Yubikey FIPS Support
IdExchange supports the issuance and management of the Yubikey FIPS device for organizations that require NIST SP800-63B authenticator assurance level 3 (AAL3) hardware devices. Supported operations include:
- Derivation and insertion of new secure management keys and PUK values
- Generation and loading of certificates
- Device verification and chain of custody
- Certificate renewal
- PIN change
Yubikey FIPS Device https://www.yubico.com/product/yubikey-fips/
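As an added illustration of the management-key and PUK provisioning step listed above (not IdExchange's own code; the HKDF-based derivation scheme, salt labels and use of the device serial number as the diversifier are assumptions), the following standard-library Python derives a per-device 3DES PIV management key and PUK and checks a candidate key before it is loaded onto the token:

```python
"""Per-device PIV management key / PUK derivation (assumed scheme, stdlib only)."""
import hashlib
import hmac

# Factory-default PIV management key shipped on YubiKeys. A device still using it
# has not been secured, so the check below flags it.
DEFAULT_MGM_KEY = bytes.fromhex("010203040506070801020304050607080102030405060708")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand) built from hmac/hashlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def fix_3des_parity(key: bytes) -> bytes:
    """Set each byte's low bit so the byte has odd parity, as DES key bytes expect."""
    out = bytearray()
    for b in key:
        ones_in_upper7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper7 % 2 else 1))
    return bytes(out)


def derive_management_key(master_secret: bytes, serial: int) -> bytes:
    """24-byte 3DES management key unique to one YubiKey serial (assumed scheme)."""
    info = b"piv-mgm:" + str(serial).encode()
    return fix_3des_parity(hkdf_sha256(master_secret, b"idx-mgm-salt", info, 24))


def derive_puk(master_secret: bytes, serial: int) -> str:
    """8-digit PUK for the same device, derived with its own salt/label."""
    raw = hkdf_sha256(master_secret, b"idx-puk-salt", b"piv-puk:" + str(serial).encode(), 8)
    return f"{int.from_bytes(raw, 'big') % 10**8:08d}"


def check_management_key(key: bytes) -> list[str]:
    """Return the problems found with a candidate key (empty list means acceptable)."""
    problems = []
    if len(key) != 24:
        problems.append("length must be 24 bytes for 3DES")
    if key == DEFAULT_MGM_KEY:
        problems.append("factory-default management key still in use")
    if fix_3des_parity(key) != key:
        problems.append("bytes lack odd DES parity")
    if len(key) == 24 and len({key[0:8], key[8:16], key[16:24]}) < 3:
        problems.append("repeated 8-byte thirds degrade 3DES to single or double DES")
    return problems
```

Because the key is derived rather than stored per device, an issuance system only has to protect the master secret, and the same derivation can be rerun to recover a device's key for renewal or PIN unblock.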
Yubikey FIPS Device Registration
In the demonstration below, a PIV credential holder will register their Yubikey FIPS device in accordance with the NIST 800-157 derived credential requirements. They will first authenticate with their PIV credential, secure their Yubikey device and then register the Yubikey device for approval.
Yubikey FIPS certificate collection
In the demonstration below, the PIV credential holder will load their Yubikey FIPS device with the certificate. This process occurs after the user’s supervisor has approved the user to use their Yubikey. After the certificate is loaded into the Yubikey, the user can begin using their Yubikey as an AAL3 MFA credential.
The following list provides the steps to troubleshoot common problems with the Yubikey.
Error: The Yubikey device cannot be contacted
Cause: The client software is not properly installed, not running, or not configured.
Fix: Verify that the IdExchange client software has been started and is configured with the proper domain. If the client is running and configured correctly, use the Yubikey Manager to verify that the device has been properly initialized.
Error: The Yubikey device cannot generate the key pair or will not generate the CSR.
Cause: A certificate already is in the slot or the management key is incorrect.
Fix: Verify that a certificate does not already exist in the Yubikey slot. If one does, either renew or delete it. Also, ensure the management key has been properly set for the device.
Error: The Yubikey device is not recognized by the operating system
Cause: The Yubikey driver software has not been properly installed.
Fix: Verify that the Yubikey minidriver has been installed. Also, use the Yubikey Manager to verify that the device is recognized.
Frequently Asked Questions
Q: How will the credentials be encoded onto the Yubikey?
A: The IdExchange system will instruct the Yubikey token to generate the key pairs within its FIPS 140-2 hardware chip. Next, IdExchange will send the public key to be signed by the certificate authority. Finally, IdExchange will load the certificate onto the Yubikey token to complete the credential generation process.
Q: How can I view certificates from my Yubikey?
A: The certificates can be viewed using the Yubikey utilities or the Microsoft Certificate Snap-In.
Q: Can I export my credentials to PFX?
A: No. IdExchange sets the certificate to non-exportable so that the key pair never leaves the Yubikey token.
Q: Do I need existing credentials to activate my Yubikey?
A: Yes, you must first be verified before the credentialing process takes place. Once initial verification is complete, you are granted a temporary credential that will allow you to log in and encode the Yubikey. Once the Yubikey is encoded, the Yubikey will serve as the credential.
Q: Can Yubikey replace my PIV card?
A: In PIV and PIV-I settings, the Yubikey can be issued as a derived credential to complement the PIV credential. In PIV-C, the Yubikey can serve as the main PIV credential, giving organizations the option of using a Yubikey instead of a PIV card.
Q: Do I need to install Yubikey drivers on all of the machines I use the key with?
A: Since Yubikey is based on the PIV standard, once a Yubikey is encoded with a certificate, there are no additional drivers or software to install.
Q: What if I lose my Yubikey?
A: When your Yubikey is lost, you can contact the help desk to report the lost device. When this happens, the certificates on the Yubikey are revoked so the Yubikey can no longer be used for authentication. Next, the help desk will send you a new Yubikey to be encoded.
Q: How do I set or change my PIN?
A: The IdExchange application will allow you to change your Yubikey PIN. Additionally, the Windows tools can permit a PIN Change.