YubiKey 5 CCN (ENS High): What It Means for the Public Sector in Spain
Introduction
In the Spanish public sector, authentication is no longer just a technical decision: it's a compliance requirement. The rise in phishing attacks, credential theft, and unauthorized access has driven the adoption of strong authentication and spoofing-resistant mechanisms.
In this context, the YubiKey 5 CCN with ENS Alta certification stands out as a hardware key evaluated and referenced by the National Cryptologic Center (CCN) , which facilitates its adoption in public bodies, critical infrastructures and providers that work with the Administration.
What is the YubiKey 5 CCN?
The YubiKey 5 CCN is a hardware security key designed for multi-factor authentication (MFA) and strong authentication. In practical terms, it acts as a second, cryptographically based factor that the user must physically possess to complete access.
The main difference compared to a non-certified key is not only the hardware: it is the evaluation and qualification within the CCN processes for its use in environments regulated by ENS.
Hardware-based strong authentication: why it matters
A hardware key uses public-key cryptography: the private key remains protected within the device and is never exposed. This drastically reduces the risk of credential theft and man-in-the-middle attacks.
Furthermore, in scenarios compatible with modern standards such as FIDO/WebAuthn, the key validates the service context—for example, the domain—before responding, which mitigates phishing attacks even when the attacker knows the password.
What does "CCN" mean and why is it relevant?
In Spain, the CCN (National Cryptologic Center) is the reference body for criteria, guidelines, and validation of security products in the public sector. A solution with CCN assessment is better aligned with the frameworks required in tenders, audits, and compliance reviews.
CCN certification and inclusion in the CPSTIC catalog
The CPSTIC (Catalog of STIC Products and Services) is the CCN's inventory of products and services evaluated for use in the public sector. An update to the CPSTIC was published in February 2026, listing the YubiKey 5 CCN Series as an added product.
For those responsible for security and public procurement, this provides a practical advantage: the solution is officially referenced , facilitating technical justification in files and audits.
Lynx Assessment
The LINCE methodology is an assessment and certification framework developed by the CCN for ICT security products. The YubiKey 5 CCN has obtained a "High" rating in the CPSTIC after evaluation under this methodology.
ENS Alto: what it means in practice
The National Security Framework (ENS) defines measures and controls to protect information and services in the public sector. In high-level systems, the bar is raised in controls such as authentication, access management, and the use of cryptographic components.
In particular, the CCN guidelines for the implementation of the ENS contemplate the use of hardware cryptographic elements in High level contexts.
Impact on the public sector in Spain
- Administrations and organizations: improves access control to email, VPN, internal applications and critical services, with a second factor that is difficult to spoof.
- Public universities: strengthen access to platforms with research data, repositories and academic systems, reducing the risk of account hijacking.
- State Suppliers: provides differentiation in tenders where ENS and strong authentication are required; reduces friction in compliance audits.
Relationship with NIS2
Directive (EU) 2022/2555 ( NIS2 ) strengthens risk management requirements and security measures for covered entities, raising expectations on access controls and incident protection.
Having strong hardware-based authentication helps demonstrate maturity in access controls, especially when protecting access to critical services, management consoles, and privileged accounts.
Specific technical advantages in public environments
- Phishing resistance in flows compatible with modern authentication standards.
- Reduction of the risk of credential compromise due to leaks, password reuse, or malware aimed at code theft.
- Better fit in audits as it is referenced in CPSTIC and evaluated according to CCN methodologies.
Considerations for IT managers
Before deploying certified hardware keys, it is advisable to define:
- Scope: which groups (administrators, remote access, users with sensitive data) require a mandatory key.
- Backup policy: second key per user or formal recovery procedures.
- Lifecycle management: registration, custody, replacement, revocation and secure disposal.
- Integration: compatibility with corporate IdP, VPN, email, workstations, and privileged access.
Certified security key vs traditional 2FA
In the public sector, the differentiating factor is usually resistance to phishing and traceability in regulatory compliance:
| Method | Phishing resistant | Mobile phone dependency | Adaptation to regulated environments |
|---|---|---|---|
| YubiKey 5 CCN (hardware) | ✅ High | ❌ No | ✅ High (CPSTIC / CCN) |
| Authenticator app (TOTP) | ❌ Limited | ✅ Yes | ⚠️ Media |
| SMS | ❌ Low | ✅ Yes | ⚠️ Low |
| Email / links | ❌ Low | ✅ Yes | ⚠️ Low |
Frequently Asked Questions
What are the benefits of inclusion in CPSTIC compared to a "normal" key?
It provides an official CCN reference for use in the public sector and makes it easier to justify the selection of the product in audits and procurement files.
Does "ENS Alto" mean that I automatically meet ENS requirements?
No. ENS applies to the system and its set of organizational and technical measures. The key facilitates compliance in authentication and access control, but does not replace the other controls and processes.
Why is there so much emphasis on phishing?
Because it remains one of the most frequent vectors for compromising accounts. A hardware key significantly reduces its effectiveness in flows compatible with modern authentication.
What should I plan for so I don't get stuck if I lose a key?
Register a second key and define a recovery procedure: emergency codes, corporate custody, replacement issuance, and controlled revocation.
Where to purchase equivalent hardware
The YubiKey 5 CCN is distributed through institutional channels and is not available in retail stores. For individual use, small teams, or pilot testing, the YubiKey 5 NFC and the YubiKey 5C NFC are the same hardware and are available on Amazon.
USB-A + NFC
YubiKey 5 NFC
Same hardware as the CCN series. Compatible with FIDO2, WebAuthn, OTP, and OpenPGP. No battery, no drivers.
USB-C + NFC
YubiKey 5C NFC
Same functions, USB-C connector. Compatible with modern laptops and Android smartphones without an adapter.
Conclusion
The YubiKey 5 CCN with ENS Alto certification is relevant for the Spanish public sector because it combines strong hardware-based authentication with official recognition within the CCN framework, including its presence in the CPSTIC. This reduces friction in public procurement, audits, and deployments in demanding environments.
It does not replace the ENS or its organizational controls, but it is a highly effective component for raising the level of security in access control against phishing and credential compromise.
- 1. Check if your system is rated as ENS High — if so, the hardware key is the right way to go.
- 2 Consult the CPSTIC to justify the selection in purchasing files.
- 3 Plan the backup policy before deployment: second key and recovery procedure.
- 4 Start with the highest risk groups: administrators, remote access, and users with sensitive data.
