Understanding FIPS 140-3: Looking Beyond the Certification Badge

DT Asia congratulates our technology partner, Yubico, on the FIPS 140-3 validation of the YubiKey 5 FIPS Series and YubiHSM 2 FIPS. This achievement reflects Yubico’s continued commitment to delivering trusted authentication solutions that meet stringent security requirements.

As FIPS 140-3 becomes an increasingly important requirement for organizations in regulated industries, this milestone is also a good opportunity to revisit two commonly overlooked aspects when evaluating FIPS authentication solutions.

1. What Is Actually Validated?

When a product is advertised as FIPS certified, it is important to understand exactly what has been validated.

The scope of FIPS validation can vary between vendors. Some authentication token manufacturers certify only the secure element, allowing authentication applications and firmware to be updated independently without affecting the core certification.

For the YubiKey 5 FIPS Series, Yubico takes a broader approach. Its FIPS 140-3 validation covers the complete cryptographic module, including:

  • FIDO
  • PIV-compatible Smart Card
  • OpenPGP
  • OATH
  • YubiHSM Auth

Understanding the certification scope helps organizations determine which security functions are actually covered by the validation, rather than assuming all components are included.

2. What Does the FIPS Level Actually Mean?

Another point that is often misunderstood is the meaning of the FIPS security level.

FIPS 140-3 evaluates several security domains, including physical security, authentication mechanisms, lifecycle assurance, and other security requirements. Each domain is assessed individually.

The overall validation level is determined by the lowest score achieved across these evaluated domains.

As a result, two products that are both advertised as FIPS Level 3 may still have different security profiles depending on how they perform in each individual category.

For organizations evaluating authentication solutions, looking beyond the overall level provides a clearer understanding of the product’s security capabilities.

Looking Beyond “FIPS Certified”

As FIPS 140-3 continues to become a baseline requirement, organizations should ask more than simply whether a product is FIPS certified.

Instead, consider asking:

  • What exactly is covered by the validation?
  • What does the certification level actually tell you about the product?

These questions can help organizations make more informed decisions when selecting authentication solutions that align with their security and compliance requirements.

If you would like to learn more about FIPS-validated authentication solutions or discuss your security requirements, feel free to contact DT Asia at business@dtasiagroup.com.

Shopping Cart
Scroll to Top