YubiKey 5 NFC FIPS


5NFCFIPS.png

Note: This article lists the technical specifications of the YubiKey 5 NFC FIPS. If you're looking for deployment considerations, refer to this article. If you're looking for a usage guide, refer to this article.

 

The YubiKey 5 NFC FIPS is FIPS 140-2 certified (Overall Level 1 and Level 2, Physical Security Level 3) and based on the YubiKey 5 NFC. The YubiKey 5 NFC FIPS has five distinct applications, which are all independent of each other and can be used simultaneously.

Note: The YubiKey 5 FIPS Series with initial firmware release version 5.4.2 does not support OpenPGP. Support for OpenPGP was added in firmware version 5.4.3.

 

Not sure if you have a YubiKey 5 NFC FIPS or YubiKey FIPS (4 Series)? The YubiKey 5 NFC FIPS has v5 printed near the 2D barcode (see image above), but the YubiKey FIPS (4 Series) does not. Alternatively, YubiKey Manager can be used to check the model and firmware version.

 

Interface

The YubiKey 5 NFC FIPS uses a USB 2.0 interface as well as an NFC interface. All of the applications are available through both interfaces.

 

Applications

 

FIDO2

The FIDO2 application allows for secure single and multi-factor authentication, and can store up to 25 resident credentials. These credentials, which are protected by a PIN, enable passwordless login, where the YubiKey, unlocked by a PIN and authorized by touch, can log you in to your accounts without entering a username or password. The FIDO2 application is FIDO certified.

USB/NFC Interface: FIDO


 

U2F

Note: The YubiKey 5 FIPS Series U2F application cannot be used in a FIPS 140-2 Level 2 mode. In place of the U2F functionality, use the FIDO WebAuthn application. For more information, refer to the YubiKey 5 FIPS Series Technical Manual.

The U2F application can hold an unlimited number of U2F credentials and is FIDO certified.

USB/NFC Interface: FIDO

 

OTP

The OTP application contains two programmable slots, each of which can hold one of the following credentials:

  • Yubico OTP
  • HMAC-SHA1 Challenge-Response
  • Static Password
  • OATH-HOTP

USB/NFC Interface: OTP

 

OATH

The YubiKey 5 FIPS Series can hold up to 32 OATH credentials and supports both OATH-TOTP (time based) and OATH-HOTP (counter based). Accessing this application requires Yubico Authenticator.

USB/NFC Interface: CCID

 

PIV (Smart Card)

This application provides a PIV-compatible smart card. On Windows, the smart card functionality can be enhanced with the YubiKey Smart Card Minidriver.

Default Values:

  • PIN: 123456
  • PUK: 12345678
  • Management Key (3DES): 010203040506070801020304050607080102030405060708

Supported Algorithms:

  • RSA 1024
  • RSA 2048
  • ECC P256
  • ECC P384

Slot Information:

  • Slot 9a: Authentication
  • Slot 9b: Management Key
  • Slot 9c: Digital Signature
  • Slot 9d: Key Management
  • Slot 9e: Card Authentication
  • Slot f9: Attestation
  • Slots 82-95: Retired Key Management

USB/NFC Interface: CCID


 

OpenPGP

This application implements version 2.0 of the OpenPGP Smart Card specification, which can be used with GnuPG. For key sizes over 2048 bits, GnuPG version 2.0 or higher is required.

Note: The YubiKey 5 FIPS Series with initial firmware release version 5.4.2 does not support OpenPGP. Support for OpenPGP was added in firmware version 5.4.3.

 

Supported Algorithms:

 

  • RSA 1024
  • RSA 2048
  • RSA 3072
  • RSA 4096
  • secp256r1 
  • secp256k1 
  • secp384r1 
  • secp521r1 
  • brainpoolP256r1 
  • brainpoolP384r1 
  • brainpoolP512r1 
  • curve25519
    • x25519 (decipher only)
    • ed25519 (sign / auth only)

USB/NFC Interface: CCID

 

Physical Specifications

 

Form Factor

Connector: USB-A

Dimensions: 18mm x 45mm x 3.3mm

Weight: 3g

Physical Interfaces: USB, NFC

Temperatures

 

Operational range: 0 °C - 40 °C (32 °F - 104 °F)

Storage range: -20 °C - 85 °C (-4 °F - 185 °F)