
Congrats to our partner, Yubico, on the YubiKey 5 FIPS Series & YubiHSM 2 FIPS achieving FIPS 140-3 validation!
This milestone is a good moment to revisit 2 often-missed points when evaluating FIPS authentication:
1️⃣ What’s actually validated?
Scope varies. Some token vendor focus on certifying the secure element only while allowing auth apps and firmware flexibility to be updated without affecting the core certification.
For YubiKey 5 FIPS Series, Yubico’s FIPS 140-3 validation covers the full cryptographic module — including FIDO, PIV-compatible Smart Card, OpenPGP, OATH, and YubiHSM Auth.
2️⃣ What does the level mean?
FIPS 140-3 rates domains like physical security, auth, lifecycle assurance separately. The overall level = lowest individual score. So two “Level 3” products can have very different security profiles.
As FIPS 140-3 becomes a baseline requirement, the question isn’t just “Is it FIPS certified?” but:
✔️ What exactly is covered?
✔️ What does the level actually tell you?
What else do you look for in FIPS-certified auth?
If you’d like to learn more or discuss further, feel free to reach out to us at business@dtasiagroup.com.









