Token2 is a Swiss company that develops security keys. Their PIN+ Series includes options that have support for FIDO2, NFC, TOTP, Biometric Authentication, and OpenPGP.
Why I think this tool should be added
Token2 PIN+ Series fills all the requirements for the security keys category and has some additional benefits when compared to already listed options. Most notably, the keys are affordable, and their Release3 has brought space for 300 passkeys, which is more than YubiKey’s 100. In addition, the firmware of the PIN+ FIDO2 Security Keys is open-source and enforces PIN complexity. It was also audited by Compass Security Schweiz AG in 2024 and has the FIDO Level 2 (L2) certification.
Hey, I came across token2.com (.eu; .swiss etc.) as a more budget-friendly 2FA hardware maker HQ'd in Switzerland. They make FIDO-certified keys, some with added functionality, and they have some additional certifications as well. Industry customers use them too.
I would like to know if anyone knows anything about their products; I would be curious about their experience and opinion about ease of use, security, customer service etc.
They don’t seem to have the hardware code open like the solokeys does, but they seem to have opened some of their companion tools there. Would indeed like to have more insight from someone who knows more about that domain. Looks really interesting.
Q: Is the firmware on your keys open source, did it ever receive a security audit, what was the name of the original firmware you used (I read somewhere that you used a 3rd party firmware)?
A: No, the firmware of our products is not open-source.
You will find Python scripts for compatible products after purchasing them in the customer account interface. You can change it and use it for internal use if needed.
I asked them again about the audits:
Q: Whether the firmwares had any security audits (despite not being open source), is that information available?
A: Our security keys are FIDO-certificated and meet the standards provided by FIDO Alliance.
Hello, I am associated with Token2. Let me provide clarification on the response from the helpdesk, which might not have been described very well.
FIDO2 keys undergo thorough audits by certification engineers from the FIDO Alliance. Generally, there is no requirement for additional security audits, especially for L1-certified keys.
On a separate note, the link to Token2’s GitHub you posted previously is not the scripts the helpdesk mentions in the first response; there are some other Python source codes that are made available for customers to examine (and use).
I’m not sure if this matters, but their passkey management tool is also open source and not limited to their own hardware — I can manage my YubiKey with it as well.
That being said… (and this could be worth a dedicated thread if required)
I think that Token2 deserves a spot in the list. They’re Swiss-made, and their PIN+ Release 3 allows up to 300 FIDO2.1 Resident Keys + 50 TOTP/HOTP + 1 HOTP via HID. Basically, way more than most of the YubiKeys available today. The latest firmware update from Yubico allows up to 64 OATP/TOTP on the Series 5s tho.
Going back to the Token2, they’re not as tough as the YubiKeys (mostly made of glued plastic), they’re not IP rated either, but the PCB inside has a coating for “enhanced water resistance”. And their price cannot be compared to the YubiKeys.
It’s also worth mentioning that more and more hardware crypto wallets are FIDO2 compliant, like the Trezor 3 and 5. Even the Trezor Model One is FIDO U2F compliant.
At this point, I think that the Security Keys recommendations could benefit from a nice refresh.
Yubico is still the king, and there’s no argument about that. But a few solid options have appeared on the market. Some that could be a great backup option, others that could be better for the daily life. (One solid YubiKey on the go, anywhere. One other key, not necessarily from Yubico, at home.)