YubiKey Profiles

YUBIKEY FIPS

Profile for YubiKey FIPS

  • 24 PIV PKI key objects with 2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, and 20 Key Management Keys), loaded by ActivID CMS

  • PIV EP Buffer Objects

  • 1 synchronous OATH_HOTP object, loaded by ActivID CMS

  • The PIN, PIV AUTHENTICATION, CHUID and Printed Information objects are mandatory; all other objects are optional.

  • PIN: numeric only

  • The following key must be present in the HSM before the profile can be issued: YBTK_FINAL_ADMIN_KEY_9B_AES_32.

Important:
  • YubiKey 4 FIPS devices are deprecated starting with CMS 6.3.

  • If you are using an older YubiKey firmware version (earlier than 5.4), you must also add the YBTK_FINAL_ADMIN_KEY_9B_TRIPLE key to the HSM.

Note:
  • OATH application personalization is not supported on YubiKey 5, but it is supported on YubiKey 4 FIPS and YubiKey 5 FIPS devices. In all cases, OATH personalization is only available through the ActivID Authentication Server.

  • If the OATH application is not personalized by the policy, the device's native OTP slot is not removed when the device is recycled.

Supported Devices

Supported Pre-Issuance IDs

YubiKey 4 FIPS (deprecated)
YubiKey 5 & YubiKey 5 FIPS

PIV / CIV - YubiKey

PIV / CIV profile for YubiKey and YubiKey FIPS (firmware version 5.3 or higher), with OATH and FIDO support.

  • 24 PIV PKI key objects with 2048-bit or 3072-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, and 20 Key Management Keys), loaded by ActivID CMS

  • PIV EP Buffer Objects

  • OATH HOTP support

  • FIDO support

  • The PIN, PIV AUTHENTICATION, CHUID and Printed Information objects are mandatory; all other objects are optional.

  • PIN: numeric only

  • In addition to the card pre-issuance keys, the following keys must be present in the HSM before the profile can be issued. Because they are post-issuance keys, they should be generated inside the HSM:

    • MK_SD_ACE_AES_OPSC_1_ENC, _MAC, _KEK (16-byte AES keys)

    • YBTK_FINAL_ADMIN_KEY_9B_AES_32 (32-byte AES key)

Important:
  • If you are using a YubiKey FIPS with firmware version 5.7.x, you must set the minimum PIN size to 8.

  • If FIDO is enabled in the policy:

    • The FIDO PIN policy is not managed by ActivID CMS. For details about the FIDO PIN policy, refer to the YubiKey manager.

    • The FIDO application is not removed when the device is recycled. To reset the FIDO application and its PIN, you must use the YubiKey manager.

      For details about using the YubiKey manager, refer to the YubiKey documentation.

  • OATH personalization is only available through the ActivID Authentication Server.

  • If the OATH application is not personalized by the policy, the device's native OTP slot is not removed when the device is recycled.

Supported Devices

Supported Pre-Issuance IDs

YubiKey 5 & YubiKey 5 FIPS