Note: This article covers deployment considerations for the YubiKey FIPS (4 Series). If you're looking for deployment considerations for the YubiKey 5 FIPS Series, refer to this document.
Introduction
Deploying the YubiKey FIPS (Federal Information Processing Standard) Series offers organizations the option of using any of the multiple protocols on the YubiKey for strong authentication. Because not all issues can be resolved by a single authentication protocol, the YubiKey FIPS Series includes PIV, OATH, YubiOTP, and FIDO U2F protocols to address a wide range of scenarios. The FIPS guidelines and requirements are designed to ensure that in a secured environment, only devices in the FIPS-approved mode are able to authenticate. To meet FIPS requirements, corporate IT staff need to work closely with their compliance department to develop and implement strong processes. The FIPS-mandated Crypto Officer role must be incorporated into online services user registration steps that meet the needs of the organization’s security and business processes.
Audience
This document is intended for IT administrators, Crypto Officers, and compliance officers deploying FIPS Series YubiKeys in a FIPS-compliant environment. It sets out the deployment options available to individual end users and to organization admins.
The document provides guidance on the key decisions to be made when deploying YubiKeys in a FIPS-compliant environment. This document does not list the steps for technical implementation; instead, it provides links to the appropriate deployment guides. For more detailed information pertaining to FIPS YubiKeys, please review the YubiKey FIPS Series Technical Manual.
Deployment in a FIPS-Compliant Environment
Yubico’s YubiKey FIPS series presents the first multiprotocol FIPS 140-2 validated security keys. These YubiKeys meet the cryptographic requirements of the NIST (National Institute of Standards and Technology) FIPS 140-2 specifications.
These keys enable strong authentication and thus greater security across multiple sites and services. To take advantage of all the protocols on the YubiKey FIPS series, it is important to understand how they fit within a FIPS-compliant environment. To be FIPS-compliant, an organization first defines its operational processes and then applies the technology so as to align with those processes.
A FIPS compliant environment requires that the role of granting permission be distinct and separate from the role of using those permissions. In order to maintain that separation, FIPS mandates that a Crypto Officer perform all registration and enrollment activities for a user.
FIPS-Approved Mode Default Setting
Many organizations choose to buy YubiKey FIPS series because the hardware has been certified to enable them to achieve compliance and meet the highest levels of authentication assurance (physical level 3). Tooling and deployment approaches often differ; for example, some customers may require a default U2F sub-module Admin PIN to prevent unauthorized U2F registration, while others may not. Since each customer deployment differs, FIPS mode is not enabled by default on FIPS Series YubiKeys.
In a FIPS mode of operation, every sub-module (OTP, OATH, OpenPGP, PIV and U2F) of a FIPS YubiKey must be individually placed in FIPS mode so that the capability to load or generate authentication secrets requires a PIN. Some sub-modules, such as the U2F sub-module, do not ship with a pre-defined PIN. The organization implementing FIPS YubiKeys must therefore supply the PIN as part of their initialization process. By contrast, other submodules like the YubiKey FIPS PIV are always in a FIPS-approved mode, since the Management Key, PIN and PUK are never undefined. The YubiKey FIPS Series Technical Manual provides guidance on configuring each sub-module. Yubico can provide custom configuration to improve the process. Please work with your sales representative if your organization has custom configuration needs.
Note: Resetting the U2F sub-module of the YubiKey permanently invalidates FIPS compliance for the YubiKey overall since FIPS mode for the U2F sub-module cannot be enabled after the reset. Resetting the U2F sub-module should be limited to the decommissioning process only.
The OpenPGP and PIV sub-modules on the FIPS YubiKey come with authentication codes set by default for elevated permissions, and are considered to be in a FIPS-compatible mode out of the box. To be considered to be in the FIPS-compatible mode, the OTP, OATH and U2F sub-modules must have their elevated permissions protected with authentication codes during the initialization process. It is important to note that setting the Admin PIN on the U2F sub-module will prevent registration of new U2F sites without the PIN being provided, but it is not required for authentication. Once the OATH Admin PIN is set, the OATH sub-module will require it to be provided to display the OATH codes stored within, and/or add new ones.
The table below lists the sub-modules, their respective FIPS mode defaults, and their respective Crypto Officer roles.
Sub-Module |
Default FIPS Mode |
Crypto Officer Role |
PIV |
Set |
Manage Management key, Register new Credential(s), define PIN retries |
OpenPGP |
Set |
Manage Admin password, Register new Credential(s), define PIN retries |
OATH |
Not Set |
Set Authorization Password, Register new Credential(s) |
OTP |
Not Set |
Set Admin PIN, Register new Credential(s) |
U2F |
Not Set |
Set Admin PIN, Register new Credential(s) |
Registration and Enrollment
It is important to note that once a key is in FIPS mode, the Crypto Officer must unlock the sub-module before registration can occur. For customers who are familiar with self-service registration flows, the introduction of the Crypto Officer role needs to be clearly communicated within the organization. If your organization needs to access a number of sites that do not require FIPS keys, then the case can be made for providing users with both a FIPS key and a non-FIPS key. This way end users can register themselves to sites without involving the Crypto Officer and thereby reduce operational overhead. For registration on the YubiKey FIPS series, there are a couple of approaches. The options listed below range from less restrictive to more restrictive. Work with your compliance team to determine the option that best meets your needs.
Option 1 - Enable FIPS-Approved Mode After Registration
In this option, the end user is able to register the YubiKey with services. Once the end user completes their registrations, the Crypto Officer sets the sub-module’s Admin PIN or passwords and locks the YubiKey. No further registrations can be performed unless the Crypto Officer unlocks the particular sub-module on the particular key.
Option 2 - Enable FIPS-Approved Mode Prior to Registration
In this option, the YubiKey is in FIPS-approved mode from the beginning. The Crypto Officer locks the sub-modules and registers the YubiKey with the various relying parties that the user needs to access. Once the Admin PIN and/or password is set, if registration to new sites/services is required, the Crypto Officer needs to unlock the sub-module. Depending on the service, in order to properly bind the key to the user’s account, the Crypto Officer might need to have the user log into the site on a secured enrollment station prior to registering the YubiKey. Once all services are registered, the Crypto Officer will lock any unlocked sub-modules and return the key to the user who should then validate that access was set up properly.
For both Option 1 and Option 2, after the initial registration, if the user wants to register their device to a new service, they would engage the Crypto Officer to unlock the YubiKey and register the YubiKey to the new service. Neither option is in itself preferable over the other; the preferred approach is determined by your needs. It is important to consult your compliance team before making a decision on which option is appropriate for your organization.
Authentication
Authentication for most of the protocols functions the same whether the YubiKey is in FIPS-approved mode or not. The Crypto Officer is only involved in the registration process. If the key is in FIPS-approved mode, it only needs to be unlocked for registration. It is not used for authentication.
The OATH sub-module requires the Crypto Officer to be involved with the authentication process; the OATH sub-module must be unlocked by the Crypto Officer. Work with your compliance team to determine the option that best meets your needs for OATH-based authentication.
Identifying FIPS YubiKeys
The FIPS YubiKeys have “FIPS” printed on the back of the keys for easy identification. The YubiKey Manager Command Line Interface (CLI) tool can also be used to identify FIPS keys. Using the command “ykman fido info”, you can identify the FIPS key and see if FIPS mode is enabled. The YubiKey manager CLI can be downloaded for Windows, Linux, and macOS at https://www.yubico.com/products/services-software/download/yubikey-manager/. Specific FIPS command instructions can be found in the YubiKey FIPS (4 Series) Technical Manual.
The FIDO U2F attestation certificate identifies the security key as an official Yubico product. Attestation is only evaluated during a registration flow and not during authentication. Furthermore, attestation can only identify YubiKey capabilities and not whether FIPS mode is enabled. The attestation certificate has limited device model information. Due to privacy concerns, the default settings for FIPS YubiKeys have no FIPS-related information. For these reasons, registering a YubiKey with a Crypto Officer becomes more important. Visit Yubico’s developer U2F attestation site for more information. Yubico can provide custom programming to meet customer attestation needs while maintaining compliance with the FIDO U2F standard. Please contact your Yubico representative for more information.