TOKEN2 Companion app 0.2

This page is about v0.2; the newer version, v0.3, is available here.

About the app

TOKEN2 Companion app is a tool to leverage the use of TOKEN2 FIDO2 security keys (second-generation only: T2F2-ALU, T2F2-AZ, T2F2-NFC and T2F2-BIO) beyond classic U2F and standard FIDO2/WebAuthn functionality. The app enables you to set and use TOTP profiles on a computer or on an Android device (NFC or USB/OTG) as well as iOS (with NFC only). For T2F2-Bio models, the app helps to manage fingerprint enrollment as well.

Installation

Download and launch the app. It is a zip file with an exe inside to launch – no installation needed, just make sure the files inside the zip file are extracted into the same directory. 

Download Companion for Windows

This page describes the Windows version of our Companion app (Android and iOS versions also exist and can be used based on the same principles).

Companion for iPhone (NFC version only)
Companion for Android

Our FIDO2 keys can also be managed under Linux or macOS, using the security key management interface built into Chromium-based browsers such as Google Chrome.

Manage FIDO2 keys under Linux or macOS


Setting HOTP seeds

T2F2-ALU and T2F2-NFC keys allow setting an HOTP secret using the companion app. The key has 2 types of HOTP profiles: 1) HID HOTP and 2) regular HOTP. The secret stored in the HID HOTP profile is used to generate the OTP and send it via HID keyboard emulation when the key button is pressed. There is no need to use the companion app to use the HID HOTP profile, but there may only be one HID HOTP profile. The HID HOTP profile can be set only using the Windows app. The regular HOTP profiles do not have these limitations, but they can be used only together with the companion app (i.e. via system clipboard).

To set the HID HOTP seed, launch the companion app, plug the key in and navigate to the HOTP menu item on the right.


On the next window, enter or generate the seed and click on Write. Note that you can configure additional options, such as the number of digits in the OTP (6 or 8) and the "Auto Enter" feature, which will send an Enter keystroke after the digits when sending via HID.


TOTP Profiles

The security keys are not standalone TOTP tokens: TOTP functionality of our FIDO2 keys is limited and requires an additional device to run the companion app. The key in this case is only used as secure storage for the TOTP seeds. If you need a fully standalone TOTP token, it is recommended to use our programmable tokens instead.

As the FIDO2 security keys have neither a system clock nor a display, they cannot be used as standalone TOTP tokens. However, you can save TOTP profiles on your T2F2-ALU and T2F2-NFC security keys and retrieve the generated OTPs via the companion app. This allows you to use the same device for your FIDO2 and TOTP protected accounts (e.g. use the same key for Azure Passwordless and Azure MFA login). You can add up to 50 OTP profiles per key.

Adding a TOTP profile

To add a new TOTP profile, navigate to the TOTP section and click on "+ (Add account)".


On the following window, fill in the Issuer, Account, and Security key fields. The Security key field (or seed, or secret) is expected to be in base32 format.



You can extract the base32 secrets from an image containing a QR code. You can scan the QR shown on the screen with the 'QR on screen' button (the app will minimize itself, take a screenshot and then look for a QR code containing the TOTP seed) or decode from an image file using 'QR from file'. Only one QR code should be present at a time on the screen or in the image file being loaded.

Important! Make sure you correctly fill in the Issuer and Account fields; they will not be filled automatically even if a QR code is used to fill the secret. The reason is that these fields will be used to differentiate and search the TOTP profiles, especially if you have more than 10 enrolled. The default values of the Issuer and Account fields are pre-populated from the token2.ini file.

Additional features
When adding TOTP profiles, you can benefit from the additional features implemented on the same dialog window:
- 'Random' - generates a random base32 secret.
- 'Require button' - if enabled, the OTP will be shown only if the physical button on the USB key is pressed.
- 'Append to CSV file' - if checked, the seeds added to the security key will be recorded in the CSV file (by default seeds.csv, can be modified in the token2.ini file).

If non-default TOTP settings are needed, you can configure them by clicking on the Additional settings link.


You can choose the OTP period to be 30 or 60 seconds, the hash algorithm to be sha1 or sha256 and the number of OTP digits to be 6 or 8.
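Because the Issuer and Account fields are not filled in from the QR code, it helps to decode the enrollment data yourself before typing it in. The following is an added example, not part of the companion app or its documentation: it assumes the QR code carries a standard otpauth://totp/ Key URI (the page does not name the format), splits it into the dialog fields, rejects settings outside the period, hash and digit choices listed above, and computes the RFC 6238 code so it can be compared with what the app displays. The function names and the sample URI are hypothetical.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# TOTP settings the page lists as selectable under "Additional settings".
SUPPORTED = {"period": {30, 60}, "algorithm": {"SHA1", "SHA256"}, "digits": {6, 8}}

def decode_seed(secret):
    """Base32-decode a seed, restoring the '=' padding that QR codes often omit."""
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields of the Add account dialog."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.scheme != "otpauth" or u.netloc.lower() != "totp" or "secret" not in q:
        raise ValueError("not a TOTP otpauth URI with a secret")
    # The label is "Issuer:Account" or just "Account".
    prefix, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    profile = {
        "issuer": q.get("issuer") or prefix,
        "account": account.strip(),
        "secret": q["secret"].replace(" ", "").upper(),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
    }
    for name, allowed in SUPPORTED.items():
        if profile[name] not in allowed:
            raise ValueError(f"{name}={profile[name]} is not selectable in the app")
    decode_seed(profile["secret"])  # raises ValueError if the seed is not base32
    return profile

def totp(profile, unix_time):
    """RFC 6238 code for a parsed profile at the given Unix time."""
    counter = struct.pack(">Q", int(unix_time) // profile["period"])
    digest = getattr(hashlib, profile["algorithm"].lower())
    mac = hmac.new(decode_seed(profile["secret"]), counter, digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** profile["digits"]).zfill(profile["digits"])

# Constructed sample: base32 of the RFC 6238 test seed "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example%20Corp:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp&digits=8")

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["issuer"], "|", p["account"], "|", totp(p, 59))
```

Run it only on a machine you trust with the seed, since the decoded secret is held in memory in clear text.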

Accessing the TOTP profiles

The OTP values generated by the security key can be accessed using the companion app. By double-clicking on the profile box you can copy the OTP to the clipboard. If the profile is configured to require the physical button to be pressed, double-clicking on the profile will make the physical button's LED blink; after you press the button, the OTP will be displayed in the app.


Additional settings

The companion app also allows resetting your FIDO2 key and setting a PIN code. 


Please note that the same operations can be done using the standard Windows control panel with Windows 10 1903 and higher. 
