With the growing threat of generative and agentic AI, where phishing and other sophisticated attacks have become faster and more targeted than ever before, federal agencies and regulated industries need to protect all of their users to reduce breach exposure. Yubico is committed to helping organizations raise the bar for identity assurance and ensure cyber-resilient environments. Today, we’re excited to introduce the next generation of the YubiKey 5 FIPS Series — now officially FIPS 140-3 validated with Certificate #5291.
Yubico has a large number of customers that rely on our YubiKey 5 FIPS Series keys to keep their organizations secure from increasingly sophisticated phishing attacks, as well as to stay compliant with the latest government and industry regulations. The FIPS 140-3 validation now enables organizations to meet strict compliance requirements, including the highest authenticator assurance level 3 (AAL3) requirements from the NIST SP 800-63B guidance.
To provide more context on this milestone and what it means for the public sector, we sat down with Jeff Frederick, Yubico’s Sr. Director, Solutions Engineering, Federal, to break down the key questions surrounding the new standard – including important information organizations need to know.
For more information on the new key, visit the press release here. Contact your Yubico representative or the Yubico sales team for any questions on getting access to the YubiKey 5 FIPS Series keys for your organization.
What is the impact of FIPS 140-3 for government agencies?
For U.S. federal agencies, defense organizations and government contractors, transitioning to FIPS 140-3 validated devices is a foundational requirement to maintain compliance and security assurance moving forward.
Beyond compliance, FIPS 140-3 acts as a catalyst for unified global security. The new framework aligns closely with the international ISO/IEC 19790:2012 cryptographic standard. This helps agencies establish a consistent, modern security baseline across global operations. Paired with federal mandates that require phishing-resistant multi-factor authentication (MFA) to meet Zero Trust architectures, FIPS 140-3 validated keys ensure agencies can meet the highest AAL3 requirements set by NIST.
What happens to FIPS 140-2 devices once 140-3 is released?
They will not disappear overnight. The transition to FIPS 140-3 began in 2019, and 140-2 devices with active certs are still compliant today. Nothing changes operationally for hardware that’s already deployed and validated.
What is the difference between FIPS 140-2 vs. 140-3?
FIPS 140-3 introduces significantly enhanced cryptographic protections and hardware-enforced compliance compared to its predecessor. The new standard requires support for larger public key algorithms (such as RSA-3072, RSA-4096, and Ed25519), stricter enforcement of PIN complexities, support for Secure Channel Protocol (SCP11), and deeper integration with modern authentication standards like FIDO2. FIPS 140-3 also introduces new physical security mandates, such as restricted NFC usage during device transit to prevent manipulation.
Notably, YubiKeys are the only 140-3 dual-certified token for FIPS, and the YubiKey is the only DoD-approved authenticator authorized to hold both DoD PKI credentials and FIDO2 passkeys. This unique dual capability is an important factor for the public sector, allowing agencies to bridge traditional legacy environments (like CAC/PIV Smart Card systems) with modern, phishing-resistant FIDO2 passwordless architectures on a single hardware device.
What is the difference between FIPS validated and FIPS compliant?
A FIPS-validated device has been independently tested and validated by a NIST-accredited lab to meet strict security controls. When a product achieves certification, it is officially listed in NIST’s Cryptographic Module Validation Program (CMVP) database. Federal agencies are required to use FIPS validated devices.
When a vendor claims a product is “FIPS compliant,” it is essentially a self-declared claim. It usually means the product utilizes FIPS-approved cryptographic algorithms, but it has not undergone the rigorous, formal third-party testing required for certification. The U.S. government is very clear on this matter: under the Federal Information Security Modernization Act (FISMA), federal agencies and their contractors are strictly required to use FIPS-certified cryptographic modules, not just compliant ones. Ensuring your authenticators are fully certified protects your agency from dangerous compliance gaps.
Any final thoughts as the updated YubiKey 5 FIPS Series lineup becomes available?
Looking at the various DoD memos issued over the last few years, it is clear that Yubico and its FIPS lineup are uniquely positioned in the industry. The 2025 DoD CIO MFA memo explicitly approves YubiKey for FIDO2 passkeys. Combined with prior 2019 DoD approval for PKI credential storage on YubiKeys, this places YubiKey in a named market leadership position across both modern passkeys and existing PKI workflows.
Additionally, the YubiKey 5 FIPS Series meets the requirements to store a Derived PIV credential used by Federal Civilian agencies. As organizations continue their journey to securing identity in the modern landscape, the YubiKey can universally protect high assurance environments with a future-proofed solution.
