Hardware fido keys from token2 - anyone tried them?

Aeon

I stumbled over a fido key company called token2 https://www.token2.ch

Their products look interesting, has anyone here tried any of them?

fid02

Aeon Incidentally, I bought two of their keys a couple of days ago (T2F2-PIN+/Dual Release2) and intend to use them with GrapheneOS and report back. They're FIDO Alliance certified so I expect them to work fine. I'll write a review about their general usability because I have found very few reviews of these keys. It seems like a small company. I bought them because they have 300 passkey slots, compared to Yubikey 5.7 which has only 100. Good that there are other players out there that seem to actually be able to compete with Yubico, if only somewhat. If their usability is good they will hopefully serve as my main keys for many years, although it's too early to conclude on that point.

Aeon

fid02

cool, looking forward to your review/post about them :-)

fid02

Aeon I received yesterday my order of two security keys with the catchy name of Token2 T2F2-PIN+/Dual Release2 . Spent a couple of hours testing them. Here's my initial experience:

They appear to be fully compatible with GrapheneOS, in terms of functionality. Everything in this post seems to apply to the Token2 key as well: https://discuss.grapheneos.org/d/12056-fido2-security-keys-on-grapheneos-a-summary
When inserted into the USB-C port, Android recognises the key as a physical keyboard. That's odd, and it interferes with you having to type your PIN. To solve this, enable 'Use on-screen keyboard' in Settings > System > Keyboard > Physical keyboard > [keyboard name]. I only had to do that once. By the way, it's exactly the same behaviour on stock PixelOS.
I am using the Yubico Authenticator app [Play Store] [Github] to manage the passkeys on the keys. I can view them and I deleted one just to test. I also changed the PIN on the key, and that works as well. So you don't need to download Token2's apps (or other weird apps) on your desktop OS in order to view and manage the passkeys. The only snag is that Yubico Authenticator won't recognise the key through USB-C, only NFC.

I haven't tested the TOTP capabilities. I don't really need them, but it's something I can test. I might write a more detailed review after having used the keys a bit more.

Aeon

fid02

oh thank you for the short overview :-) that helps a lot.

Aeon

fid02 The only snag is that Yubico Authenticator won't recognise the key through USB-C, only NFC.

does that also hold on desktop, or did you only try it on GrapheneOS/PixelOS?

klaeuser

fid02
unfortunately there is no such setting (System > Keyboard > Physical keyboard ...)

fid02

Aeon I now tried Yubico Authenticator on Windows 11 and it does not recognise the Token2 key. My computer doesn't have an NFC reader, so I don't know if it will recognise the key over NFC.

It's not a big deal for me, as Token2 has their own software (also open-source) for Windows that can manage passkeys and the FIDO PIN: https://www.token2.com/site/page/tools-for-fido-security-keys
There's a tool for Linux as well, but I haven't tested this. The Windows version works fine for me. Yubico Authenticator is definitely better-looking, but I don't care about that. :-)

I also just tested their TOTP app for Android and it works fine. (Might actually be useful to store TOTPs on the keys just as a backup. It won't of course make them phishing-resistant in any way).

fid02

Compared to the new Yubikey with FW v. 5.7, for me the advantages of the newest Token2 keys ('Release 2') are the higher number of passkey slots (300) and, specific to the key I bought, the dual USB-A/USB-C design. The latter is useful to me as I will sometimes need to use the key on computers that are still stuck on USB-A-only.

I took some photos of the Token2 Dual and my Yubikey Security Key side-by-side:
https://drive.proton.me/urls/5J5Y4AJYZ4#ztMh8qFuan7D
https://drive.proton.me/urls/Y4YD95XGKR#szApWRA545wP

Here's a brief comparison:

The Token 2 key (only 'Release 2', mind) can store 300 passkeys, compared to my Yubikey FW v. 5,4 which can store 25.
The Token2 Dual key is slightly bulkier, but not by much.
The plastic on the Token2 key feels a tad cheaper to me. The plastic appears to consist of two parts that are glued together. I wonder how strong that glue is, and how easily it degrades. Token2 advertises the key as being durable against water ingress*. I wouldn't have bought the key otherwise, because it rains quite a lot where I currently live. And I plan to keep one of the keys on my keychain. Time will tell.
The keyhole is placed right at the edge of the key, and is tinier than the Yubikey's keyhole. It fits with my keychain, although I'm wondering how easily the plastic around it will degrade over time when used with a metal keychain. After just a few hours being attached to my keychain, the plastic is already showing slight marks (not visible in the photo; it was taken shortly after unpacking the key). The Yubikey feels like a better design; I've had it on my keychain for two years and it's not showing signs of wear. The Yubikey's keyhole is also coated with some metal.
The Token2 USB-C version has a larger keyhole, placed a bit more away from the key's edge. I would prefer this design on the Dual key as well. It would create a longer key than the Yubikey, and I assume Token2 thought that might not look as appealing. Although I wouldn't mind.
User verification is achieved by touching the golden coating on the sides of the key. Briefly touching one of them is enough, and you don't have to pinch or press them. This works reliably. At first, I didn't notice the golden coating, and assumed I had to tap the top and/or bottom of the key. So I started tapping them like a wild person, inwardly cursing myself for buying a useless product. Until I actually looked at the key's sides. 😄
Token2 advertises that the key has a lifetime of at least 10 years. I doubt I will keep a security key for that long, although the high number of passkey slots does increase its potential longevity. That is, assuming that passkeys are successful and get rolled out by most services out there. I'm really hoping they will be.

I think I'm likely to keep the Token2 keys and use them as my main keys instead of my current Yubikeys. I'll keep one on my keychain and the other plugged into my computer for convenience. If the keys prove durable to water, I might buy the USB-C version and keep it off-house as a backup key.

*Complete quote:

This model is featuring a specialized PCB (Printed Circuit Board) coating for enhanced water resistance. This protective coating ensures durability against water ingress!

Edit:
troika I think you might have posted in the wrong topic; these keys are not sold by Google. Token2 is a small Swiss company. If you have substantive arguments to support your claim (which I'm currently not seeing that you have provided), I suggest you make a new topic.

fid02

fid02 The keyhole is placed right at the edge of the key, and is tinier than the Yubikey's keyhole. It fits with my keychain, although I'm wondering how easily the plastic around it will degrade over time when used with a metal keychain.

Five weeks later, the plastic near the hole for the keychain broke off while I was taking my keys out of the pocket. Take a look: https://drive.proton.me/urls/AR9P40471G#BBi6ZOVEOooU

On a related note, I accidentally dropped one of the keys while outdoors and it was lying there in the pavement in heavy rain for five minutes. I let it dry for a day and it still works fine.

I might soon accidentally leave one of the keys in the pocket of my trousers, then wash my trousers in my aggressive washing machine. Inadvertently, of course.

other8026

troika hardware is frequently made in China. That happening isn't really evidence of a device being dangerous. The article you posted here also doesn't seem to be suggesting that either.

Hat

@fid02 thanks for your detailed review.
Did you try to use it to log into a Windows 11 local account or with the admin prompt ?

fid02

Hat No, I have not tried this. Windows has no native support for signing in to a Windows account using a security key*, unless you are using an Entra-joined device with an Entra passkey saved to the key. Which means that for non-Entra-joined devices you will need to use custom software. From a quick search on token2.com I cannot find a mention of support for this. Yubico has their own software for this purpose, but their setup guide looks like an incredible nuisance, and you end up using the key in addition to your password, and not as a replacement for it. Which has caused me to never try this out, not even with my Yubikeys. There might be a tiny chance that Yubico's software will work with Token2 keys, but I doubt it. You have made me curious, so I'll probably try this out sometime. But I expect it to fail.

Shouldn't be a problem with Entra-joined devices, as models of Token2 keys are on Microsoft's list of supported devices for attestation with Entra ID. Unless your organization uses attestation to block certain keys, it should work fine with an Entra-joined device. Be sure to check prior to a purchase whether the model you are buying is on this list, if Entra ID is applicable to you.

*There might be a tiny chance that I'm wrong on this point, but I have not yet found evidence to the contrary.

fid02

Hat Did you try to use it to log into a Windows 11 local account or with the admin prompt ?

I have now tried to configure a Token2 key using the Yubico Login for Windows software and, unsurprisingly, it is not able to detect the key during configuration. Speculation alert: I'm guessing that the app is not simply storing FIDO credentials on the key, but that the Yubikey models that the app suports have special storage slots designed for such a usage. It would explain why not even the Yubikey Security Key series is supported by the app, even though they can store FIDO2 credentials without issues.

fid02

I bought the PIN+ Release2 USB-C key and have used it for a couple of weeks now. Adding a link to the product because all their keys have names that are ridiculously confusing: https://www.token2.com/shop/product/token2-t2f2-pin-release2-type-c-fido2-u2f-and-totp-security-key-with-pin-complexity-feature
I'm quite satisfied with it so far. It's of course more compact than the Dual key, and the hole for the keychain (is there a better word for that in English?) is placed farther away from the corners, which should mean that it's harder to break. It's shorter but slightly thicker than a modern Yubikey, which is fine for me. I now use one of my Dual keys as a backup key, which I'll store somewhere off-site, and one always connected to my computer.

Of course, like Yubikeys it doesn't have upgradable firmware. Which is ludicrous, but that's the state of the world today.

Soccy

fid02
In a way, forever firmware is a security feature. It ensures nobody is flashing compromised code onto the devices, as inconvenient as needing a new generation of device every now and again. I only wish it were possible to update a device to support more passkeys if some more compact storage method arose (Yubikey is just too dang small)

fid02

Soccy In a way, forever firmware is a security feature. It ensures nobody is flashing compromised code onto the devices

Is it not possible for a vendor to sign firmware updates with a private signing key?

Hat

fid02 I asked them about the Windows login and admin prompt and they confirmed that it wasn't available because Microsoft doesn't support it as standard. Special software would be required.
Anyway, I ordered 2 of the same keys as yours.
I tried one with a hosting provider, Brave on Windows and it worked perfectly without password.
After that I tried with Amazon and I didn't like because Amazon force to use a Windows password (password specially for the key) in addition at each login.
At the moment I didn't try with GrapheneOS because I didn't put Google Play Services on my main profile.

fid02

Hat After that I tried with Amazon and I didn't like because Amazon force to use a Windows password (password specially for the key) in addition at each login.

I assume you are talking about the PIN of your security key? Or are you talking about Amazon asking you for a TOTP in addition to your security key? If the latter, that can be disabled in your Amazon account settings.

Hat

fid02 I assume you are talking about the PIN of your security key?

Yes. It seems that the website decides if the PIN is required.

fid02

Hat For passkeys, the standard is to require user verification (PIN, fingerprint) upon signing in to a service. That is not exclusive to Amazon*. I assume that this is required in order to avoid someone being able to access all your accounts simply by stealing the security key itself.

*The only exception to this that I have observed is the Google Play Store, which allows you to sign in with a passkey over NFC without needing to enter the PIN.