Docs

Guides

Blog

Tools

PIN+ Firmware - Feature Support Matrix: OpenPGP, FIDO2, OTP, and PIV Across Releases

About PIN+ Security Keys
The Token2 FIDO2 PIN+ series enforces strong PIN complexity at the firmware level, going beyond standard FIDO2 requirements. It blocks weak numeric PINs (like 123456 or 111111) and requires alphanumeric PINs to be at least 10 characters long, combining letters, numbers, and symbols. This makes it one of the most secure FIDO2 keys available, reducing the risk of unauthorized access even if the device is lost or stolen. The FIDO2 applet of the PIN+ firmware is open-source and publicly audited.


This table outlines the supported features and capabilities for OpenPGP, FIDO2, OTP, and PIV across different firmware releases. It provides a detailed comparison of cryptographic algorithms, passkey support, OTP functionality, and compatibility options (such as USB management on iOS). Use this matrix to identify the features available in each release and plan upgrades or deployments accordingly.


Release OpenPGP FIDO2 OTP PIV
Release 1 and earlier Not supported Supports up to 50 passkeys TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 2 Not supported Supports up to 300 passkeys TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 3 RSA2048; ECC: secp256r1, secp256k1, secp384r1, secp521r1
User Interaction Flags (UIF): not supported
Curve25519: not supported 		Supports up to 300 passkeys
FIDO2 management via USB on iOS 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 3.1 RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519
User Interaction Flags (UIF) 		Supports up to 300 passkeys
FIDO2 management via USB on iOS 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 3.2 RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519
User Interaction Flags (UIF)
KDF 		Supports up to 300 passkeys
FIDO2 management via USB on iOS 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records
HID-HOTP disabled by default 		Not supported
Release 3.3
(Under Development)		 RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519
User Interaction Flags (UIF)
KDF 		Supports up to 300 passkeys
FIDO2 management via USB on iOS
User Verification (always_uv) enabled by default
NFC timeouts aligned with FIDO specs 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records
HID-HOTP disabled by default 		PIV: NIST SP 800-73-4 compliant with RSA2048/3072/4096 support

PIN+ Serial Number Prefix Reference
This table provides an overview of the serial number prefixes assigned to different versions and form factors of the Token2 PIN+ devices. Each prefix identifies the product generation (Initial, R2, R3, R3.1, R3.2, R3.3) as well as the form factor (USB-A, USB-C, Dual, Bio, Mini, or Card) and, where applicable, branding (Token2, unbranded, or custom-branded editions). The prefixes are followed by a checking digit and a random sequence, ensuring uniqueness while allowing easy identification of the device type and revision.

Revision Model Branding Prefix
Initial (R1)USB-A (FD4)Token2 logo86105
Initial (R1)USB-C (FD7)Token2 logo86104
Initial (R1)Dual (FD8)Token2 logo86103
Initial (R1)Card (Token2 logo)Token2 logo86202
R2USB-A (FD4)Token2 logo96105
R2USB-C (FD7)Token2 logo96104
R2Dual (FD8)Token2 logo96103
R2Dual (FD8) No logo23103
R3Dual (FD8)Token2 logo76103
R3Card (Token2 logo)Token2 logo76202
R3Card (unbranded, no chip)No logo86106
R3Card (unbranded, with chip)No logo76106
R3.1USB-A (FD4)Token2 logo76105
R3.1USB-A (FD4)Unbranded26105
R3.1Mini USB-C key—72102
R3.1Custom system access cardSpecial branded (contact7816+NFC)70000001–70002000
R3.2Dual (FD8)Token2 logo77103
R3.2Slim Dual (FD8)Unbranded24103
R3.2Mini USB-A key—72101
R3.2Bio3 Dual A+C (ZK5)Branded72103
R3.2Bio3 Dual A+C (ZK5)Unbranded22103
R3.3 (PIV)USB-A (FD4)Branded66105
R3.3 (PIV)USB-C (FD7)Branded66104
R3.3 (PIV)Dual (FD8)Branded66103
R3.3 (PIV)USB-A (FD4)Unbranded66107
R3.3 (PIV)USB-C (FD7)Unbranded66106
R3.3 (PIV)Dual (FD8)Unbranded (Octo)66113
R3.3 (PIV)FIDO CardBranded (Token2 logo)66202
R3.3 (PIV)FIDO CardUnbranded (white)66102
R3.3 (PIV)Mini USB-A PIV—66101
R3.3 (PIV)Mini USB-C PIV—66111
R3.3 (PIV)Dual Bio3Branded72113
R3.3 (PIV)Dual Bio3Unbranded24133

VID/PID Reference for PIN+ Devices

This table lists the USB Vendor ID (VID) and Product IDs (PIDs) used by different generations and variants of the Token2 PIN+ devices. The VID 0x349E is assigned to Token2 SĂ rl. Each PID corresponds to a specific operating mode or function (FIDO, OTP, PGP, or combinations).

VID Version / Device Function PID
0x349EPIN+ R1 / PIN+ R2FIDO Channel0x0020
PIN+ R1 / PIN+ R2OTP 0x0021
PIN+ R1 / PIN+ R2FIDO + OTP Channel0x0022
0x349EPIN+ R3 / R3.1 / R3.2 / R3.3FIDO0x0020
PIN+ R3 / R3.1 / R3.2 / R3.3OTP0x0021
PIN+ R3 / R3.1 / R3.2 / R3.3FIDO + OTP0x0022
PIN+ R3 / R3.1 / R3.2 / R3.3OTP + PGP0x0023
PIN+ R3 / R3.1 / R3.2 / R3.3FIDO + PGP0x0024
PIN+ R3 / R3.1 / R3.2 / R3.3PGP0x0025
PIN+ R3 / R3.1 / R3.2 / R3.3OTP + PGP + FIDO (default)0x0026
0x349EMini USB A/C R3FIDO0x0010
Mini USB A/C R3OTP0x0011
Mini USB A/C R3FIDO + OTP0x0012
Mini USB A/C R3OTP + PGP0x0013
Mini USB A/C R3FIDO + PGP0x0014
Mini USB A/C R3PGP0x0015
Mini USB A/C R3OTP + PGP + FIDO (default)0x0016
0x349EBio3 Dual A+C Key R3.2 FIDO0x0200
Bio3 Dual A+C Key R3.2OTP0x0201
Bio3 Dual A+C Key R3.2FIDO + OTP0x0202
Bio3 Dual A+C Key R3.2OTP + PGP0x0203
Bio3 Dual A+C Key R3.2FIDO + PGP0x0204
Bio3 Dual A+C Key R3.2PGP0x0205
Bio3 Dual A+C Key R3.2OTP + PGP + FIDO (default)0x0206