Yubico announced that its YubiKey 5 FIPS Series has achieved FIPS 140‑3 validation (Certificate #5291) from NIST. The certification positions the hardware token as the only authenticator authorized by the U.S. Department of Defense to hold both DoD PKI credentials and FIDO2 passkeys, a distinction aimed at organizations that must meet modern Zero Trust and compliance mandates.
Yubico Announces FIPS 140‑3 Validation for YubiKey 5 FIPS Series
The company disclosed that the upgraded YubiKey 5 FIPS Series now meets FIPS 140‑3 Overall Level 2 with Physical Security Level 3. Validation was issued under Certificate #5291 and aligns with ISO/IEC 19790:2012. Yubico’s chief product and technology officer, Albert Biketi, said the device is “the only authenticator authorized by the U.S. Government to hold both DoD PKI credentials and FIDO2 passkeys,” enabling a single hardware token to support FIDO2/WebAuthn, PIV/Smart Card, OpenPGP, and OATH OTP.
Technical Enhancements in the New Firmware
The YubiKey 5 FIPS Series ships with firmware 5.7.4, adding several security‑focused features:
- Support for larger RSA keys (RSA‑3072, RSA‑4096) and Ed25519, meeting DoD memo requirements for stronger public‑key algorithms.
- Restricted NFC usage during transit to prevent manipulation.
- Default enhanced PIN complexity across all applications, including FIDO2, PIV, and OpenPGP.
- CTAP 2.1 improvements such as Force PIN Change and Minimum PIN Length for “enroll on behalf” scenarios.
- Expanded storage: up to 100 device‑bound passkeys (vs. 25), 64 OATH seeds (vs. 32), and 24 PIV certificates.
- Enterprise attestation that exposes a unique serial number during FIDO2 registration for asset tracking.
- New secure channel protocol SCP11 based on asymmetric cryptography.
Form factors include USB‑A, USB‑C, NFC, Lightning, and Nano, ensuring compatibility with laptops, mobile devices, and closed‑network environments.
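The enterprise attestation and PIN-policy features above are consumed on the relying-party side at FIDO2 registration. As an added example (not code from the article or from Yubico), the following parses the WebAuthn authenticatorData a token returns during registration, checks that user verification (PIN) was performed, and enforces an AAGUID allow-list for asset tracking; the AAGUID and sample bytes are constructed placeholders, and the serial number itself lives in the attestation certificate, which this example does not parse.

```python
# Added example (not from the article or Yubico): parse the WebAuthn
# authenticatorData returned at FIDO2 registration and enforce an
# AAGUID allow-list, the kind of check a relying party doing asset
# tracking with enterprise attestation would run. The AAGUID values
# below are constructed placeholders, not real YubiKey identifiers.
import struct
from dataclasses import dataclass

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested cred data

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes
    credential_id: bytes

def parse_auth_data(data: bytes) -> AuthData:
    """Decode the 37-byte fixed header plus attested credential data (WebAuthn 6.1)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37-byte header")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data in registration")
    aaguid = data[37:53]
    (cred_len,) = struct.unpack(">H", data[53:55])
    cred_id = data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credentialId")
    # The CBOR credentialPublicKey follows credentialId; it is not needed for this check.
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)

def registration_ok(data: bytes, allowed_aaguids: set, require_uv: bool = True) -> bool:
    """Accept only allow-listed authenticator models that performed user verification."""
    ad = parse_auth_data(data)
    if require_uv and not ad.flags & FLAG_UV:
        return False
    return ad.aaguid in allowed_aaguids

# Constructed sample: rpIdHash, flags UP|UV|AT, counter 1, placeholder AAGUID, 4-byte credentialId.
PLACEHOLDER_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE = (b"\x11" * 32 + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 1)
          + PLACEHOLDER_AAGUID + struct.pack(">H", 4) + b"\xde\xad\xbe\xef")
SAMPLE_NO_UV = (b"\x11" * 32 + bytes([FLAG_UP | FLAG_AT]) + SAMPLE[33:])
```

In a real deployment the allow-list would hold the AAGUIDs published in the FIDO Metadata Service for the approved token models, and the attestation statement's certificate chain would be verified before the AAGUID is trusted.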
Relevance for Regulated Enterprises and Government Agencies
The validation addresses a “foundational requirement” for U.S. federal agencies, defense contractors, and other regulated industries transitioning from FIPS 140‑2 to FIPS 140‑3. By combining DoD PKI and FIDO2 capabilities in a single token, Yubico claims the YubiKey 5 FIPS Series can simplify deployments while maintaining compliance with NIST SP 800‑63B Authenticator Assurance Level 3 (AAL3). The device’s high‑assurance level and expanded algorithm support are intended to meet the security baselines of organizations operating in the most demanding environments.
Key Takeaways
- Yubico’s YubiKey 5 FIPS Series achieved FIPS 140‑3 validation (Certificate #5291) and meets Overall Level 2 with Physical Security Level 3.
- It is the only authenticator authorized by the U.S. Department of Defense to hold both DoD PKI credentials and FIDO2 passkeys.
- Firmware 5.7.4 adds larger RSA key support, enhanced PIN policies, expanded passkey storage, and enterprise attestation for asset tracking.
TechInsyte's Take
The FIPS 140‑3 validation gives security‑focused enterprises a hardware token that satisfies both legacy PKI and modern passwordless requirements, potentially reducing the number of devices needed for compliance. Buyers should verify that the expanded algorithm support aligns with their internal policies and assess whether the new attestation features simplify their asset‑management workflows. Ongoing monitoring of any future firmware updates will be important to maintain the validated security posture.
Source: Businesswire