TOKEN2 Companion app

About the app

TOKEN2 Companion app is a tool to leverage the use of TOKEN2 FIDO2 security keys (second-generation only: T2F2-ALU , T2F2-AZ, T2F2-NFC and T2F2-BIO ) beyond classic U2F and standard FIDO2/WebAuthn functionality. The app enables you to set and use TOTP profiles on a computer or on an Android device (NFC or USB/OTG) as well as iOS (with NFC only). For T2F2-Bio models, the app helps to manage fingerprint enrollment as well.

Our FIDO2 keys can be managed under Linux or macOS as well, but using security key management interface built-in to Chromium based browsers, such as Google Chrome

    manage FIDO2 keys under Linux or macOS


Download and launch the app. It is a zip file with an exe inside to launch – no installation needed, just make sure the files inside the zip file are extracted into the same directory. 

download Companion for Windows

This page describes the Windows version of our Companion app (Android and iOS versions also exist and can be used based on the same principles)

Companion for iPhone (NFC version only) Companion for Android

Setting HOTP seeds

T2F2-ALU and T2F2-NFC keys allow setting HOTP secret using the companion app. The key has 2 types of HOTP profiles: 1) HID HOTP and 2) regular HOTP. The secret stored in the HID HOTP is used to generate and send the OTP via HID keyboard emulation when the key button is pressed. There is no need to use the companion app to use the HID HOTP profile, but there may only be one HID HOTP profile. The HID HOTP can be set only using the Windows app. The regular HOTP profiles do not have these limitations, but they can be used only together with the companion app (i.e. via system clipboard).

To set the HID HOTP seed, launch the companion app, plug the key in and navigate to HOTP menu item on the right.

TOKEN2 Companion app

On the next window, enter or generate the seed and click on Write. Note that you can configure additional options, such as the number of digits in the OTP (6 or 8) and the "Auto Enter" feature, which will send Enter keystroke after the digits when sending via HID.   

TOTP Profiles

The security keys are not standalone TOTP tokens:  TOTP functionality of our FIDO2 keys is limited and requires an additional device to run the companion app. The key in this case is only used as secure storage for the TOTP seeds. If you need a fully standalone TOTP token, it is recommended to use our programmable tokens instead.

As the FIDO2 security keys do not have a system clock nor a display, they cannot be used as standalone TOTP tokens. However, you can save TOTP profiles on your T2F2-ALU and T2F2-NFC security keys and retrieve the generated OTPs via the companion app. This will allow using the same device for your FIDO2 and TOTP protected accounts (i.e. use the same key for Azure Passwordless and Azure MFA login). 

Adding a TOTP profile

To add a new TOTP profile, navigate to the TOTP section, and click on "+ (Add account)"

TOKEN2 Companion app

On the following window, fill the Issuer, Account, and the Security key fields. The security key field (or seed, or secret) is expected to be in base32 format.

TOKEN2 Companion app

You can extract the base32 secrets from an image containing a QR code. You can scan the QR shown on the screen with the 'QR on screen' button (the app will minimize itself, take a screenshot and then look for a QR code containing the TOTP seed) or decode from an image file using 'QR from file'. Only one QR code should be present at a time on the screen or in the image file being loaded.

Important! Make sure you correctly fill the Issuer and Account fields, they will not be filled automatically even if QR code is used to fill the secret. The reason is that these fields will be used to differentiate and search the TOTP profiles, especially if you have more than 10 enrolled. Default values of Issuer and Account field are pre-populated from token2.ini file

Additional features
When adding TOTP profiles, you can benefit from the additional features implemented on the same dialog window:
- 'Random' : generates a random base32 secret
- 'Require button' - if enabled, the OTP will be shown only if the physical button on the USB key is pressed.
- 'Append to CSV file' - if checked, the seeds added to the security key will be recorded in the csv file (by default seeds.csv , can be modified in token2.ini file) 

If non-default TOTP settings are needed, you can configure by clicking on Additional settings link

TOKEN2 Companion app

You can choose the OTP period to be 30 or 60 seconds, the hash algorithm to be sha1 or sha256 and the number of OTP digits to be 6 or 8.

Accessing the TOTP profiles

The OTP values generated by the security key can be accessed using the companion app. Bu double-clicking on the profile box you can copy the OTP to clipboard. If the profile is configured to require the physical button to be pressed, double-clicking on profile will make the physical buttons LED blink; after you press the button the OTP will be displayed on the app.

TOKEN2 Companion app

Additional settings

The companion app also allows resetting your FIDO2 key and setting a PIN code. 

TOKEN2 Companion app

Please note that the same operations can be done using the standard Windows control panel with Windows 10 1903 and higher. 

TOKEN2 Companion app

Large Volume Orders
For large orders, Token2 offers volume discounts.If you are interested in larger volume orders, please contact us and we will get back with a quote immediately