YubiKey Capability Statement Federal DOD

Home / YubiKey Capability Statement Federal DOD

Core Competencies

Yubico assists the federal government in its mission to deploy strong cybersecurity by providing highest-assurance multi-factor and passwordless authentication with the YubiKey, a FIPS 140-3 validated hardware security key that is an alternative to Personal Identity Verification (PIV) and Common Access Card (CAC). YubiKeys offer phishing-resistant MFA to meet the highest Authentication Assurance Level 3 requirements (AAL3) of NIST SP800-63B guidelines.

Why is YubiKey the right solution?

DoD CIO memorandum on Multi-factor Authentication, October 2025 – YubiKey is the only authenticator authorized to hold both DoD PKI credentials and FIDO2 passkeys
DoD CIO memorandum on Approval of Multi-Factor Authentication Alternatives—RSA and YubiKey, 14 April 2017: Certifies YubiKeys as DoD-approved alternative MFA and may be used to authenticate to non-privileged user accounts
National Security Agency (NSA) Cybersecurity Information Guidance, Selecting Secure Multi-factor Authentication Solutions, October 2022: YubiKey listed in MFA evaluation guidance as an AAL3 capable authenticator
FIPS 140-3 validated: Meets Authentication Assurance Level 3 requirements (AAL3) of NIST SP800-63B (Certificate #5291)
Meets Zero Trust and phishing-resistant multi-factor authentication (MFA) requirements as listed in May 12, 2021 U.S. White House Executive Order 14028 on Protecting the Nation’s Cybersecurity and recommended in Jan 19, 2022 U.S. White House National Security Memorandum/NSM-8 on Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems
WebAuthn, FIDO, FIDO2, DFARS/NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) compliant
Support for Defense Information Systems Agency (DISA) Purebred derived credentials for credentialing of YubiKey for BYOD/BYOAD mobile devices
Usable with both GFE/personal laptops, desktops, smart phones and tablets
Supported protocols: PIV/CAC, OTP, FIDO2/WebAuth
Secure United States manufacturing and supply chain processes for trustworthy components and delivery
Strongest authentication: Non PIV/CAC eligible and mission partners, BYOD/BYOAD & closed/air-gapped networks

Summary of Benefits

(3 year risk adjusted)

265% return of investment

75% reduced password related help desk tickets

80% faster authentication

99.9% blocked phishing-attempts

In a commissioned study conducted on behalf of Yubico, Forrester Consulting interviewed security leaders from five enterprises using YubiKeys and found that for the composite organization, YubiKeys slashed exposure to security breaches from phishing and credential thefts by 99.9%. Further, YubiKeys reduced administrative overhead while providing a flexible, dependable user experience.

Past Performance

U.S. Government: Widely deployed in the U.S. Government with over 150 unique implementations

FIPS 140-3 validated: Meets Authentication Assurance Level 3 requirements (AAL3) of NIST SP800-63B (Certificate #5291).

Industry: Many of the world’s largest technology companies and financial institutions use YubiKeys

Google reduced account takeovers to zero with YubiKeys, used by over 114,000 employees
4 of the top 10 U.S. banks use YubiKeys. The nation’s fifth-largest consumer bank expanded YubiKeys from mobile-restricted call centers to over 100,000 employees
Facebook eliminated targeted attacks and expanded YubiKeys from engineering to over 50,000 employees

Technology Partners: Yubico works closely with technology partners to fuel growth, innovation and results that deliver strong authentication solutions and standards for our mutual customers:

Differentiators

Multiple authentication protocols on a single key—PIV/CAC, OTP, FIDO2/WebAuthn
FIPS 140-3 validated strong PIV/CAC alternative with a low total cost of ownership. YubiKeys are easier to deploy especially for remote workers—Yubico works with Sebastian Tech Solutions (STS) for secure logistics/shipping of YubiKeys directly to employees
Unlike managing multiple certificates across mobile devices and PIV/CAC cards, a YubiKey can be used as a portable root of trust across multiple devices including mobile and BYOD/BYOAD, minimizing CapEx and OpEx costs
Unlike mobile-based authenticators, YubiKeys are purpose-built for security and don’t require Government Furnished Equipment (GFE) or a network connection. Phishing and malware resistant, waterproof, crush-resistant, and dustproof
Unlike smart cards, YubiKeys offer anonymity with no visible amplifying personal information when in use

Getting Started

Bailment agreement can be established to obtain Not for Resale (NFR) YubiKeys for proof of concept (POC) programs. Yubico offers solutions engineering support for architecture design and review, and IDP configuration guidance through the POC
Once ready to purchase, Yubico is focused on helping agencies easily access security products and services in a flexible and cost-effective way to heighten security:
- With YubiKey as a Service, agencies can benefit from simple and scalable global deployments of YubiKeys for their workforce, supply chain, and end customers. YubiKey as a Service offers customers a choice of form factors, replacement stock, and priority customer support, all for less than the price of a cup of coffee per month.
- Customers also have access to turnkey Enrollment and Delivery services that help IT get users quickly onboarded with YubiKeys to fast track to phishing-resistance and then get YubiKeys to end users across the world, including corporate and residential addresses. Users can even experience self-service ordering of YubiKeys, giving them the freedom to have the keys shipped to their preferred address anytime they need.
- YubiKey as a Service customers receive continual enhancements to available and new services assuring a smart and future-proofed security investment.

YubiKey Capability Statement

Get the Brief