Firmware Overview
YubiKey 5 Series
5.7 Firmware
The new 5.7. firmware for the YubiKey 5 Series has a number of new and improved features that will be available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in 5.7 Firmware Specifics. In addition to the features that are directly accessible, there are a number of features that require partner support.
Note
Yubico periodically updates its firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware. Once programmed, YubiKeys cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.
The firmware version on a YubiKey or a Security Key determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use either the Yubico Authenticator with its intuitive and easy-to-use interface or the ykman that is a lightweight software package installable on many OSs.
The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed below in the Firmware Capability Matrix.
YubiKey 5 FIPS Series
5.7.4 Firmware
Yubico is releasing a new firmware version, 5.7.4, for the submission to CMVP for FIPS 140-3 validation. The same hardware - namely all the YubiKeys in the 5 FIPS Series - is being submitted for certification as FIPS 140-3 Overall Level 2 and Physical Level 3 (see YubiKey 5 FIPS Series under FIPS 140-3). Yubico’s aim in releasing this new firmware is to bring the new enterprise-focused features to users that require FIPS-certified authenticators.
Because the 5.7.4 firmware has not yet been evaluated by NIST these keys are not FIPS keys as such. (Once we submit to NIST’s Cryptographic Module Validation Program, customers will be able to check the Modules In Process List list for updates on its progress through the program.) YubiKeys with our 5.7.4 firmware will therefore have all the same functions as our FIPS keys, which is why this firmware is listed in the YubiKey 5 FIPS Series Cryptographic Module Major Functions table below, even though it is not formally certified as FIPS and not yet acceptable in a FIPS environment.
The new features in 5.7.4 are:
- Enterprise Attestation to support use cases such as derived FIDO credentials
- FIDO2, PIV and OpenPGP minimum PIN length is now 8
- PIN complexity is on by default to adhere to NIST Special Publication 800-63B (and 800-63B-4)
Larger keys sizes will provide better protection than smaller key sizes until Post-Quantum-Cryptography is mature.
The FIPS 140-3 requirements are very different from those of FIPS 140-2. For a detailed description of those requirements, see YubiKey 5 FIPS Series under FIPS 140-3.
5.6 and 5.7 Firmware Prior to 5.7.4
The new 5.7. firmware for the YubiKey 5 Series has a number of new and improved features that will be available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in 5.7 Firmware Specifics. In addition to the features that are directly accessible, there are a number of features that require partner support.
Note
Yubico periodically updates its firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware. Once programmed, YubiKeys cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.
The firmware version on a YubiKey or a Security Key determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use either the Yubico Authenticator with its intuitive and easy-to-use interface or the ykman that is a lightweight software package installable on many OSs.
The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed in the Firmware Capability Matrix. An example of a feature made available by firmware is the NFC function with firmware 5.7 not being activated until the YubiKey is plugged into a device. Plugging it in activates the NFC function. For more detail on this specific feature, see Restricted NFC.
Security Key Series
The Security Key Series - including Enterprise Edition - will be updated with the latest firmware, including the updates from FIDO listed above. The Enterprise Edition will have the following additional updates:
- Minimum PIN length set to 6
- PIN Complexity turned on by default (and cannot be turned off)
- Serial number retrievable by client software in Windows without requiring elevated privileges (admin rights) since the YubiKey management application is accessible via CCID, which enables use cases where client software needs to read the serial number of the authenticator.
Firmware Capability Matrices
YubiKey 5 Series
| Feature/Form Factor | Firmware Versions | |||||
|---|---|---|---|---|---|---|
| 5.0.x | 5.1.x | 5.2.x | 5.3.x | 5.4.x | 5.7.x | |
| Serial Number | Yes | Yes | Yes | Yes | Yes | Yes |
| OTP | Yes | Yes | Yes | Yes | Yes | Yes |
| OATH | Yes | Yes | Yes | Yes | Yes | Yes |
| OpenPGP version | 2.1 | 2.1 | 3.4 | 3.4 | 3.4 | 3.4 |
| PIV/Smart Card | Yes | Yes | Yes | Yes | Yes | Yes |
| FIDO U2F | Yes | Yes | Yes | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiHSM Auth | Yes | Yes | ||||
| SCP03 | Yes | Yes | Yes | |||
| SCP11 | ||||||
FIDO2 Credential
Storage
|
25 | 25 | 25 | 25 | 25 | 100 |
OATH Credential
Storage
|
32 | 32 | 32 | 32 | 32 | 64 |
| USB-A | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-A + NFC | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-C | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-C + NFC | Yes | Yes | Yes | Yes | Yes | |
| USB-A Nano | Yes | Yes | Yes | Yes | Yes | Yes |
| USB-C Nano | Yes | Yes | Yes | Yes | Yes | Yes |
| Lightning + USB-C | Yes | Yes | Yes | Yes | ||
YubiKey 5 FIPS Series
| Feature/Form Factor | Firmware Versions | ||
|---|---|---|---|
| 5.4.2 | 5.4.3 | 5.7.4 | |
| Serial Number | Yes | Yes | Yes |
| OTP | Yes | Yes | Yes |
| OATH | Yes | Yes | Yes |
| OpenPGP version | 3.4 | Yes | |
| PIV/Smart Card | Yes | Yes | Yes |
| FIDO U2F | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes |
FIDO2 Credential
Storage
|
25 | 25 | 100 |
| YubiHSM Auth | Yes | Yes | |
| SCP03 | Yes | Yes | Yes |
| SCP11 | Yes | ||
| USB-A | Yes | Yes | Yes |
| USB-A + NFC | Yes | Yes | Yes |
| USB-C | Yes | Yes | Yes |
| USB-C + NFC | Yes | Yes | Yes |
| USB-A Nano | Yes | Yes | Yes |
| USB-C Nano | Yes | Yes | Yes |
| Lightning + USB-C | Yes | Yes | Yes |
YubiKey 5 CSPN Series
| Feature/Form Factor | Firmware Version 5.4.2 |
|---|---|
| Serial Number | Yes |
| OTP | Yes |
| OATH | Yes |
| OpenPGP version | |
| PIV/Smart Card | Yes |
| FIDO U2F | Yes |
| FIDO2/WebAuthn | Yes |
| YubiHSM Auth | |
| SCP03 | Yes |
| USB-A | Yes |
| USB-A + NFC | Yes |
| USB-C | Yes |
| USB-C + NFC | Yes |
| USB-A Nano | Yes |
| USB-C Nano | Yes |
| Lightning + USB-C | Yes |
YubiKey Bio Series
| Feature/Form Factor | Firmware Versions | ||
|---|---|---|---|
| 5.5.x | 5.6.x | 5.7.x | |
| Serial Number | Yes | Yes | Yes |
| OTP | |||
| OATH | |||
| OpenPGP version | |||
| PIV/Smart Card | Yes | ||
| FIDO U2F | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes |
FIDO2 Credential
Storage
|
25 | 25 | 100 |
| YubiHSM Auth | |||
| SCP03 | Yes | Yes | |
| SCP11 | Yes | ||
| USB-A | Yes | Yes | Yes |
| USB-A + NFC | |||
| USB-C | Yes | Yes | Yes |
| USB-C + NFC | |||
| USB-A Nano | |||
| USB-C Nano | |||
| Lightning + USB-C | |||
- SCP03 and SCP11 Support
- SCP03 and SCP11 is only available on the YubiKey Bio Multi-protocol Edition.
- PIV Support
- Smart Card/PIV is only available on the YubiKey Bio Multi-protocol Edition.
Security Key Series
| Feature/Form Factor | Firmware Versions | ||||
|---|---|---|---|---|---|
| 5.0.x - 5.2.x | 5.4.x | 5.4.x Enterprise Ed. | 5.7.x | 5.7.x Enterprise Ed. | |
| Serial Number | Yes | Yes | |||
| OTP | |||||
| OATH | |||||
| OpenPGP version | |||||
| PIV/Smart Card | |||||
| FIDO U2F | Yes | Yes | Yes | Yes | Yes |
| FIDO2/WebAuthn | Yes | Yes | Yes | Yes | Yes |
FIDO2 Credential
Storage
|
25 | 25 | 25 | 100 | 100 |
| YubiHSM Auth | |||||
| SCP03 | Yes | ||||
| FIDO2 PIN Mgmt* | Yes | Yes | |||
Enterprise
Attestation
|
Yes | ||||
| Blob Storage | Yes | Yes | |||
| Always UV | Yes | Yes | |||
| USB-A | Yes | ||||
| USB-A + NFC | Yes | Yes | Yes | Yes | Yes |
| USB-C | |||||
| USB-C + NFC | Yes | Yes | Yes | Yes | |
| USB-A Nano | |||||
| USB-C Nano | |||||
| Lightning + USB-C | |||||
- SCP03 Support
- SCP03 is only available on the Security Key Series Enterprise Edition.
Click for Yubico Support.