Yubico wins FIPS 140-3 nod for YubiKey 5 FIPS Series
Thu, 28th May 2026
Yubico has received FIPS 140-3 validation for the latest version of its YubiKey 5 FIPS Series. The device is listed by the US government as the only authenticator authorised to hold both DoD PKI credentials and FIDO2 passkeys.
The validation appears under Certificate #5291 from the National Institute of Standards and Technology and marks the latest certification milestone for the security key maker as government agencies, defence contractors and regulated industries move from FIPS 140-2 to FIPS 140-3.
FIPS 140-3 is the current US standard for cryptographic modules and is more closely aligned with the international ISO/IEC 19790:2012 standard. The upgraded YubiKey 5 FIPS Series meets FIPS 140-3 Overall Level 2, with Physical Security Level 3, and can support compliance with NIST SP 800-63B Authenticator Assurance Level 3 requirements.
The update is aimed at organisations that need to protect sensitive information while meeting formal security and compliance requirements, including federal bodies, defence organisations and businesses in tightly regulated sectors.
A key distinction is approval to store both Department of Defense public key infrastructure credentials and FIDO2 passkeys on the same device. This allows a single hardware token to support both legacy smart card-based authentication and newer passwordless login methods.
The YubiKey 5 FIPS Series supports FIDO2 and WebAuthn, PIV smart card authentication, OpenPGP and OATH one-time passwords. Yubico is positioning the range as a bridge for organisations shifting from traditional identity systems to passkey-based authentication.
Product changes
The updated range runs on YubiKey 5.7.4 firmware and includes several changes for regulated environments. These include support for larger RSA-3072 and RSA-4096 key sizes, as well as Ed25519, broadening the set of public key algorithms available to customers.
Other updates include restricted NFC use during transit on NFC-enabled models, a measure intended to prevent manipulation before deployment. Stronger PIN complexity settings are also enabled by default across FIDO2, PIV and OpenPGP applications.
Yubico has implemented CTAP 2.1 in the new series, adding FIDO2 PIN controls such as Force PIN Change and Minimum PIN Length. According to the company, these features address requirements in enrolment scenarios where credentials may be set up on behalf of end users.
Storage limits have also increased. The devices can now hold up to 100 device-bound passkeys, up from 25, along with 64 OATH seeds, up from 32, and 24 PIV certificates.
Another addition is enterprise attestation, which allows identity providers to retrieve unique identifiers during FIDO2 registration and read the key's serial number at that stage. Yubico said this can simplify asset tracking for organisations managing large fleets of authentication devices.
The company has also added SCP11, a secure channel protocol based on asymmetric cryptography. The product line will be offered in USB-A, USB-C, NFC, Lightning and Nano formats to support a range of laptops, mobile devices and closed-network environments.
Security hardware vendors have been adapting their products as buyers respond to phishing threats, tighter compliance obligations and a broader shift towards passkeys. In this market, certification status can carry weight because agencies and regulated businesses often require formal validation before approving products for internal use.
Yubico, which is listed on Nasdaq Stockholm, has built its business around physical authentication keys and has worked on standards including FIDO2, WebAuthn and FIDO U2F. Its products are used in more than 160 countries, according to the company.
Albert Biketi, Yubico's chief product and technology officer, said the certification reflects demand from government and regulated organisations for compliant, hardware-backed passwordless authentication.
"Yubico is setting a new standard for high-assurance authentication, combining government-grade compliance with hardware-backed passkeys. YubiKey 5 FIPS Series is the only authenticator authorised by the U.S. Government to hold both DoD PKI credentials and FIDO2 passkeys, giving government and regulated organisations a secure bridge to passwordless. With the transition from FIPS 140-2 to FIPS 140-3, government agencies and regulated organisations are moving to a new global standard for cryptographic security, and Yubico is leading this shift with the upgraded YubiKey 5 FIPS Series," Biketi said.