This page describes the version 0.3 of the Windows application.
Make sure the key is plugged in before launching the app. Please note that only one key can be used, the app is currently not able to prompt to select the key, so it will randomly select one if multiple keys are present on your system.
If the app is launched without a compatible Token2 Security key plugged in, it will show the message below:
If a supported key is detected, the app will show its model, firmware version and the serial number on the first page:
In the next sections, we will review the functionality of each window of the application in the order they appear in the Manage menu.
This window allows setting and changing PIN codes of the FIDO2 security key. In addition, you can also reset the key to factory settings using “Reset” button.
Please note that resetting the key will remove all FIDO2 user registration, TOTP profiles and HOTP seeds. These features are also available from the standard Windows Hello Control panel (for Windows builds 1909 and higher).
This window allows setting the HOTP seed in the main seed slot of the device. The main seed slot of our security keys can contain only one seed, and the OTP is generated and sent via HID/Keyboard emulation when the button is activated. The push button is replaced by a capacitive sensor on some models. For BIO models, long-press on the fingerprint reader replaces this operation (please note that HOTP generation functionality is not verifying the fingerprint, it acts as a physical button in HOTP mode).
Enter the seed in base32 format in the Secret Key field and click Save. You can generate a randomized secret key by clicking “random” button.
Note: if you activate “send Enter” parameter, there will be an Enter keystroke sent in addition to OTP digits – this may help to minimize user interaction (usually hitting Enter submits the authentication form).
As the FIDO2 security keys do not have a system clock nor a display, they cannot be used as standalone TOTP tokens. However, you can save TOTP profiles on your Token2 security keys and retrieve the generated OTPs via the companion app. This will allow using the same device for your FIDO2 and TOTP protected accounts (i.e. use the same key for Azure Passwordless and Azure MFA login). You can add up to 50 OTP profiles per key.
Please note that the security keys are not standalone TOTP tokens: TOTP functionality of our FIDO2 keys is limited and requires an additional device to run the companion app. The key in this case is only used as secure storage for the TOTP seeds. If you need a fully standalone TOTP token, it is recommended to use our programmable tokens instead.
To add a TOTP profile, go to Manage → TOTP and click on Add icon (plus sign).
On the “Add account” dialog, enter the Secret key, Account Name and optionally Issuer name. The Issuer and Account name will help to distinguish between different TOTP profiles; they will also be used when searching.
You can also use “Read from QR” functionality to fill these fields from a TOTP QR Image; the window will automatically minimize, search for a compatible QR code on the screen and fill the form as shown in the example below.
Please note that by default, the profiles are created as 6 digits, 30 seconds and sha-1. If different settings are required (i.e. if you need SHA256 instead of SHA1) , click the “advanced…” button when adding the account.
The companion app allows enrolling fingerprints for T2F2-Bio models (the menu item will be grayed out for other models). Click on “continue” to enroll a fingerprint, the key should have a PIN code setup, a warning will be shown in such case. The PIN has to be set in the “FIDO2 Settings” window.
If the PIN is set on the security key, you will be prompted to enter it.
After the verification, click on Add to enroll the first fingerprint. The app will ask to touch the fingerprint sensor area a few times under slightly different angles to complete the enrollments.
Successfully enrolled fingerprints will appear in the list as shown on the example below. You can add up to 29 fingerprints if needed and delete using the “x” button next to the fingerprint record in the list.
FIDO2 fingerprint management is also available from the standard Windows Hello Control panel (for Windows builds 1909 and higher).
This window allows controlling which features you want to have active on your security key. There are only 2 feature groups that you can enable or disable:
- FIDO2 Features (disabling this will disable all FIDO related functionality, such as WebAuthN, CTAP and U2F)
- HOTP and TOTP Features
Please note that if you disable HOTP and TOTP Features, the companion app will need to be re-launched in Administrator mode.
Token2 T2F2 Companion is distributed in a zip archive containing the main executable file as well as additional dll files. Please note the for the main functionality, only the exe file is required. The additional dll files are needed for QR reading/decoding functionality, so if you need to deploy the app without QR functionality, the exe file is enough.
You can download the package here.