YubiKey (4) FIPS Series end of sale and movement to CMVP Historical Validation List

September 8, 2021

Earlier this year, Yubico introduced the YubiKey 5 FIPS Series. This new line-up of FIPS 140-2 validated YubiKeys enables government agencies and regulated industries to meet the requirements of the highest authenticator assurance level, AAL3, in the new National Institute of Standards and Technology (NIST) SP 800-63B guidance.

Our previous YubiKey (4) FIPS Series, which we introduced in June of 2018, was built on the YubiKey 4 Series, and its keys were the first multi-protocol authentication security keys to receive this validation. As cryptographic modules and guidance are revised, the YubiKey (4) FIPS Series will be moved to the CMVP Historical Validation List on July 1, 2022, based on the Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program. Additionally, Yubico will no longer sell the YubiKey (4) FIPS Series after December 31, 2021; only the YubiKey 5 FIPS Series will be available after this date.

This does not mean that the overall FIPS-140 certificates for the YubiKey (4) FIPS Series have been revoked. Rather, it indicates that the certificates support functionality that does not align with the latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. Section D.8 of the Implementation Guidance calls out that only approved and allowed key agreement techniques can be used in an approved mode of operation after June 30, 2022.

With the latest guidance from NIST, the YubiKey (4) FIPS Series’ current implementation of ECDH does not meet SP 800-56A Rev3 compliance requirements and will therefore be moved to the Historical List. Specifically, the PIV application is affected when it uses the ECC algorithm for decryption.

  • Affected devices include YubiKey (4) FIPS, YubiKey (4) Nano FIPS, YubiKey (4) C FIPS and YubiKey (4) C Nano FIPS.
  • Unaffected devices include YubiKey 5 FIPS Series, YubiKey 5 Series, YubiKey 4 Series (non-FIPS) and Security Key Series.

Companies may make a risk determination on whether to continue using the modules on the Historical List based on their own assessment of where and how the module is used. For more technical details, please refer to our knowledge base article.

Note: to help you visually identify your YubiKeys, the back of each YubiKey 5 FIPS Series device carries a v5 etching, which the YubiKey (4) FIPS Series does not have.
