Firmware Overview
YubiKey 5 Series
5.7 Firmware
The new 5.7. firmware for the YubiKey 5 Series has a number of new and improved features that are available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in 5.7 Firmware Specifics. In addition to the features that are directly accessible, there are a number of features that require partner support.
Note
Yubico periodically updates its firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware. Once programmed, YubiKeys cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.
The firmware version on a YubiKey or a Security Key determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use either the Yubico Authenticator with its intuitive and easy-to-use (GUI) interface or ykman the lightweight command line (CLI) software package installable on many OSs.
The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed below in the Firmware Capability Matrix.
YubiKey 5 FIPS Series
5.7.4 Firmware
Yubico is releasing a new firmware version, 5.7.4, for the submission to CMVP for FIPS 140-3 validation. The same hardware - namely all the YubiKeys in the 5 FIPS Series - is being submitted for certification as FIPS 140-3 Overall Level 2 and Physical Level 3 (see YubiKey 5 FIPS Series under FIPS 140-3). Yubico’s aim in releasing this new firmware is to bring the new enterprise-focused features to users that require FIPS-certified authenticators.
Because the 5.7.4 firmware has not yet been evaluated by NIST these keys are not FIPS keys as such. (Once we submit to NIST’s Cryptographic Module Validation Program, customers are able to check the Modules In Process List list for updates on its progress through the program.) YubiKeys with our 5.7.4 firmware therefore have all the same functions as our FIPS keys, which is why this firmware is listed in the YubiKey 5 FIPS Series Cryptographic Module Major Functions table below, even though it is not formally certified as FIPS and not yet acceptable in a FIPS environment.
The new features in 5.7.4 are:
- Enterprise Attestation to support use cases such as derived FIDO credentials
- FIDO2, PIV and OpenPGP minimum PIN length is now 8
- PIN complexity is on by default to adhere to NIST Special Publication 800-63B (and 800-63B-4)
Larger keys sizes provide better protection than smaller key sizes until Post-Quantum-Cryptography is mature.
The FIPS 140-3 requirements are very different from those of FIPS 140-2. For a detailed description of those requirements, see YubiKey 5 FIPS Series under FIPS 140-3.
5.6 and 5.7 Firmware Prior to 5.7.4
The new 5.7. firmware for the YubiKey 5 Series has a number of new and improved features that are available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in 5.7 Firmware Specifics. In addition to the features that are directly accessible, there are a number of features that require partner support.
Note
Yubico periodically updates its firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware. Once programmed, YubiKeys cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.
The firmware version on a YubiKey or a Security Key determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use either the Yubico Authenticator with its intuitive and easy-to-use (GUI) interface or ykman the lightweight command line (CLI) software package installable on many OSs.
The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed in the Firmware Capability Matrix. An example of a feature made available by firmware is the NFC function with firmware 5.7 not being activated until the YubiKey is plugged into a device. Plugging it in activates the NFC function. For more detail on this specific feature, see Restricted NFC.
Firmware Capability Matrices
YubiKey 5 Series
| Feature/Form Factor | Firmware Versions | |||||
|---|---|---|---|---|---|---|
| 5.7.x | 5.5.x | 5.4.x | 5.3.x | 5.2.x | 5.0.x | |
| Serial Number | Yes | Yes | Yes | Yes | Yes | Yes |
| OTP | Yes | Yes | Yes | Yes | Yes | Yes |
| OATH | Yes | Yes | Yes | Yes | Yes | Yes |
OATH Credential
Storage
|
64 | 32 | 32 | 32 | 32 | 32 |
| OpenPGP version | 3.4 | 3.4 | 3.4 | 3.4 | 2.1 | 2.1 |
| PIV/Smart Card | Yes | Yes | Yes | Yes | Yes | Yes |
| FIDO U2F | Yes | Yes | Yes | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes | Yes | Yes | Yes |
FIDO2 Credential
Storage
|
100 | 25 | 25 | 25 | 25 | 25 |
| FIDO2 PIN Mgmt | Yes | |||||
Enterprise
Attestation
|
Yes | |||||
| Blob Storage | Yes | |||||
| AlwaysUV | Yes | |||||
| YubiHSM Auth | Yes | Yes | ||||
| SCP03 | Yes | Yes | Yes | |||
| SCP11 | 5.7.4+ | |||||
| USB-A | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-A + NFC | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-C | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-C + NFC | Yes | Yes | Yes | Yes | Yes | |
| USB-A Nano | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-C Nano | Yes | Yes | Yes | Yes | Yes | Yes |
| Lightning + USB-C | Yes | Yes | Yes | Yes | ||
YubiKey 5 FIPS Series
| Feature/Form Factor | Firmware Versions | ||
|---|---|---|---|
| 5.7.4 | 5.4.3 | 5.4.2 | |
| Serial Number | Yes | Yes | Yes |
| OTP | Yes | Yes | Yes |
| OATH | Yes | Yes | Yes |
OATH Credential
Storage
|
|||
| OpenPGP version | Yes | 3.4 | |
| PIV/Smart Card | Yes | Yes | Yes |
| FIDO U2F | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes |
FIDO2 Credential
Storage
|
100 | 25 | 25 |
| FIDO2 PIN Mgmt | |||
Enterprise
Attestation
|
|||
| Blob Storage | |||
| AlwaysUV | |||
| YubiHSM Auth | Yes | Yes | |
| SCP03 | Yes | Yes | Yes |
| SCP11 | Yes | ||
| USB-A | Yes | Yes | Yes |
| USB-A + NFC | Yes | Yes | Yes |
| USB-C | Yes | Yes | Yes |
| USB-C + NFC | Yes | Yes | Yes |
| USB-A Nano | Yes | Yes | Yes |
| USB-C Nano | Yes | Yes | Yes |
| Lightning + USB-C | Yes | Yes | Yes |
YubiKey 5 CSPN Series
| Feature/Form Factor | Firmware Version 5.4.2 |
|---|---|
| Serial Number | Yes |
| OTP | Yes |
| OATH | Yes |
OATH Credential
Storage
|
|
| OpenPGP version | |
| PIV/Smart Card | Yes |
| FIDO U2F | Yes |
| FIDO2/WebAuthn | Yes |
FIDO2 Credential
Storage
|
|
| FIDO2 PIN Mgmt | |
Enterprise
Attestation
|
|
| Blob Storage | |
| AlwaysUV | |
| YubiHSM Auth | |
| SCP03 | Yes |
| SCP11 | |
| USB-A | Yes |
| USB-A + NFC | Yes |
| USB-C | Yes |
| USB-C + NFC | Yes |
| USB-A Nano | Yes |
| USB-C Nano | Yes |
| Lightning + USB-C | Yes |
YubiKey 5 Series - Enhanced PIN
| Feature/Form Factor | Firmware Version 5.7.4 |
|---|---|
| Serial Number | Yes |
| OTP | Yes |
| OATH | Yes |
OATH Credential
Storage
|
64 |
| OpenPGP version | 3.4 |
| PIV/Smart Card | Yes |
| FIDO U2F | Yes |
| FIDO2/WebAuthn | Yes |
FIDO2 Credential
Storage
|
100 |
| FIDO2 PIN Mgmt | Yes |
Enterprise
Attestation
|
Yes |
| Blob Storage | Yes |
| AlwaysUV | Yes |
| YubiHSM Auth | |
| SCP03 | Yes |
| SCP11 | Yes |
| USB-A | |
| USB-A + NFC | Yes |
| USB-C | |
| USB-C + NFC | Yes |
| USB-A Nano | |
| USB-C Nano | |
| Lightning + USB-C |
YubiKey Bio Series
| Feature/Form Factor | Firmware Versions | ||
|---|---|---|---|
| 5.7.x | 5.6.x | 5.5.x | |
| Serial Number | Yes | Yes | Yes |
| OTP | |||
| OATH | |||
OATH Credential
Storage
|
|||
| OpenPGP version | |||
| PIV/Smart Card | Yes | ||
| FIDO U2F | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes |
FIDO2 Credential
Storage
|
100 | 25 | 25 |
| FIDO2 PIN Mgmt | |||
Enterprise
Attestation
|
|||
| Blob Storage | |||
| AlwaysUV | |||
| YubiHSM Auth | |||
| SCP03 | Yes | Yes | |
| SCP11 | 5.7.2+ | ||
| USB-A | Yes | Yes | Yes |
| USB-A + NFC | |||
| USB-C | Yes | Yes | Yes |
| USB-C + NFC | |||
| USB-A Nano | |||
| USB-C Nano | |||
| Lightning + USB-C | |||
- SCP03 and SCP11 Support
- SCP03 and SCP11 is only available on the YubiKey Bio Multi-protocol Edition.
- PIV Support
- Smart Card/PIV is only available on the YubiKey Bio Multi-protocol Edition.
Security Key Series
Features and
Form Factors
|
Firmware Versions | ||||
|---|---|---|---|---|---|
5.7.x
Enterprise Ed.
|
5.7.x
|
5.4.x
Enterprise Ed.
|
5.4.x
|
5.0.x - 5.2.x
|
|
| Serial Number | Yes | Yes | |||
| OTP | |||||
| OATH | |||||
OATH Credential
Storage
|
|||||
| OpenPGP version | |||||
| PIV/Smart Card | |||||
| FIDO U2F | Yes | Yes | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes | Yes | Yes |
FIDO2 Credential
Storage
|
100 | 100 | 25 | 25 | 25 |
| FIDO2 PIN Mgmt | Yes | Yes | |||
Enterprise
Attestation
|
Yes | ||||
| Blob Storage | Yes | Yes | |||
| Always UV | Yes | Yes | |||
| YubiHSM Auth | |||||
| SCP03 | Yes | ||||
| SCP11 | 5.7.4+ | ||||
| USB-A | Yes | ||||
| USB-A + NFC | Yes | Yes | Yes | Yes | Yes |
| USB-C | |||||
| USB-C + NFC | Yes | Yes | Yes | Yes | |
| USB-A Nano | |||||
| USB-C Nano | |||||
| Lightning + USB-C | |||||
- SCP03 Support
- SCP03 is only available on the Security Key Series Enterprise Edition.
Click for Yubico Support.