Token2 Companion - Rust edition - Keyroost
Token2 Companion - Rust edition is an open-source, cross-platform desktop tool for managing Token2 PIN+ / T2F2 keys and security keys from any vendor. It is built on keyroost, an independent open-source Rust toolchain for hardware security keys, and brings the Token2 Companion App's capabilities to Windows, macOS, and Linux - fully open source.
Why this edition exists
The Token2 Companion App manages our FIDO2 keys - OTP, FIDO / passkeys, PIV, and OpenPGP. Token2 Companion - Rust edition is an open-source sibling to it, built on an existing, auditable key-management engine rather than from scratch, to address two things the original could not: be fully open, and run natively on Linux.
It is a Token2-focused edition of keyroost, with added support for the Token2 on-device OTP applet and the correct Token2 PIN+ defaults. The engine underneath is vendor-neutral, and our additions are contributed back upstream so every key manager built on keyroost benefits.
What makes it different
Universal - not Token2-only
It manages security keys from any brand, not just Token2 - FIDO2 / passkeys, OATH TOTP/HOTP, OpenPGP, and PIV over the same open standards. Token2 keys gain extra support (the on-device OTP feature and Token2 PIN+ defaults); any other vendor's key still works.

Screenshot: Managing a YubiKey device
Cross-platform - including Linux
A single codebase runs on Windows, macOS, and Linux. A native Linux build of our own Companion App is challenging for us to release, so we maintain this edition specifically to give our Linux customers a way to manage their keys - with Windows and macOS covered as well.
Fully open source
The entire tool is open source, implemented from public standards with no vendor SDKs, so anyone can read, audit, build, and extend it. It now replicates the Token2 Companion App's features, including fingerprint (biometric) management, which has been contributed upstream to keyroost so every key manager built on the engine benefits - not only this edition.
Feature parity at a glance
- Device information - serial number, applets present, and connection status.
- Device metadata (FIDO MDS) - on the Overview tab, the key's vendor name and icon, FIDO certification level and date, protocol family, and supported versions, looked up by its AAGUID. (new)
- On-device OTP - list, add, and delete TOTP / HOTP credentials, with a live countdown for time-based codes and a one-tap Read button for touch-protected entries.
- HID-HOTP (button-press code) - set up the keystroke HOTP slot and change its typing options (Send Enter, long touch, numeric keypad), and enable or disable the keyboard (HID) interface.
- FIDO2 / passkeys - PIN setup, passkey listing and removal, and device reset.
- Fingerprint management - enroll, rename, and delete fingerprints on biometric keys, from the Passkeys tab. (new)
- Security policy (FIDO2 settings) - over CTAP 2.1 authenticatorConfig: always-require-verification, a minimum PIN length, a forced PIN change, and enterprise attestation, from the FIDO2 Settings tab. (new)
- Storage (large blobs) - view the key's large-blob storage as hex and ASCII, and keep your own text notes on the key (add, edit, delete). (new)
- PIV - PIN / PUK / management-key operations and certificates, with the correct Token2 PIN+ defaults.
- OpenPGP - on-card signing, encryption, and authentication keys.
- Clearer messages - device errors are explained in plain language; for example, a rejected PIN change on a PIN+ key now tells you the new PIN doesn't meet the key's complexity policy. (new)
- USB connection - keys are managed over USB. Management over NFC is not supported yet.
Screenshot: Device overview, showing available applets, device information, and FIDO certification metadata
On-device OTP credentials
The application provides full access to the Token2 on-device OTP applet, letting you add, view, and remove TOTP and HOTP credentials directly on the key. Time-based codes show a countdown ring and refresh automatically; entries that require a touch are revealed with a single Read button.
HID-HOTP (button-press keystroke code)
The on-device OTP tab also configures the HID-HOTP slot - the code the key types like a keyboard when you touch it. You can set or replace its secret, change the typing options (Send Enter, long touch, numeric keypad) without re-entering the secret, and enable or disable the keyboard (HID) interface from the same place.

FIDO2 / passkeys
Configure the FIDO2 PIN, view resident credentials (passkeys), remove credentials, and reset the FIDO2 application when needed.
Fingerprint management new
On biometric keys, the Passkeys tab lets you enroll, rename, and delete fingerprints stored on the key. After unlocking with the FIDO2 PIN, follow the on-screen prompts to capture a fingerprint; enrolled fingerprints can then satisfy user verification by touch instead of typing the PIN. The fingerprint templates never leave the key.
Security policy (FIDO2 settings) new
The FIDO2 tab includes a Settings sub-view for the key's security policy, using the standard CTAP 2.1 authenticatorConfig command. After unlocking with the FIDO2 PIN you can:
- Always require user verification - make every assertion need verification (PIN or fingerprint), even for services that did not ask for it.
- Set a minimum PIN length - raise the shortest PIN the key will accept, optionally forcing a new PIN if the current one is now too short.
- Force a PIN change on next use - useful before handing a key to someone else.
- Enable enterprise attestation - on keys that support it, for enterprise registration policies.
Some of these are one-way: a higher minimum PIN length and enterprise attestation cannot be undone without a full reset of the key. The app asks for explicit confirmation before applying those, and explains any rejection in plain language. The Settings tab appears only on keys that report authenticatorConfig support.
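What these settings look like on the wire, as an added example (not code from keyroost or Token2): it builds CTAP 2.1 authenticatorConfig requests from the published command layout, using a minimal CBOR encoder. The token is a constructed placeholder for the pinUvAuthToken obtained after the PIN unlock, and all function names are illustrative.

```python
import hashlib
import hmac

CMD_CONFIG = 0x0D  # authenticatorConfig command byte
ENTERPRISE_ATTESTATION, TOGGLE_ALWAYS_UV, SET_MIN_PIN_LENGTH = 0x01, 0x02, 0x03

def head(major, n):
    """CBOR initial byte(s) for a major type and a value or length below 256."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    raise ValueError("value too large for this minimal encoder")

def cbor(value):
    """Encode the few types these requests need: bool, small uint, bytes, int-keyed map."""
    if isinstance(value, bool):
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        return head(0, value)
    if isinstance(value, bytes):
        return head(2, len(value)) + value
    if isinstance(value, dict):
        return head(5, len(value)) + b"".join(cbor(k) + cbor(v) for k, v in sorted(value.items()))
    raise TypeError(type(value))

def config_request(token, sub_command, params=None, protocol=2):
    """Command byte plus CBOR map {1: subCommand, 2: params, 3: protocol, 4: pinUvAuthParam}."""
    raw_params = cbor(params) if params else b""
    # The MAC covers 32 x 0xff || 0x0d || subCommand || subCommandParams.
    mac = hmac.new(token, b"\xff" * 32 + bytes([CMD_CONFIG, sub_command]) + raw_params,
                   hashlib.sha256).digest()
    body = {1: sub_command, 3: protocol, 4: mac[:16] if protocol == 1 else mac}
    if params:
        body[2] = params
    return bytes([CMD_CONFIG]) + cbor(body)

def set_min_pin_length(token, length=None, force_change=False):
    """setMinPINLength: key 1 = newMinPINLength, key 3 = forceChangePin."""
    params = {}
    if length is not None:
        params[1] = length  # one-way: cannot be lowered again without a reset
    if force_change:
        params[3] = True
    return config_request(token, SET_MIN_PIN_LENGTH, params)

if __name__ == "__main__":
    token = bytes(range(32))  # constructed placeholder, not a real pinUvAuthToken
    print(set_min_pin_length(token, 8, force_change=True).hex())
    print(config_request(token, TOGGLE_ALWAYS_UV).hex())
```

Because the MAC covers the subcommand and its parameters, a request altered in transit (for example a different minimum length) fails verification on the key.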
Storage (large blobs) new
CTAP 2.1 keys can hold a small large-blob store. The FIDO2 tab's Storage sub-view shows what is on the key and lets you keep your own notes there:
- View entries - each stored item is shown as a card, with an optional side-by-side hex + ASCII view of its raw bytes. Entries written by websites (relying parties) are shown read- and delete-only.
- Add, edit, and delete notes - keep your own plain-text notes on the key; they are listed back as readable text and can be edited or removed.
The large-blob store is not encrypted and can be read by anyone holding the key, so it is a convenience scratchpad - not a place for passwords or secrets. The store loads automatically when you open the tab; saving a change requires the FIDO2 PIN. The Storage tab appears only on keys that report large-blob support.
PIV certificates
The PIV section manages PINs, PUKs, management keys, certificates, and key slots using the correct Token2 PIN+ defaults.

OpenPGP keys
Create, import, and manage OpenPGP keys used for signing, encryption, and authentication directly on the security key.

Linux setup
FIDO2 / passkeys work out of the box. The other features (PIV, OpenPGP, and on-device OTP) use the smart-card channel, which needs a quick one-time setup - our script does it for you.
These features need libccid 1.7.0+ to recognize your key. Stable distros (Mint, Ubuntu, Debian) ship an older driver, so the setup script registers your key automatically; on newer systems it simply confirms everything and skips that step.
Download the AppImage and token2-linux-setup.sh (links below), then run:
    chmod +x token2-linux-setup.sh
    chmod +x Token2_Companion_*.AppImage
    ./token2-linux-setup.sh
Unplug and replug your key, then launch the app - all tabs will work.
chmod marks a downloaded file as runnable. No terminal? Right-click each file -> Properties -> Permissions -> tick "Allow executing file as program."
Downloads