The Department of War (DoW) CIO’s office recently released the much-anticipated “Multi-Factor Authentication (MFA) for Unclassified & Secret DoD Networks” memo, which approves device-bound FIDO2 passkeys on a YubiKey for Department of Defense (DoD) use cases. Beyond that approval, the memo lays out a multitude of use cases describing when each approved method may be used, along with clarification regarding DoD’s primary credential.
For the first time, agencies are authorized to implement device-bound FIDO2 passkeys protected on YubiKeys, and can finally make the transition to passwordless, phishing-resistant authentication for non-PKI use cases. The memo highlights Yubico’s flagship solution, the YubiKey, as the only approved FIDO authenticator that is also FIPS certified. This means that agencies can use the YubiKey 5 FIPS Series to store both a DoD PKI credential and multiple DoD FIDO2 passkeys on a single key!
One item of pushback sometimes heard across the DoD has been that previous policy did not explicitly authorize a specific authentication option for a given use case. The new memo does a great job of providing use cases, eliminating that gap for a wide array of scenarios such as GFE shared mobile devices, personal mobile devices, IT privileged users and others. These scenarios are in turn grouped by whether the user is CAC eligible, not CAC eligible, or operating on a secret fabric.
Another key highlight of this memo is the clarification it provides around DoD’s primary credential. Previous policy seemed to bounce between defining DoD’s primary credential as DoD PKI or as the CAC. For customers looking to adopt the YubiKey with DoD PKI credentials, this could cause an issue depending on their authorizing official’s interpretation of policy. Now it is clearly stated that DoD PKI is the primary credential, with the CAC named only as an example of DoD PKI. Per the new memo, DoD PKI credentials on a YubiKey are covered by the 2019 DoD Mobile PKI Requirements memo.
If you examine the certificates provisioned to a YubiKey via DISA Purebred, you will see that they are medium-hardware mobile PKI credentials. Per the 2019 memo, Purebred PKI credentials on a YubiKey are valid for the following:
- Authentication to information systems rated Sensitivity Level 4 and below (including unclassified NSS)
- DoD NIPR Wi-Fi authentication
- DoD NIPRNet VPN authentication
- Digitally signing/encrypting emails and documents
- DoD network logon (e.g. Windows Logon)
It has never been clearer that a YubiKey with Purebred DoD Mobile PKI credentials can be used for authentication in almost any scenario where one would normally use a CAC, including logging in to a DoDIN machine. While the 2019 DoD memo approved the YubiKey 4 FIPS Series as authenticators, the newly released 2025 memo clarifies that all FIPS certified YubiKeys are approved, helping DoD support the mission with modern authenticators such as the YubiKey.
For one of the key use cases called out in the memo, Bring Your Own (BYO) mobile devices, the memo states that Purebred PKI is not available, since provisioning credentials directly to a personal phone is not allowed. However, another option does exist! There are YubiKey form factors for any mobile device, whether USB-C, Lightning, or NFC. In fact, provisioning a Purebred PKI credential to a YubiKey for BYO devices, enabling access to DoD web services, AVD, or Intune MAM-WE, is one of our largest use cases. A single YubiKey can be used on BYO devices, shared government mobile devices, DoDIN workstations and more.
With the growing threat of AI and agentic AI, where phishing and other sophisticated attacks are faster, more targeted, and run at a larger scale than ever before, government and private sector organizations need to protect all of their users to reduce breach exposure. The most security-conscious enterprises around the world rely on YubiKey as a Service, an industry-first cybersecurity service that fast-tracks organizations to phishing-resistant, passwordless authentication. By offering organizations a flexible and cost-effective way to adopt modern cybersecurity at speed and scale, hardware authentication as a service greatly simplifies how organizations protect their entire ecosystem, including the workforce, contractors, suppliers and end users.
If you have not seen this latest MFA memo yet, visit the DoW CIO library website and take a look. If you have questions or are interested in bringing the gold standard of phishing-resistant security, YubiKeys, to your organization, reach out to our DoD sales team for more information.
