About the app

TOKEN2 Companion app is a tool to leverage the use of TOKEN2 FIDO2 security keys (second-generation only: T2F2-ALU , T2F2-AZ, T2F2-NFC and T2F2-BIO ) beyond classic U2F and standard FIDO2/WebAuthn functionality. The app enables you to set and use TOTP profiles on a computer or on an Android device (NFC or USB/OTG) as well as iOS (with NFC only). For T2F2-Bio models, the app helps to manage fingerprint enrollment as well.

Installation

Download and launch the app. It is a zip file with an exe inside to launch – no installation needed, just make sure the files inside the zip file are extracted into the same directory. 

download Companion for Windows

---

Setting HOTP seeds

T2F2-ALU and T2F2-NFC keys allow setting HOTP secret using the companion app. The key has 2 types of HOTP profiles: 1) HID HOTP and 2) regular HOTP. The secret stored in the HID HOTP is used to generate and send the OTP via HID keyboard emulation when the key button is pressed. There is no need to use the companion app to use the HID HOTP profile, but there may only be one HID HOTP profile. The HID HOTP can be set only using the Windows app. The regular HOTP profiles do not have these limitations, but they can be used only together with the companion app (i.e. via system clipboard).

To set the HID HOTP seed, launch the companion app, plug the key in and navigate to HOTP menu item on the right.

On the next window, enter or generate the seed and click on Write. Note that you can configure additional options, such as the number of digits in the OTP (6 or 8) and the "Auto Enter" feature, which will send Enter keystroke after the digits when sending via HID.   

TOTP Profiles

As the FIDO2 security keys do not have a system clock nor a display, they cannot be used as standalone TOTP tokens. However, you can save TOTP profiles on your T2F2-ALU and T2F2-NFC security keys and retrieve the generated OTPs via the companion app. This will allow using the same device for your FIDO2 and TOTP protected accounts (i.e. use the same key for Azure Passwordless and Azure MFA login). 

Adding a TOTP profile

To add a new TOTP profile, navigate to the TOTP section, and click on "+ (Add account)"

On the following window, fill the Issuer, Account, and the Security key fields. The security key field (or seed, or secret) is expected to be in base32 format.

You can extract the base32 secrets from an image containing a QR code. You can scan the QR shown on the screen with the 'QR on screen' button (the app will minimize itself, take a screenshot and then look for a QR code containing the TOTP seed) or decode from an image file using 'QR from file'. Only one QR code should be present at a time on the screen or in the image file being loaded.

Additional features
When adding TOTP profiles, you can benefit from the additional features implemented on the same dialog window:
- 'Random' : generates a random base32 secret
- 'Require button' - if enabled, the OTP will be shown only if the physical button on the USB key is pressed.
- 'Append to CSV file' - if checked, the seeds added to the security key will be recorded in the csv file (by default seeds.csv , can be modified in token2.ini file) 

If non-default TOTP settings are needed, you can configure by clicking on Additional settings link

You can choose the OTP period to be 30 or 60 seconds, the hash algorithm to be sha1 or sha256 and the number of OTP digits to be 6 or 8.

Accessing the TOTP profiles

The OTP values generated by the security key can be accessed using the companion app. Bu double-clicking on the profile box you can copy the OTP to clipboard. If the profile is configured to require the physical button to be pressed, double-clicking on profile will make the physical buttons LED blink; after you press the button the OTP will be displayed on the app.

Additional settings

The companion app also allows resetting your FIDO2 key and setting a PIN code. 

Please note that the same operations can be done using the standard Windows control panel with Windows 10 1903 and higher.