YubiKey 5 FIPS Series Gains FIPS 140-3 Validation

Yubico has announced that its next-generation YubiKey 5 FIPS Series has achieved FIPS 140-3 validation, marking a major milestone for organisations that require high-assurance authentication and compliance with modern cybersecurity standards.

The certification, published by the National Institute of Standards and Technology (NIST) under Certificate #5291, validates the cryptographic security of the YubiKey 5 FIPS Series. The devices are designed to support Zero Trust initiatives and are trusted by government agencies, defence organisations, and regulated industries worldwide.

“Yubico is setting a new standard for high-assurance authentication, combining government-grade compliance with hardware-backed passkeys,” said Albert Biketi, Chief Product and Technology Officer at Yubico.

“YubiKey 5 FIPS Series is the only authenticator authorised by the U.S. Government to hold both DoD PKI credentials and FIDO2 passkeys – giving government and regulated organisations a secure bridge to passwordless. With the transition from FIPS 140-2 to FIPS 140-3, government agencies and regulated organisations are moving to a new global standard for cryptographic security – and Yubico is leading this shift with the upgraded YubiKey 5 FIPS Series.”

For organisations that protect sensitive information, including federal agencies, defence contractors, and critical infrastructure providers, the transition to FIPS 140-3 is becoming an important compliance and security requirement.

What FIPS 140-3 Validation Means for Security Teams

FIPS 140-3 replaces the previous FIPS 140-2 standard and introduces updated requirements for cryptographic modules used in government and regulated environments.

The framework aligns closely with the international ISO/IEC 19790:2012 cryptographic standard, helping organisations establish a consistent security baseline across global operations.

The YubiKey 5 FIPS Series meets FIPS 140-3 Overall Security Level 2 and Physical Security Level 3 requirements. The devices also support compliance with NIST SP 800-63B Authenticator Assurance Level 3 (AAL3), one of the highest levels of identity assurance.

YubiKey 5 FIPS Series Targets Government and Enterprise Use

Yubico says the upgraded YubiKey 5 FIPS Series remains the only authenticator authorised by the U.S. Department of Defense to hold both DoD Public Key Infrastructure (PKI) credentials and FIDO2 passkeys on a single device.

This capability allows organisations to streamline authentication deployments while strengthening protection against phishing attacks.

Support for DoD PKI and FIDO2 Passkeys

The YubiKey 5 FIPS Series supports a broad range of authentication methods, including:

• FIDO2 and WebAuthn
• PIV smart card authentication
• OpenPGP
• OATH one-time passwords (OTP)

By combining traditional PKI authentication with modern passkeys, organisations can accelerate passwordless adoption without deploying multiple authentication devices.

Meeting Zero Trust Requirements

As organisations continue adopting Zero Trust security frameworks, phishing-resistant authentication remains a key requirement.

Hardware-backed passkeys stored on a YubiKey help eliminate credential theft risks associated with passwords, SMS codes, and many software-based authentication methods.

New Security Features in YubiKey 5 FIPS Series

The updated YubiKey 5.7.4 firmware introduces several enhancements designed for government, defence, and enterprise environments.

Stronger Cryptographic Algorithms

The upgraded platform now supports:

• RSA-3072
• RSA-4096
• Ed25519

These additions provide stronger cryptographic options and align with evolving government requirements for modern public key infrastructure.

Enhanced PIN Protection

PIN complexity is now enabled by default across FIDO2, PIV, and OpenPGP applications.

The update also introduces CTAP 2.1 improvements, including Force PIN Change and Minimum PIN Length controls, helping organisations meet stricter security policies.

Expanded Passkey Storage

Yubico has significantly increased credential storage capacity.

The YubiKey 5 FIPS Series now supports:

• Up to 100 device-bound passkeys, up from 25
• Up to 64 OATH credentials, up from 32
• Up to 24 PIV certificates

The increased capacity allows users to secure more applications and identities on a single device.

Enterprise Attestation Capabilities

Enterprise Attestation allows identity providers to retrieve unique device identifiers during FIDO2 registration.

This capability can simplify asset management and inventory tracking by enabling organisations to associate physical YubiKeys with individual users and systems.

New Secure Channel Protocol

The updated platform also introduces SCP11, a secure channel protocol based on asymmetric cryptography.

The addition strengthens secure communications between the device and management systems while supporting modern enterprise security requirements.

Available Form Factors and Compatibility

The YubiKey 5 FIPS Series will be available in multiple form factors, including:

• USB-A
• USB-C
• NFC
• Lightning
• Nano

The range is designed to support modern laptops, mobile devices, secure workstations, and closed-network environments.

Why the FIPS 140-3 Upgrade Matters

Government agencies and regulated organisations are increasingly moving toward stronger authentication controls as cyber threats continue to evolve.

The FIPS 140-3 validation of the YubiKey 5 FIPS Series provides organisations with a certified, phishing-resistant authentication solution that supports both traditional PKI deployments and modern passwordless strategies.

With support for stronger cryptographic standards, expanded passkey storage, and compliance with modern government requirements, the upgraded YubiKey 5 FIPS Series positions itself as a key authentication platform for organisations operating in high-security environments.

For more information on the YubiKeys 5 FIPS Series and 140-3 Validation, read Yubico’s blog here or visit: https://www.yubico.com/products/yubikey-fips/.

About Yubico

Yubico (Nasdaq Stockholm: YUBICO) is a modern cybersecurity company on a mission to make the digital world safer for everyone. As the inventor of the YubiKey, the company sets the gold standard for phishing-resistant, hardware-backed authentication. It helps stop account takeovers while making secure login simple.

Since 2007, Yubico has helped shape global authentication standards. It co-created FIDO2, WebAuthn, and FIDO U2F, and introduced the original passkey. Today, its technology secures people and organisations in over 160 countries. It transforms how digital identity is protected from onboarding to account recovery.

Trusted by security-conscious brands, governments, and institutions, YubiKeys work out of the box with hundreds of apps and services. They deliver fast, passwordless access without friction or compromise.

Yubico believes strong security should never be out of reach. Through its philanthropic initiative, Secure it Forward, the company donates YubiKeys to nonprofits supporting at-risk communities.

Headquartered in Stockholm, Sweden; Santa Clara, California; and Singapore, Yubico has earned recognition as one of TIME’s 100 Most Influential Companies and Fast Company’s Most Innovative Companies. Learn more at www.yubico.com.

About Cyber News Live

Stay ahead with Cyber News Live! First, we deliver real-time reporting and sharp threat intelligence. Additionally, we provide educational content for professionals, practitioners, and curious minds. From there, whether it’s breaking breach alerts or deep dives into attack vectors, we cover it all. Ultimately, our mission is clear: we make complex cyber topics understandable. And beyond that, we ensure critical knowledge stays accessible to everyone.