YubiKey (4) FIPS Series end of sale and movement to CMVP Historical Validation List

September 8, 2021 2 minute read

Earlier this year, Yubico introduced the YubiKey 5 FIPS Series. This new line-up of FIPS 140-2 validated YubiKeys enables government agencies and regulated industries to meet the highest authenticator assurance level 3 (AAL3) requirements from the new National Institute of Standards and Technology (NIST) SP800-63B guidance.

Our previous YubiKey (4) FIPS Series which we introduced in June of 2018, was built on the YubiKey 4 Series, and were the first multi-protocol authentication security keys to receive this validation. As cryptographic modules and guidance have revisions, the YubiKey (4) FIPS Series will be moved to the CMVP Historical Validation List on July 1, 2022 based on the Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program. Additionally, Yubico will no longer sell the YubiKey (4) FIPS Series after December 31, 2021, only the YubiKey 5 FIPS Series will be available after this date.

This does not mean that the overall FIPS-140 certificates for the YubiKey (4) FIPS Series have been revoked, rather it indicates that the certificates support functionality that does not align with the latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. Section D.8 of the Implementation Guidance calls out that only approved and allowed key agreement techniques can be used in an approved mode of operation after June 30, 2022. 

With the latest guidance from NIST, the YubiKey (4) FIPS Series’ current implementation of ECDH does not meet SP 800-56A Rev3 compliance requirements and will therefore be moved to the Historical List. Specifically, the PIV application when using the ECC algorithm for decryption is affected. 

  • Affected devices include YubiKey (4) FIPS, YubiKey (4) Nano FIPS, YubiKey (4) C FIPS and YubiKey (4) C Nano FIPS.  
  • Non affected devices include YubiKey 5 FIPS Series, YubiKey 5 Series, YubiKey 4 Series (non-FIPS) and Security Key Series.

Companies may make a risk determination on whether to continue using the modules on the Historical List based on their own assessment of where and how the module is used. For more technical details, please refer to our knowledge base article

Note, to help visually identify your YubiKeys, the back of the YubiKey 5 FIPS Series contains a v5 etching on the devices, which isn’t included in the YubiKey (4) FIPS Series. 

Share this article:

Recommended content