out of the FIPS-approved mode after initialization without zeroizing the function. This means that once the YubiKey is correctly configured, it remains in the correct configuration. This is what renders the --check-fips command unnecessary. As long as the crypto officer ensures that the YubiKey 5 Series FIPS devices are correctly configured at initialization, they remain in FIPS-approved mode.

NIST Version Certification

The YubiKey 5 cryptographic module is FIPS 140-2 certified at both Level 1 and Level 2 (Physical Security Level 3) and is in the certification process for FIPS 140-3.

Per the NIST document FIPS 140-3 Transition Effort, YubiKey 5 FIPS Series certification is affected as follows:

  • The YubiKey 5 FIPS Series hardware with the 5.4 firmware is certified as an authenticator under both FIPS 140-2 Level 1 and Level 2. It meets the highest authenticator assurance level, AAL3, of NIST SP 800-63B. To use security keys from the YubiKey 5 FIPS Series at Level 2, more stringent initialization is required than for Level 1. Guidance for Level 2 is detailed in FIPS 140-2 Level 2 Changes and Configuration. Guidance for Level 3 is set out in FIPS 140-3 Changes.

    Effective September 22, 2026, this certification will be moved to the Historical List.

  • FIPS 140-3 certification based on YubiKey 5 FIPS Series firmware version 5.7.4 is in the coordination phase. The YubiKey 5 FIPS Series is not yet FIPS 140-3 certified, but this firmware shares the cryptographic module major functions listed below.

YubiKey 5 Firmware Support for Cryptographic Module Major Functions

The following table lists the cryptographic module functions and, for each YubiKey 5 firmware version, the FIPS 140 revision (140-2 or 140-3) under which that function is covered.

Cryptographic Functions per Firmware Version

Function                        | Firmware 5.7.4 | Firmware 5.4.3 | Firmware 5.4.2
--------------------------------+----------------+----------------+---------------
FIDO Universal 2nd Factor (U2F) |                |                |
FIDO2 WebAuthn                  | 140-3          | 140-2          | 140-2
OATH OTP authentication         | 140-3          | 140-2          | 140-2
One Time Password (Yubico OTP)  | 140-3          | 140-2          | 140-2
OpenPGP (version 3.4)           | 140-3          | 140-2          |
PIV-compatible smart card       | 140-3          | 140-2          | 140-2
SCP03                           | 140-3          | 140-2          | 140-2
SCP11                           | 140-3          |                |
YubiHSM Auth                    | 140-3          | 140-2          |

FIDO Authenticator Supported Certifications

The certifications supported by a FIDO authenticator can be returned in the certifications member of an authenticatorGetInfo response, as set out in section 7.3.1, Authenticator Actions, of the Client to Authenticator Protocol (CTAP) Review Draft of March 09, 2021.

FIPS AAGUID and Form Factors

Form factor is set during manufacturing and returned as a one-byte value. Currently defined values for this are set out in the Form Factor table below:

Form Factor

Form Factor                    | YubiKey Value | Security Key Value, FW 5.4+ | FIPS YubiKey Value, FW 5.4+
-------------------------------+---------------+-----------------------------+----------------------------
UNDEFINED                      | 0x00          | N/A                         | N/A
Keychain, USB-A                | 0x01          | 0x41                        | 0x81
Nano, USB-A                    | 0x02          | N/A                         | 0x82
Keychain, USB-C                | 0x03          | 0x43                        | 0x83
Nano, USB-C                    | 0x04          | N/A                         | 0x84
Keychain with Lightning, USB-C | 0x05          | N/A                         | 0x85

Credentials and Permitted Values

The table below lists the credentials required, allowed values, and credential owner for the supported applications as of FIPS 140-2 Level 2.

Credentials Required and Allowed

Application             | Credential              | Permitted Values                | Credential Owner
------------------------+-------------------------+---------------------------------+-------------------
OATH                    | Authentication Key      | 14-64 byte HMAC SHA1/SHA256 key | Crypto Officer
One Time Password (OTP) | Access Code: OTP Slot 1 | 6 byte access codes             | Crypto Officer
                        | Access Code: OTP Slot 2 | 6 byte access codes             | Crypto Officer
OpenPGP                 | User Password (PW1)     | 6-127 byte PIN                  | Authenticated User
                        | Admin Password (PW3)    | 8-127 byte PIN                  | Crypto Officer
PIV Smart Card          | Management Key          | 3-key TDES key                  | Crypto Officer
                        | PUK                     | 6-8 byte PIN                    | Crypto Officer
                        | PIN                     | 6-8 byte PIN                    | Authenticated User
WebAuthn                | PIN                     | 6 to 32 byte PIN                | Authenticated User

The instructions for the individual applications are provided in the following topics:

For more information on secure channel requirements from NIST, see NIST SP 800-63-C and NIST SP 800-63B.