YubiKey (4) FIPS Series end of sale and movement to CMVP Historical Validation List

Yubico Team

Yubico Team

2 minute read

Earlier this year, Yubico introduced the YubiKey 5 FIPS Series. This new line-up of FIPS 140-2 validated YubiKeys enables government agencies and regulated industries to meet the highest authenticator assurance level 3 (AAL3) requirements from the new National Institute of Standards and Technology (NIST) SP800-63B guidance.

Our previous YubiKey (4) FIPS Series which we introduced in June of 2018, was built on the YubiKey 4 Series, and were the first multi-protocol authentication security keys to receive this validation. As cryptographic modules and guidance have revisions, the YubiKey (4) FIPS Series will be moved to the CMVP Historical Validation List on July 1, 2022 based on the Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program. Additionally, Yubico will no longer sell the YubiKey (4) FIPS Series after December 31, 2021, only the YubiKey 5 FIPS Series will be available after this date.

This does not mean that the overall FIPS-140 certificates for the YubiKey (4) FIPS Series have been revoked, rather it indicates that the certificates support functionality that does not align with the latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. Section D.8 of the Implementation Guidance calls out that only approved and allowed key agreement techniques can be used in an approved mode of operation after June 30, 2022. 

With the latest guidance from NIST, the YubiKey (4) FIPS Series’ current implementation of ECDH does not meet SP 800-56A Rev3 compliance requirements and will therefore be moved to the Historical List. Specifically, the PIV application when using the ECC algorithm for decryption is affected. 

  • Affected devices include YubiKey (4) FIPS, YubiKey (4) Nano FIPS, YubiKey (4) C FIPS and YubiKey (4) C Nano FIPS.  
  • Non affected devices include YubiKey 5 FIPS Series, YubiKey 5 Series, YubiKey 4 Series (non-FIPS) and Security Key Series.

Companies may make a risk determination on whether to continue using the modules on the Historical List based on their own assessment of where and how the module is used. For more technical details, please refer to our knowledge base article

Note, to help visually identify your YubiKeys, the back of the YubiKey 5 FIPS Series contains a v5 etching on the devices, which isn’t included in the YubiKey (4) FIPS Series. 

Talk to our teamTalk to our team

Share this article:
  • Securing the skies with YubiKeys: Insights on cyber resilience in the aviation industry and beyondIn an increasingly interconnected world, the landscape of cybersecurity is constantly evolving. Bad actors are becoming more sophisticated, leveraging tactics like phishing and ransomware to exploit human error and weak credentials. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises – especially those in high-stakes sectors like commercial […]Read morecyber resilienceEUmanufacturingQ&A
  • Future-proofing authentication: A look at the future of post-quantum cryptographyThe path from passwords to passkeys and beyond In a previous blog I talked about the end of passwords and the rise of passkeys, which promise stronger security and less frustration for both individuals and businesses. The global momentum behind passkeys represents one of the most exciting shifts in authentication history, but realizing their full […]Read more
  • Goodbye master passwords: Dashlane and Yubico enhance credential vault encryption and login with YubiKeysAt Authenticate 2025 this week, the world’s leading experts on modern authentication and securing digital identities gathered, to discuss the future of secure authentication and achieving usable security across the account lifecycle. The message was clear: the future of phishing-resistant authentication is using passkeys for encryption, and the gold standard is device-bound passkeys – YubiKeys. […]Read morecredential vault encryptioncredential vault loginDashlanepartnerpasskey encryptionPRF
  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet