5.7 Firmware Specifics — YubiKey Technical Manual documentation (2024)

  • 5.7 Firmware Specifics
  • View page source

This section provides detailed descriptions of the features enabled by the 5.7 firmware (includes 5.6.x).

  • CTAP 2.1 Feature Summary
  • FIDO2 Extensions
  • Enterprise Attestation
  • Minimum PIN Length and Minimum PIN Length Extension
  • Force PIN Change
  • Always User Validation
  • Blob Storage
  • FIDO Level 2
  • PIV Enhancements
  • PIN Complexity
  • Expanded Storage (FIDO2 and OATH)
  • Restricted NFC
  • Yubico Crypto Library

CTAP 2.1 Feature Summary

CTAP 2.1 is the evolution - and first update - of CTAP 2.0, which was introduced for FIDO2/WebAuthn several years ago. The new features enabled by CTAP 2.1 are primarily enterprise-focused, but also support new FIDO2 use cases. Yubico supported CTAP 2.1 features even before that standard was approved, for example, credential management introduced in 5.2.1 (see Managing Credentials) and uvRetries introduced in 5.5.0.

In firmware 5.7 the PIV and OpenPGP applications both support unicode PINs, as well as counting each unicode code point as a single character.

These CTAP 2.1 features are also available in the Security Key series for FIDO-only deployments (see Security Key Series).

CTAP 2.1 support gives organizations:

  • Improved control of the CTAP 2.1 authenticators they have deployed
  • Ability to list compliance requirements such as:
    • Permissible authenticators
    • PIN requirements
  • More granular control of the end user experience
  • Additional capabilities for CMS vendors through the storage of additional data, etc.:
    • To configure authenticators
    • To manage the authenticator lifecycle
  • Management beyond the scope of FIDO2, through the ability to associate the FIDO2 credentials on the authenticator with other credentials on other protocols, such as certificates on the PIV module.

FIDO2 Extensions

FIDO2 Extensions Available per Firmware Version
New Capabilities

YubiKey 5



Key Series


Key Series



PIN Management Flexibility

Temporary FIDO2 PIN can be set

(forces user to change upon next use)

Configure FIDO2 minimum PIN lengthYesYesYes
Enhanced Asset Tracking

Capable of Enterprise Attestation

(requires custom configuration)


Serial number retrievable by client

software in Windows without Admin rights


Also applies

to earlier




New in 5.7

Enhanced Smart Card Capabilities (PIV)
RSA-3072 and RSA-4096 supportYes
Ed25519 and X25519 key typesYes
Future-proofed for Compliance
Enhanced PIN complexity









Default minimum PIN length of 6Yes
Enhanced Credential Storage
Support for 100 passkeysYesYesYes
Support for 24 PIV certificatesYes
Support for 64 OATH credentialsYes
Support for 2 OTP seedsYes

Enterprise Attestation

Enterprise Attestation (EA) enables Identity Providers (IdPs) to read the serial number (or other unique identifier specific to the organization) on custom-programmed keys during FIDO2 registration. This satisfies a variety of asset tracking requirements, and can aid in account recovery by enabling an end user to prove they have a specific FIDO2 device. In addition to support from the Relying Party (RP) and/or IdP, EA requires platform support (see Current Platform/RP Support).

EA’s ability to identify individual authenticators as opposed to just the type of authenticator changes the privacy model of the FIDO protocol, making the FIDO credential behave more like a certificate. Typical use-cases are:

  • Tracking of individual authenticators on registration to ensure only authenticators issued by the organization are used. This resolves a common compliance requirement that previously could only be solved by policy or by custom AAGUIDs.
  • If the organization knows what serial number a user was issued but does not see it registered or did not register it on the user’s behalf, the organization can take appropriate steps to help the end user register their authenticator. This will help organizations roll out phishing-resistant MFA.
  • Tying the FIDO credential to a PIV certificate by matching serial numbers (or other device-specific information) between the FIDO2 EA certificate and the PIV Attestation certificate.
  • Identify individual authenticators in troubleshooting scenarios. When a key is lost or broken, a user can be guided by an IT admin who knows what authenticator holds which credential. The admin can advise which key is being used and which should be de-activated. The serial number of a back-up authenticator can be identified, too.

Developers seeking more information can refer to Enterprise Attestation on developers.yubico.com.

Current Platform/RP Support

At present, few RPs support EA; however there is platform support for it in Chrome and some Chromium based browsers. Windows 11 is required on Windows platforms.

CMS vendor support for EA is currently a little sparse; however, that is rapidly changing.

Minimum PIN Length and Minimum PIN Length Extension

minPINLength enables the minimum PIN length to be set on an authenticator. The minPINLength needs to be set locally by a client tool such as YubiKey Manager/ykman. Once set, it cannot be shortened without resetting the authenticator.

minPINLengthExtension enables IdPs to support FIDO registration self-enrollment processes by enforcing the configured minimum PIN length. The Relying Party (RP), if configured via an allowed list configured on the YubiKey, is enabled to query the minPINLength of the authenticator.

This extension resolves compliance requirements for organizations that need to enforce use of specific PIN lengths. Before 5.7, this was only possible through the deploymnent of YubiKey 5 FIPS Series (authenticators certified for FIPS 140-2 has a minimum PIN length of 6) or custom configuration, in which there were no checks the RP could perform unless the authenticator had a custom AAGUID.

Current Platform/RP Support
No current RP supports this feature, however there is platform support for it in Chrome and some Chromium based browsers. Windows 11 is required on Windows platforms.

Force PIN Change

Force PIN change or forcePINChange (FIDO 2.1 specification) enables vendors or IT admins to prompt end-users to change their FIDO2 PIN. This is valuable in a pre-registration/enroll on behalf of scenario where the organization does not want to know their end users’ PINs. End-users are prompted to set their own PIN (may be combined with minPINLength), i.e. a PIN not known by the organization.

This feature also minimizes the number of helpdesk calls due to forgotten PINs because end-users can set PINs that are meaningful to them.

Current Platform SupportForce PIN change only requires support on the platform, and can only be set by communicating with the YubiKey directly. Chrome and some Chromium-based browsers support it. Windows 11 is required on Windows platforms.

There is no need for explicit RP support, the force PIN change (forcePINChange) flag is set on the client/platform side, which is where it will trigger the flow.

Always User Validation

alwaysuv was introduced to prompt users for user verification (UV) each time, which provides consistency in behavior between different platforms and RPs. End-users are often confused because the setting uv=preferred/discouraged behaves differently depending on whether the user is on a macOS or a Windows machine.

This feature is enabled by default in the YubiKey Bio: it always asks for biometrics and never “plain touch” in a second factor flow when UV is not necessarily required. Otherwise an end user might touch the fingerprint sensor with an unenrolled finger and successfully authenticate when only performing User Presence (UP), therefore thinking they “bypassed the biometrics” or that the biometric sensor was faulty, allowing an unenrolled finger to authenticate.

An organization might want to enable it so that users always enter their PIN, ensuring they are less likely to forget it.

Current Platform/RP Support
This setting is internal to the authenticator and requires no specific platform or RP support.

Blob Storage

There are two blob storage options available on the YubiKey 5.7. Both Credential Blobs and Large Blobs require support on the platform as well as from the RP.

Credential Blob

A credBlob is 32 bytes of unencrypted storage per credential that can be set during registration and retrieved during authentication for discoverable credentials. This feature allows for a small amount of secret data to be associated with a discoverable credential during makeCredential. The blob is opaque to the authenticator. This enables IdPs to include a small amount of information such as a certificate thumbprint to aid in authentication scenarios. PII can be stored in this field if it is used with credProtect.

There is a great variety of use cases, as the credBlob enables storage of arbitrary data. For example, it can:

  • Be used as HPKP-like public key hash to identify, e.g., kerberos certificates to trust when using a given credential (“on prem AD”).
  • Provide information about the issuance of the specific credential.

Large Blob

authenticatorLargeBlob storage is 4096 bytes of compressed, shared storage on the authenticator. It is managed by the platform, and is always encrypted with the Large Blob Key - a per-credential symmetric encryption key that is used by the platform to read the contents of the large blob. Large blobs can be used for storing authentication certificates or other artifacts linked to the private FIDO2 key stored on an authenticator.

The large blob feature allows for a “large” amount of data to be added to a discoverable credential upon creation. The typical use case of this is a public SSH key.

Creating an SSH key using a discoverable FIDO2 credential enables the authenticator to be hardware-bound and perform SSH authentications using a key stored in the FIDO2 applet.

With the addition of large blob the user can take the authenticator to a new machine without needing to copy the public part to the new client machine.

Any other data can be associated with the key, such as linkage to a PIV certificate or details on the creation of the credential.

Note that a largeBlobKey is necessary to decrypt the data in the Large Blob.

FIDO Level 2

YubiKey 5.7 will undergo FIDO Level 2 certification for assurance of attestable hardware-bound credentials. This enables YubiKeys for use with e-government use cases (citizen-facing) and corporate compliance mandates that require FIDO L2 certification.

PIV Enhancements

Additional Key Types Supported

In accordance with the August 2023 Department of Defense memo on stronger public key algorithms, the 5.7.x firmware supports RSA-3072 and RSA-4096.

In addition, the 5.7.x firmware also supports the Ed25519 and X25519 key types.

PIV Management Key (AES)

Given that after December 31, 2023, three-key TDEA is disallowed for encryption unless specifically allowed by other NIST guidance (decryption using three-key TDEA is allowed for legacy use) the default management key with the 5.7.x firmware uses AES-192 instead of TDES. The management key uses the same default value as previous keys (TDES and AES-192 keys are the same length. If you need to know what these values actually are, go to the “General Information” section in the “Yubico PIV Tool” guide on our developers’ site).

Prior to the release of the 5.4.2 firmware, the PIV management key was a TDES key. This feature expanded the management key type held in PIV slot 9b to include AES keys (128, 192 and 256) as defined in SP 800-78-4 Cryptographic Algorithms and Key Sizes for Personal Identity Verification <SP800-78-4, section 5). The PIV management key in AES format enables current and future FIPS-compliant CMS services.

For additional technical information, see PIV AES Management Key in Smart Card (PIV Compatible).

Advanced Key Management Functions

With the 5.7.x firmware, the PIV application supports advanced key management functions such as moving and deleting keys:

  • The ability to move keys enables retaining retired encryption keys on the device to decrypt older messages.
  • The ability to delete keys enables destroying key material without overwriting with bogus data or resetting the PIV application.

Generate a New Key Pair

The four new algorithms (alg) that can be used for key generation are:

  • RSA-3072 (0x05)
  • RSA-4096 (0x16)
  • Ed25519 (0xE0)
  • X25519 (0xE1)

For more information, see Generate asymmetric key pair.

Import a Key

The four new algorithms (alg) that can be used for key import are:

  • RSA-3072 (0x05)
  • RSA-4096 (0x16)
  • Ed25519 (0xE0)
  • X25519 (0xE1)

For more information, see Import asymmetric key pair.

Below is the updated list of tags for the import data. Values followed by an asterisk (*) are new for firmware 5.7.

List of Tags for Import Data
AlgorithmsKey ElementTag

RSA-1024 (0x06)

RSA-2048 (0x07)

RSA-3072 (0x05)*

RSA-4096 (0x16)*

prime P0x01
prime Q0x02
prime p exponent dP0x03
prime q exponent dQ0x04
CRT coefficient QInv0x05

ECC-P-256 (0x11)

ECC-P-384 (0x14)

private value s0x06
Ed25519 (0xE0)*seed0x07*
X25519 (0xE1)*seed0x08*

Move a Key

Keys can be moved from any slot except F9 (attestation) to any other slot except F9 using the instruction 0xF6.

Moving a Key
P1Destination slot
9A, 9C, 9D, 9E,
82, 93, 84, 85, 86, 87, 88, 89, 8A, 8B, 8C, 8D, 8E, 8F,
90, 91, 92, 93, 94, 95
P2Source slot
9A, 9C, 9D, 9E,
82, 93, 84, 85, 86, 87, 88, 89, 8A, 8B, 8C, 8D, 8E, 8F,
90, 91, 92, 93, 94, 95

Delete a Key

Any key can be deleted from any slot, including F9 (Attestation) using the instruction 0xF6 with a value of 0xFF for P1.

Deleting a Key
P2Source slot
9A, 9C, 9D, 9E,
82, 93, 84, 85, 86, 87, 88, 89, 8A, 8B, 8C, 8D, 8E, 8F,
90, 91, 92, 93, 94, 95

YubiKey PIV Metadata

YubiKey 5 PIV metadata enables services and client software to obtain information about PIV keys from a central location, which means it is no longer necessary to query PIV attestation. The YubiKey PIV application can therefore report on characteristics of cryptographic keys in the specified PIV slot. Integration with CMS vendors is thus facilitated by YubiKey PIV metadata.

PIV metadata is available with the 5.3.0 firmware. For details, see the Get Metadata section of the PIV extensions.

PIN Complexity

PIN Complexity is available on YubiKeys with firmware version 5.7.0 and later.


The PIN complexity feature is available only with custom configuration, specified before you order keys.

This feature prevents users from adopting simple patterns or common PINs, and thereby significantly reduces the risk of users setting easily guessable PINS on their devices.

When PIN complexity is enabled:

  • It applies to all the applications on the YubiKey that process PINs.

  • The PINs for the different applications are all still separate and distinct, but they will all follow the same set of rules.

  • It is applied to PINs for the following protocols on the YubiKey:

    • FIDO2
      • PIN
    • PIV
      • PIN
      • PUK
    • OpenPGP
      • user PIN
      • admin PIN
      • reset code
    • yubihsm-auth
      • credential PINs
      • YubiKey access codes
    Unicode Characters

    In firmware 5.7, the support for Unicode PINs has been extended to include the PIV and OpenPGP applications. Each unicode code point is counted as a single character.

    PIN Blocking

    The PINs that will be blocked are those that:

    • Are less than 6 characters
    • Contain only one unicode character, e.g. 111111
    • Are on the following blocklist:
      • 123456
      • 123123
      • 654321
      • 123321
      • 112233
      • 121212
      • 123456789
      • password
      • qwerty
      • 12345678
      • 1234567
      • 520520
      • 123654
      • 1234567890
      • 159753
      • qwerty123
      • abc123
      • password1
      • iloveyou
      • 1q2w3e4r

Expanded Storage (FIDO2 and OATH)

The FIDO2 and OATH applications both have increased storage capacity. FIDO2 has been increased to 100 discoverable credentials (aka Passkeys), and OATH storage has been increased to 64 seeds. As before, all storage limits are per-application, so users can store data up to the maximum for each application simultaneously for a potential total of 190 credentials:

  • Up to 100 passkeys
  • 24 PIV certificates (limited by overall memory used)
  • 64 OATH seeds
  • 2 OTP seeds

Restricted NFC

Restricted NFC mode prevents wireless device manipulation before a YubiKey NFC with the 5.7 firmware is taken out of its blister pack or other packaging such as a tray. To ensure that these keys cannot be tampered with during shipping, this mode is enabled by default on new NFC keys with the 5.7 firmware.

When these keys are taken out of their packaging, the only permitted action via the NFC connection is reading the URL configured by Yubico on the NDEF tag set by Yubico. Because both major mobile OSs read NDEF tags and open URLs by default, users immediately learn how to disable Restricted NFC mode. The NDEF tag is set to https://www.yubico.com/getting-started/.

When tapped against a mobile device, a YubiKey 5.7 NFC will cause the browser to open to the configured URL with the instructions for enabling full NFC operation. The end user is instructed to plug the key into USB power such as a USB charger or computer USB port for 3 seconds. This action is sufficient to disable Restricted NFC mode. The user can re-enable the restriction as often as they desire using the Yubico Authenticator or the YubiKey Manager/ykman.

Yubico Crypto Library

Over the past few years Yubico has developed a library in-house that performs the underlying cryptographic operations (encryption, signing, etc.) for RSA and ECC.

Click for Yubico Support.

Cookies | Privacy Policy

5.7 Firmware Specifics — YubiKey Technical Manual  documentation (2024)


What is the YubiKey technical detail? ›

The YubiKey is designed to attach to a standard “Type A” port. The YubiKey is a “low speed” USB device (1.5 MBit/s) which conforms to the USB 2.0 specification. The YubiKey emulates an USB HID keyboard and also works in pre-boot settings.

How to check YubiKey firmware version? ›

The quickest and most convenient way to determine your device's firmware version is to use either the Yubico Authenticator or the YubiKey Manager tool (ykman), a lightweight software package installable on many OS. The YubiKey Manager has both a graphical user interface (GUI) and a command line interface (CLI).

Can YubiKey firmware be updated? ›

Existing YubiKey hardware cannot be updated with the new 5.7 firmware for security reasons, so users will need to purchase new keys (which currently start from $25 for the Security Key NFC) to benefit from the upgraded protections.

What is the FIDO2 protocol on the YubiKey? ›

The FIDO2 standard offers the same high level of security as FIDO U2F, since it is based on public key cryptography. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey allows for the storage of resident credentials, also called discoverable credentials.

What is the life expectancy of a YubiKey? ›

A Yubikey will essentially last forever, and if you stay clear of the insanity that is Passkeys its Webauthn element can support an infinite number of websites. Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. My Yubikey has USB and NFC, so it can trivially be used with all of them.

What is the secret key for YubiKey? ›

A Yubico OTP (one-time password) is a unique 44-character string that is generated by the YubiKey when it is touched (while plugged into a host device over USB or Lightning) or scanned by an NFC reader.

Is YubiKey firmware open source? ›

Most of the code that runs on a YubiKey is closed source.

How do I check my firmware status? ›

How to Find Your Firmware Revision for Windows ®
  1. Click on the Start menu.
  2. Open Control panel> System> Hardware.
  3. Select Device Manager.
  4. Expand Disk drives.
  5. Right-click on the drive and select Properties.
  6. Select the Details tab and select Hardware lds from the drop down menu.

How do you test if YubiKey is working? ›

This application allows you to test and verify that you have a genuine YubiKey, and that it is functioning as designed. Insert your security key, click verify device and follow the instructions.

Should you leave your YubiKey plugged in all the time? ›

Do I need to keep my yubikey plugged in all the time? A. No, you only need to insert your yubikey when you are prompted to do so during login. Leaving it plugged in could result in the yubikey being lost or damaged.

Which YubiKey is most secure? ›

The YubiKey 5 FIPS certified security keys meet the highest level of assurance (AAL3) of the new NIST SP800-63B guidelines.

How many times can a YubiKey be used? ›

OATH-TOTP - the YubiKey 5's OATH application can hold up to 32 OATH-TOTP credentials (AKA authenticator codes). OTP - this application can hold two credentials, can be registered with an unlimited number of services.

Can FIDO2 be hacked? ›

Hardware Authentication Keys

FIDO 2 is a passwordless standard that is easy to use, and very secure. It uses public key cryptography, which makes it virtually impossible for a hacker to find a way to access your account.

What is the difference between YubiKey and FIDO2? ›

Yubikey is a physical authentication device that plugs into a computer or mobile device and uses one-time passwords for authentication. U2F (Universal 2nd Factor) is an open authentication standard developed by the FIDO Alliance, which allows users to securely log into websites and apps with a single tap or click.

What is the default PIN for YubiKey FIDO2? ›

A YubiKey can have up to three PINs - one for its FIDO2 function, one for PIV (smart card), and one for OpenPGP. The PIV and OpenPGP PINs are set to 123456 by default, but there is no FIDO2 PIN set from the factory.

How does YubiKey actually work? ›

The YubiKey is a device that makes two-factor authentication (2FA) as simple as possible. Many apps, online services, and computers enforce 2FA every time a user wants to connect. Instead of a code being texted to you or generated by an authenticator app, you press a button on your YubiKey, and you're logged in.

What is the working principle of YubiKey? ›

The YubiKey supports one-time passcodes (OTP)

The YubiKey communicates via the HID keyboard interface, sending output as a series of keystrokes. This means OTP protocols can work across all OSs and environments that support USB keyboards, as well as with any app that can accept keyboard input.

How does a YubiKey show up in Device Manager? ›

Connect your YubiKey to your computer. Open up Device Manager. Locate the YubiKey smart card entry - it will be labeled Identity Device (NIST SP 800-73 [PIV]).

What is the difference between YubiKey and Security Key? ›

The Security Key Series differs from a YubiKey 5 Series in that it comes only with the FIDO (FIDO2/FIDO U2F) protocol and the non-Enterprise Edition does not have a serial number. It is only available in USB-A + NFC and USB-C + NFC form factors.

Top Articles
Latest Posts
Article information

Author: Fredrick Kertzmann

Last Updated:

Views: 6128

Rating: 4.6 / 5 (66 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Fredrick Kertzmann

Birthday: 2000-04-29

Address: Apt. 203 613 Huels Gateway, Ralphtown, LA 40204

Phone: +2135150832870

Job: Regional Design Producer

Hobby: Nordic skating, Lacemaking, Mountain biking, Rowing, Gardening, Water sports, role-playing games

Introduction: My name is Fredrick Kertzmann, I am a gleaming, encouraging, inexpensive, thankful, tender, quaint, precious person who loves writing and wants to share my knowledge and understanding with you.