TOKEN2 T2F2 Companion app for Windows v0.2.3

TOKEN2 Companion app is a tool to leverage the use of TOKEN2 FIDO2 security keys (only the models with TOTP support) beyond classic U2F and standard FIDO2/WebAuthn functionality. For T2F2-Bio models, the app also helps to manage fingerprint enrollment.
This page describes the version 0.2.3 of the Windows application.
Good to Know

Kindly note that if you only need the TOTP functionality of these keys, a simpler and lighter app called TOTP Viewer is available; it is a simple GUI wrapper for the CLI tool.
You can find more information here.
Make sure the key is plugged in before launching the app. Please note that only one key can be used: the app is currently not able to prompt you to select a key, so if multiple keys are present on your system it will pick one of them arbitrarily.
If the app is launched without a compatible Token2 Security key plugged in, it will show the message below:
If a supported key is detected, the app will show its model, firmware version and the serial number on the first page:
In the next sections, we will review the functionality of each window of the application in the order they appear in the Manage menu.
This window allows setting and changing the PIN code of the FIDO2 security key. In addition, you can reset the key to factory settings using the “Reset” button.
Please note that resetting the key will remove all FIDO2 user registrations, TOTP profiles and HOTP seeds. These features are also available from the standard Windows Hello control panel (for Windows builds 1909 and higher).
This window allows setting the HOTP seed in the main seed slot of the device. The main seed slot of our security keys can contain only one seed; the OTP is generated and sent via HID keyboard emulation when the button is activated. On some models the push button is replaced by a capacitive sensor. For BIO models, a long press on the fingerprint reader replaces this operation (please note that HOTP generation does not verify the fingerprint; in HOTP mode the reader acts only as a physical button).
Enter the seed in base32 format in the Secret Key field and click Save. You can generate a randomized secret key by clicking the “random” button.
Note: if you activate the “send Enter” parameter, an Enter keystroke is sent after the OTP digits. This may help to minimize user interaction, since hitting Enter usually submits the authentication form.
As the FIDO2 security keys have neither a system clock nor a display, they cannot be used as standalone TOTP tokens. However, you can save TOTP profiles on your Token2 security keys and retrieve the generated OTPs via the companion app. This allows using the same device for your FIDO2 and TOTP protected accounts (e.g. the same key for Azure passwordless and Azure MFA login). You can add up to 50 OTP profiles per key.
Please note that the security keys are not standalone TOTP tokens: the TOTP functionality of our FIDO2 keys is limited and requires an additional device to run the companion app. In this case the key is only used as secure storage for the TOTP seeds, and the host supplies the clock. If you need a fully standalone TOTP token, it is recommended to use our programmable tokens instead.
To add a TOTP profile, go to Manage → TOTP and click the Add icon (plus sign).
In the “Add account” dialog, enter the Secret key, Account Name and, optionally, the Issuer name. The Issuer and Account name help to distinguish between different TOTP profiles; they are also used when searching.
You can also use the “Read from QR” functionality to fill these fields from a TOTP QR image: the window automatically minimizes, searches for a compatible QR code on the screen and fills the form, as shown in the example below.
Please note that by default, profiles are created with 6 digits, a 30-second period and SHA-1. If different settings are required (e.g. SHA-256 instead of SHA-1), click the “advanced…” button when adding the account.
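To make the HOTP and TOTP parameters above concrete, here is an added reference implementation (not code from Token2 or the companion app) of RFC 4226 HOTP and RFC 6238 TOTP over a base32 seed, with the defaults the “Add account” dialog uses (6 digits, 30 seconds, SHA-1) and the SHA-256 option from the “advanced…” dialog. The profile layout and the sample seeds are assumptions; the seeds are the RFC test vectors, not real accounts.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, parameterised the way the companion app's profiles are."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_seed(seed: str) -> bytes:
    """Decode a seed as typed into the Secret Key field: case, spaces and missing padding tolerated."""
    s = seed.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)  # QR payloads usually omit the '=' padding; restore it
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(seed_b32: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP is HOTP with counter = floor(unix_time / period); the host, not the key, supplies the time."""
    t = int(time.time()) if at is None else at
    return hotp(decode_base32_seed(seed_b32), t // period, digits, algorithm)


# Constructed profile in the shape of the "Add account" dialog (defaults vs. "advanced..." settings).
# The seeds are the RFC 4226/6238 test vectors ("12345678901234567890" and its 32-byte variant).
PROFILES = {
    "default":  {"issuer": "Example", "account": "alice", "digits": 6, "period": 30, "algorithm": "sha1",
                 "seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    "advanced": {"issuer": "Example", "account": "bob", "digits": 8, "period": 30, "algorithm": "sha256",
                 "seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA"},
}


def otp_for_profile(name: str, at: Optional[int] = None) -> str:
    """Generate the code for a stored profile, as the app would after reading the seed off the key."""
    p = PROFILES[name]
    return totp(p["seed"], at, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    for name in PROFILES:
        print(name, otp_for_profile(name))
```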
The companion app allows enrolling fingerprints for T2F2-Bio models (the menu item is grayed out for other models). Click “continue” to enroll a fingerprint. The key must have a PIN code set; a warning is shown if it does not. The PIN can be set in the “FIDO2 Settings” window.
If the PIN is set on the security key, you will be prompted to enter it.
After verification, click Add to enroll the first fingerprint. The app will ask you to touch the fingerprint sensor a few times at slightly different angles to complete the enrollment.
Successfully enrolled fingerprints appear in the list as shown in the example below. You can add up to 29 fingerprints if needed, and delete one using the “x” button next to its record in the list.
FIDO2 fingerprint management is also available from the standard Windows Hello control panel (for Windows builds 1909 and higher).
This window allows controlling which features you want active on your security key. There are only two feature groups that you can enable or disable:
- FIDO2 Features (disabling this will disable all FIDO related functionality, such as WebAuthN, CTAP and U2F)
- HOTP and TOTP Features
Please note that if you disable the HOTP and TOTP features, the companion app will need to be re-launched in Administrator mode.
Token2 T2F2 Companion is distributed as a zip archive containing the main executable file as well as additional dll files. Please note that for the main functionality only the exe file is required. The additional dll files are needed only for QR reading/decoding, so if you need to deploy the app without QR functionality, the exe file is enough.
Advanced configuration for NFC keys
In addition to the main executable ("FIDO2 Companion.exe"), the package includes an additional tool, "Token2_AdvancedConfig.exe", which controls two additional settings of Token2 FIDO2 NFC security keys:
- A parameter requiring the key to always verify the user, as described in the CTAP2.1 standard (“Always Require User Verification”). When this feature is enabled, the user must perform a verification action, such as a fingerprint scan or entering the PIN, every time the FIDO2 device is used for authentication. This provides an extra layer of security, ensuring that only the authorized user can use the device and the accounts associated with it.
If Always Require User Verification is disabled, the user may be able to access their accounts using only the FIDO2 device without any additional verification. This mode is less secure, as it is more exposed to theft or unauthorized use of the device.
- The same tool allows modifying the minimum PIN length accepted by the device. The factory setting is 4 characters (or 6 for PIN+ models). Please note that resetting the key to factory settings sets this parameter back to 4/6.
The Advanced Config tool is currently compatible only with our NFC-enabled security keys.
Managing FIDO resident keys/passkeys
The FIDO2 Token Management Tool (fido2-manage.exe), included as part of the companion app package, is a command-line wrapper around the libfido2 tools. It provides a convenient way to perform operations related to FIDO2 keys, such as listing passkeys (resident credentials) and removing them.
More information about the tool is available here.
You can download the package here.