YubiKey (4) FIPS Series end of sale and movement to CMVP Historical Validation List

Earlier this year, Yubico introduced the YubiKey 5 FIPS Series. This new line-up of FIPS 140-2 validated YubiKeys enables government agencies and regulated industries to meet the highest authenticator assurance level 3 (AAL3) requirements from the new National Institute of Standards and Technology (NIST) SP800-63B guidance.

Our previous YubiKey (4) FIPS Series which we introduced in June of 2018, was built on the YubiKey 4 Series, and were the first multi-protocol authentication security keys to receive this validation. As cryptographic modules and guidance have revisions, the YubiKey (4) FIPS Series will be moved to the CMVP Historical Validation List on July 1, 2022 based on the Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program. Additionally, Yubico will no longer sell the YubiKey (4) FIPS Series after December 31, 2021, only the YubiKey 5 FIPS Series will be available after this date.

This does not mean that the overall FIPS-140 certificates for the YubiKey (4) FIPS Series have been revoked, rather it indicates that the certificates support functionality that does not align with the latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. Section D.8 of the Implementation Guidance calls out that only approved and allowed key agreement techniques can be used in an approved mode of operation after June 30, 2022. 

With the latest guidance from NIST, the YubiKey (4) FIPS Series’ current implementation of ECDH does not meet SP 800-56A Rev3 compliance requirements and will therefore be moved to the Historical List. Specifically, the PIV application when using the ECC algorithm for decryption is affected. 

  • Affected devices include YubiKey (4) FIPS, YubiKey (4) Nano FIPS, YubiKey (4) C FIPS and YubiKey (4) C Nano FIPS.  
  • Non affected devices include YubiKey 5 FIPS Series, YubiKey 5 Series, YubiKey 4 Series (non-FIPS) and Security Key Series.

Companies may make a risk determination on whether to continue using the modules on the Historical List based on their own assessment of where and how the module is used. For more technical details, please refer to our knowledge base article

Note, to help visually identify your YubiKeys, the back of the YubiKey 5 FIPS Series contains a v5 etching on the devices, which isn’t included in the YubiKey (4) FIPS Series. 

Talk to our teamTalk to our team

Share this article:


  • Works with YubiKey Spotlight: Expanded partnerships redefining phishing-resistance in 20252024 was an exciting year for Yubico and our partners. Together, we achieved remarkable milestones, launching innovative solutions and forging stronger partnerships – all aimed at delivering the most impactful cybersecurity solutions and user experience for our customers and partners. At the heart of these efforts lies a shared commitment to phishing-resistance.  From registration to […]Read moreWorks with YubiKeywwyk
  • Cybersecurity in 2025 – part two: Insights and predictions from Yubico’s expertsIn part one of our 2025 cybersecurity predictions, we highlighted insights from our experts on the topic of passkeys, digital identity wallets and the threats of AI-driven phishing – areas that saw a lot of focus in 2024, and ones that we expect to continue being a major focus this year. If you missed our […]Read morecritical infrastructurefederal governmentfinancial servicespredictions
  • Cybersecurity in 2025: Insights and predictions from Yubico’s expertsWith 2024 behind us, we saw another challenging year in the world of cybersecurity – highlighted by new and evolving threats like Artificial Intelligence (AI)-driven phishing and increasingly sophisticated cyber attacks overall. Yubico’s September Global State of Authentication Survey confirmed the challenges, even underscoring the potential risks of these new threats. The report emphasized the […]Read moreAIdigital identity walletspasskeyspredictions
  • State of Global Authentic(age)ion: A look at cybersecurity habits by generationsNo generations were left untouched when it came to the threat of hackers in 2024: from the impact of political shakeups, to increasingly sophisticated cyber attacks targeting consumers, critical industries and infrastructures, the world was on high alert. Fueled by a dramatic increase in phishing attacks circumventing certain forms of legacy multi-factor authentication (MFA), as […]Read moreState of Global Authenticationsurvey