This page maps Vouch features to common compliance frameworks. Vouch’s hardware-backed authentication model satisfies many of the strictest access control requirements across multiple regulatory standards.
YubiKey PIN verified on-device; never transmitted to server
IA-5(2)
Public Key-Based Authentication
Ed25519 SSH certificates issued by built-in CA; DPoP-bound OAuth tokens
IA-5(6)
Protection of Authenticators
Private keys are hardware-bound and non-extractable on YubiKey
AU-2
Event Logging
All credential issuance and authentication events logged
AU-3
Content of Audit Records
Audit records include user identity, timestamp, credential type, authenticator AAGUID, and IP address
AU-8
Time Stamps
Certificate validity tied to server time; supports GPS/NTP in air-gapped environments
AU-9
Protection of Audit Information
Audit logs stored in database with configurable retention periods
AC-2
Account Management
User enrollment via verified identity (OIDC); key registration via CLI (vouch register); revocation via CLI (vouch keys remove) or admin API
AC-7
Unsuccessful Logon Attempts
FIDO2 PIN retry limits enforced by YubiKey hardware (locks after 8 attempts)
AC-11
Device Lock
Sessions expire after configurable duration (default 8 hours); re-authentication required
AC-12
Session Termination
Explicit logout (vouch logout) and automatic session expiration
SC-12
Cryptographic Key Establishment and Management
Ed25519 SSH CA key; ES256 OIDC signing key; support for HSM and split-custody key storage
SC-13
Cryptographic Protection
FIDO2/CTAP2 with hardware-backed cryptography; TLS for transport; JWT signing for tokens; FIPS 140-3 cryptography (validated aws-lc-rs FIPS module embedded in server binaries on Linux; OS FIPS mode enabled in the attestable AMI — the kernel 6.18 modularized crypto module’s CMVP validation is in process, expected 2027)
Public key authentication via Ed25519 SSH certificates and DPoP-bound tokens
Identification and Authentication (IA)
IA-5(6)
Hardware-bound, non-extractable private keys on YubiKey
Access Control (AC)
AC-2
Centralized user enrollment and key management through Vouch server
Access Control (AC)
AC-7
YubiKey enforces PIN lockout after consecutive failures
Access Control (AC)
AC-12
Sessions auto-expire; explicit logout available
Audit and Accountability (AU)
AU-2, AU-3
All authentication and credential issuance events logged with identity, timestamp, and method
Audit and Accountability (AU)
AU-8
Time-bound certificates; NTP/GPS time sync supported for air-gapped deployments
System and Communications Protection (SC)
SC-12, SC-13
Hardware-backed cryptography; Ed25519 CA; ES256 OIDC signing; TLS transport encryption; FIPS 140-3: validated aws-lc-rs FIPS module in server binaries; OS crypto-policy FIPS + kernel fips=1 in the attestable AMI (kernel crypto module validation in process)
System and Communications Protection (SC)
SC-23
FAPI 2.0 with DPoP sender-constrained tokens; private_key_jwt client authentication
Configuration Management (CM)
CM-2
Server configured via environment variables with S3 centralized config support
Contingency Planning (CP)
CP-9
Database backup/restore procedures; CA key recovery with split custody