Firmware Overview

YubiKey 5 Series

5.7 Firmware

The new 5.7 firmware for the YubiKey 5 Series has a number of new and improved features that will be available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in 5.7 Firmware Specifics. In addition to the features that are directly accessible, there are a number of features that require partner support.

Note

Yubico periodically updates its firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware. Once programmed, YubiKeys cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.

The firmware version on a YubiKey or a Security Key determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use either Yubico Authenticator, which has an intuitive and easy-to-use interface, or ykman, a lightweight software package installable on many operating systems.

The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed below in the Firmware Capability Matrix.

YubiKey 5 FIPS Series

5.7.4 Firmware

Yubico is releasing a new firmware version, 5.7.4, for submission to CMVP for FIPS 140-3 validation. The same hardware, namely all the YubiKeys in the 5 FIPS Series, is being submitted for certification as FIPS 140-3 Overall Level 2 and Physical Level 3 (see YubiKey 5 FIPS Series under FIPS 140-3). Yubico’s aim in releasing this new firmware is to bring the new enterprise-focused features to users that require FIPS-certified authenticators.

Because the 5.7.4 firmware has not yet been evaluated by NIST, these keys are not FIPS keys as such. (Once we submit to NIST’s Cryptographic Module Validation Program, customers will be able to check the Modules In Process List for updates on its progress through the program.) YubiKeys with our 5.7.4 firmware will therefore have all the same functions as our FIPS keys, which is why this firmware is listed in the YubiKey 5 FIPS Series Cryptographic Module Major Functions table below, even though it is not formally certified as FIPS and not yet acceptable in a FIPS environment.

The new features in 5.7.4 are:

  • Enterprise Attestation to support use cases such as derived FIDO credentials
  • FIDO2, PIV and OpenPGP minimum PIN length is now 8
  • PIN complexity is on by default to adhere to NIST Special Publication 800-63B (and 800-63B-4)

Larger key sizes will provide better protection than smaller key sizes until post-quantum cryptography is mature.

The FIPS 140-3 requirements are very different from those of FIPS 140-2. For a detailed description of those requirements, see YubiKey 5 FIPS Series under FIPS 140-3.

5.6 and 5.7 Firmware Prior to 5.7.4

The new 5.7 firmware for the YubiKey 5 Series has a number of new and improved features that will be available for the first time on the multi-protocol YubiKey 5. The changes and additions are described in detail in 5.7 Firmware Specifics. In addition to the features that are directly accessible, there are a number of features that require partner support.

Note

Yubico periodically updates its firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware. Once programmed, YubiKeys cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.

The firmware version on a YubiKey or a Security Key determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use either Yubico Authenticator, which has an intuitive and easy-to-use interface, or ykman, a lightweight software package installable on many operating systems.

The features, capabilities, and enhancements of the YubiKey 5 Series that are dependent on firmware version are listed in the Firmware Capability Matrix. One example of a firmware-dependent feature: with firmware 5.7, the NFC function is not activated until the YubiKey is plugged into a device. Plugging it in activates the NFC function. For more detail on this specific feature, see Restricted NFC.


Security Key Series

The Security Key Series - including Enterprise Edition - will be updated with the latest firmware, including the updates from FIDO listed above. The Enterprise Edition will have the following additional updates:

  • Minimum PIN length set to 6
  • PIN Complexity turned on by default (and cannot be turned off)
  • Serial number retrievable by client software in Windows without requiring elevated privileges (admin rights) since the YubiKey management application is accessible via CCID, which enables use cases where client software needs to read the serial number of the authenticator.

Firmware Capability Matrices

YubiKey 5 Series

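Features and Form Factors Available per Firmware Version

| Feature/Form Factor      | 5.0.x | 5.1.x | 5.2.x | 5.3.x | 5.4.x | 5.7.x |
|--------------------------|-------|-------|-------|-------|-------|-------|
| Serial Number            | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| OTP                      | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| OATH                     | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| OpenPGP version          | 2.1   | 2.1   | 3.4   | 3.4   | 3.4   | 3.4   |
| PIV/Smart Card           | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| FIDO U2F                 | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| FIDO2/WebAuthn           | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| YubiHSM Auth             |       |       |       |       | Yes   | Yes   |
| SCP03                    |       |       |       | Yes   | Yes   | Yes   |
| SCP11                    |       |       |       |       |       |       |
| FIDO2 Credential Storage | 25    | 25    | 25    | 25    | 25    | 100   |
| OATH Credential Storage  | 32    | 32    | 32    | 32    | 32    | 64    |
| USB-A                    | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| USB-A + NFC              | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| USB-C                    | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| USB-C + NFC              |       | Yes   | Yes   | Yes   | Yes   | Yes   |
| USB-A Nano               | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| USB-C Nano               | Yes   | Yes   | Yes   | Yes   | Yes   | Yes   |
| Lightning + USB-C        |       |       | Yes   | Yes   | Yes   | Yes   |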

YubiKey 5 FIPS Series

Features and Form Factors Available per Firmware Version

| Feature/Form Factor      | 5.4.2 | 5.4.3 | 5.7.4 |
|--------------------------|-------|-------|-------|
| Serial Number            | Yes   | Yes   | Yes   |
| OTP                      | Yes   | Yes   | Yes   |
| OATH                     | Yes   | Yes   | Yes   |
| OpenPGP version          |       | 3.4   | Yes   |
| PIV/Smart Card           | Yes   | Yes   | Yes   |
| FIDO U2F                 | Yes   | Yes   | Yes   |
| FIDO2/WebAuthn           | Yes   | Yes   | Yes   |
| FIDO2 Credential Storage | 25    | 25    | 100   |
| YubiHSM Auth             |       | Yes   | Yes   |
| SCP03                    | Yes   | Yes   | Yes   |
| SCP11                    |       |       | Yes   |
| USB-A                    | Yes   | Yes   | Yes   |
| USB-A + NFC              | Yes   | Yes   | Yes   |
| USB-C                    | Yes   | Yes   | Yes   |
| USB-C + NFC              | Yes   | Yes   | Yes   |
| USB-A Nano               | Yes   | Yes   | Yes   |
| USB-C Nano               | Yes   | Yes   | Yes   |
| Lightning + USB-C        | Yes   | Yes   | Yes   |

YubiKey 5 CSPN Series

Features and Form Factors Available per Firmware Version

| Feature/Form Factor | Firmware Version 5.4.2 |
|---------------------|------------------------|
| Serial Number       | Yes                    |
| OTP                 | Yes                    |
| OATH                | Yes                    |
| OpenPGP version     |                        |
| PIV/Smart Card      | Yes                    |
| FIDO U2F            | Yes                    |
| FIDO2/WebAuthn      | Yes                    |
| YubiHSM Auth        |                        |
| SCP03               | Yes                    |
| USB-A               | Yes                    |
| USB-A + NFC         | Yes                    |
| USB-C               | Yes                    |
| USB-C + NFC         | Yes                    |
| USB-A Nano          | Yes                    |
| USB-C Nano          | Yes                    |
| Lightning + USB-C   | Yes                    |

YubiKey Bio Series

Features and Form Factors Available per Firmware Version

| Feature/Form Factor      | 5.5.x | 5.6.x | 5.7.x |
|--------------------------|-------|-------|-------|
| Serial Number            | Yes   | Yes   | Yes   |
| OTP                      |       |       |       |
| OATH                     |       |       |       |
| OpenPGP version          |       |       |       |
| PIV/Smart Card           |       |       | Yes   |
| FIDO U2F                 | Yes   | Yes   | Yes   |
| FIDO2/WebAuthn           | Yes   | Yes   | Yes   |
| FIDO2 Credential Storage | 25    | 25    | 100   |
| YubiHSM Auth             |       |       |       |
| SCP03                    |       | Yes   | Yes   |
| SCP11                    |       |       | Yes   |
| USB-A                    | Yes   | Yes   | Yes   |
| USB-A + NFC              |       |       |       |
| USB-C                    | Yes   | Yes   | Yes   |
| USB-C + NFC              |       |       |       |
| USB-A Nano               |       |       |       |
| USB-C Nano               |       |       |       |
| Lightning + USB-C        |       |       |       |

SCP03 and SCP11 Support
SCP03 and SCP11 are only available on the YubiKey Bio Multi-protocol Edition.

PIV Support
Smart Card/PIV is only available on the YubiKey Bio Multi-protocol Edition.

Security Key Series

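Features and Form Factors Available per Firmware Version

| Feature/Form Factor      | 5.0.x - 5.2.x | 5.4.x | 5.4.x Enterprise Ed. | 5.7.x | 5.7.x Enterprise Ed. |
|--------------------------|---------------|-------|----------------------|-------|----------------------|
| Serial Number            |               |       | Yes                  |       | Yes                  |
| OTP                      |               |       |                      |       |                      |
| OATH                     |               |       |                      |       |                      |
| OpenPGP version          |               |       |                      |       |                      |
| PIV/Smart Card           |               |       |                      |       |                      |
| FIDO U2F                 | Yes           | Yes   | Yes                  | Yes   | Yes                  |
| FIDO2/WebAuthn           | Yes           | Yes   | Yes                  | Yes   | Yes                  |
| FIDO2 Credential Storage | 25            | 25    | 25                   | 100   | 100                  |
| YubiHSM Auth             |               |       |                      |       |                      |
| SCP03                    |               |       |                      |       | Yes                  |
| FIDO2 PIN Mgmt*          |               |       |                      | Yes   | Yes                  |
| Enterprise Attestation   |               |       |                      |       | Yes                  |
| Blob Storage             |               |       |                      | Yes   | Yes                  |
| Always UV                |               |       |                      | Yes   | Yes                  |
| USB-A                    | Yes           |       |                      |       |                      |
| USB-A + NFC              | Yes           | Yes   | Yes                  | Yes   | Yes                  |
| USB-C                    |               |       |                      |       |                      |
| USB-C + NFC              |               | Yes   | Yes                  | Yes   | Yes                  |
| USB-A Nano               |               |       |                      |       |                      |
| USB-C Nano               |               |       |                      |       |                      |
| Lightning + USB-C        |               |       |                      |       |                      |

SCP03 Support
SCP03 is only available on the Security Key Series Enterprise Edition.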
