The U2F Garden

Yubikey 5 FIPS Series

The Yubikey 5 family in a FIPS-validated configuration, for United States federal agencies and regulated industries.

FIDO2 Certification

Certified by the FIDO Alliance as conforming to FIDO2 standards

FIDO L2 Certification

Certified by the FIDO Alliance to meet L2 Security Standards

FIPS 140-2 Validated

Validated against FIPS 140-2 by NIST. Required for many United States federal use cases.

HOTP passwords

Supports HMAC-based One-Time Password (HOTP) generation

Management Application

Vendor provides applications that extend or configure the device

Android management application

Management application runs on Android smartphones with appropriate hardware (NFC, BLE, etc.)

MacOS management application

Management application runs on MacOS

Windows management application

Management application runs on Windows

Resident Cryptographic Keys

Supports WebAuthn discoverable resident credentials, the building block of passkeys

Resident ECDSA keys

Supports ECDSA discoverable keys

Resident ED25519 keys

Supports ED25519 discoverable keys

PKCS#11 SmartCard

Conforms to PKCS#11 SmartCard interface standards

Stored passwords

Supports stored, static passwords, usually configured with a vendor-specific application

Timed OTP passwords

Supports Time-based One-Time Password (TOTP) generation

U2F Authentication

Conforms to the U2F Authenticator and WebAuthn standards

YubiOTP

Enables use of Yubico YubiOTP one-time-passwords

The Yubikey 5 FIPS Series is the same hardware as the standard Yubikey 5 family, configured and validated for FIPS 140-2. It is sold as 5 NFC FIPS, 5C NFC FIPS, 5C FIPS, 5 Nano FIPS, 5C Nano FIPS, and 5Ci FIPS, matching the standard lineup variant for variant.

The FIPS validation under 140-2 carries through May 2026. Yubico has submitted the series for FIPS 140-3 Level 2 validation with Physical Level 3, expected to clear in the second quarter of 2026.

When you actually need this

You need FIPS validation if you are a United States federal agency, a contractor working with one, a healthcare organisation under specific HIPAA configurations, or a financial services firm operating under one of the regulators that has adopted FIPS as a requirement. Most other users do not benefit from the FIPS series and should buy the standard line.

The FIPS series currently runs on firmware 5.4, which means a noticeably smaller discoverable credential capacity than the 5.7 firmware on the standard line. The 5 FIPS series stores around 25 passkeys per key, where the current 5 series stores around 100. If you are operating in a passkey-heavy environment, this matters.

EUCLEAK

The 5 FIPS series is in scope for EUCLEAK. Firmware 5.7 contains the fix. See the Yubikey 5 entry for the wider context. Yubico has guidance for FIPS customers about replacement for the affected production runs.