PIN+ Firmware - Feature Support Matrix: OpenPGP, FIDO2, OTP, and PIV Across Releases
About PIN+ Security Keys
The Token2 FIDO2 PIN+ series enforces strong PIN complexity at the firmware level, going beyond standard FIDO2 requirements. It blocks weak numeric PINs (like 123456 or 111111) and requires alphanumeric PINs to be at least 10 characters long, combining letters, numbers, and symbols. This makes it one of the most secure FIDO2 keys available, reducing the risk of unauthorized access even if the device is lost or stolen. The FIDO2 applet of the PIN+ firmware is open-source and publicly audited.This table outlines the supported features and capabilities for OpenPGP, FIDO2, OTP, and PIV across different firmware releases. It provides a detailed comparison of cryptographic algorithms, passkey support, OTP functionality, and compatibility options (such as USB management on iOS). Use this matrix to identify the features available in each release and plan upgrades or deployments accordingly.
| Release | OpenPGP | FIDO2 | OTP | PIV |
|---|---|---|---|---|
| Release 1 and earlier | Not supported | Supports up to 50 passkeys | TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records | Not supported |
| Release 2 | Not supported | Supports up to 300 passkeys | TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records | Not supported |
| Release 3 |
RSA2048; ECC: secp256r1, secp256k1, secp384r1, secp521r1 User Interaction Flags (UIF): not supported Curve25519: not supported |
Supports up to 300 passkeys FIDO2 management via USB on iOS |
TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records | Not supported |
| Release 3.1 |
RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519 User Interaction Flags (UIF) |
Supports up to 300 passkeys FIDO2 management via USB on iOS |
TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records | Not supported |
| Release 3.2 |
RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519 User Interaction Flags (UIF) KDF |
Supports up to 300 passkeys FIDO2 management via USB on iOS |
TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records HID-HOTP disabled by default |
Not supported |
| Release 3.3 (Under Development) |
RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519 User Interaction Flags (UIF) KDF |
Supports up to 300 passkeys FIDO2 management via USB on iOS User Verification (always_uv) enabled by default NFC timeouts aligned with FIDO specs |
TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records HID-HOTP disabled by default |
PIV: NIST SP 800-73-4 compliant with RSA2048/3072/4096 support |
PIN+ Serial Number Prefix Reference
This table provides an overview of the serial number prefixes assigned to different versions and form factors of the Token2 PIN+ devices. Each prefix identifies the product generation (Initial, R2, R3, R3.1, R3.2, R3.3) as well as the form factor (USB-A, USB-C, Dual, Bio, Mini, or Card) and, where applicable, branding (Token2, unbranded, or custom-branded editions). The prefixes are followed by a checking digit and a random sequence, ensuring uniqueness while allowing easy identification of the device type and revision.
| Revision | Model | Branding | Prefix |
|---|---|---|---|
| Initial (R1) | USB-A (FD4) | Token2 logo | 86105 |
| Initial (R1) | USB-C (FD7) | Token2 logo | 86104 |
| Initial (R1) | Dual (FD8) | Token2 logo | 86103 |
| Initial (R1) | Card (Token2 logo) | Token2 logo | 86202 |
| R2 | USB-A (FD4) | Token2 logo | 96105 |
| R2 | USB-C (FD7) | Token2 logo | 96104 |
| R2 | Dual (FD8) | Token2 logo | 96103 |
| R2 | Dual (FD8) | No logo | 23103 |
| R3 | Dual (FD8) | Token2 logo | 76103 |
| R3 | Card (Token2 logo) | Token2 logo | 76202 |
| R3 | Card (unbranded, no chip) | No logo | 86106 |
| R3 | Card (unbranded, with chip) | No logo | 76106 |
| R3.1 | USB-A (FD4) | Token2 logo | 76105 |
| R3.1 | USB-A (FD4) | Unbranded | 26105 |
| R3.1 | Mini USB-C key | — | 72102 |
| R3.1 | Custom system access card | Special branded (contact7816+NFC) | 70000001–70002000 |
| R3.2 | Dual (FD8) | Token2 logo | 77103 |
| R3.2 | Slim Dual (FD8) | Unbranded | 24103 |
| R3.2 | Mini USB-A key | — | 72101 |
| R3.2 | Bio3 Dual A+C (ZK5) | Branded | 72103 |
| R3.2 | Bio3 Dual A+C (ZK5) | Unbranded | 22103 |
| R3.3 (PIV) | USB-A (FD4) | Branded | 66105 |
| R3.3 (PIV) | USB-C (FD7) | Branded | 66104 |
| R3.3 (PIV) | Dual (FD8) | Branded | 66103 |
| R3.3 (PIV) | USB-A (FD4) | Unbranded | 66107 |
| R3.3 (PIV) | USB-C (FD7) | Unbranded | 66106 |
| R3.3 (PIV) | Dual (FD8) | Unbranded (Octo) | 66113 |
| R3.3 (PIV) | FIDO Card | Branded (Token2 logo) | 66202 |
| R3.3 (PIV) | FIDO Card | Unbranded (white) | 66102 |
| R3.3 (PIV) | Mini USB-A PIV | — | 66101 |
| R3.3 (PIV) | Mini USB-C PIV | — | 66111 |
| R3.3 (PIV) | Dual Bio3 | Branded | 72113 |
| R3.3 (PIV) | Dual Bio3 | Unbranded | 24133 |
VID/PID Reference for PIN+ Devices
This table lists the USB Vendor ID (VID) and Product IDs (PIDs) used by different
generations and variants of the Token2 PIN+ devices. The VID 0x349E is
assigned to Token2 SĂ rl. Each PID corresponds to a specific
operating mode or function (FIDO, OTP, PGP, or combinations).
| VID | Version / Device | Function | PID |
|---|---|---|---|
| 0x349E | PIN+ R1 / PIN+ R2 | FIDO Channel | 0x0020 |
| PIN+ R1 / PIN+ R2 | OTP | 0x0021 | |
| PIN+ R1 / PIN+ R2 | FIDO + OTP Channel | 0x0022 | |
| 0x349E | PIN+ R3 / R3.1 / R3.2 / R3.3 | FIDO | 0x0020 |
| PIN+ R3 / R3.1 / R3.2 / R3.3 | OTP | 0x0021 | |
| PIN+ R3 / R3.1 / R3.2 / R3.3 | FIDO + OTP | 0x0022 | |
| PIN+ R3 / R3.1 / R3.2 / R3.3 | OTP + PGP | 0x0023 | |
| PIN+ R3 / R3.1 / R3.2 / R3.3 | FIDO + PGP | 0x0024 | |
| PIN+ R3 / R3.1 / R3.2 / R3.3 | PGP | 0x0025 | |
| PIN+ R3 / R3.1 / R3.2 / R3.3 | OTP + PGP + FIDO (default) | 0x0026 | |
| 0x349E | Mini USB A/C R3 | FIDO | 0x0010 |
| Mini USB A/C R3 | OTP | 0x0011 | |
| Mini USB A/C R3 | FIDO + OTP | 0x0012 | |
| Mini USB A/C R3 | OTP + PGP | 0x0013 | |
| Mini USB A/C R3 | FIDO + PGP | 0x0014 | |
| Mini USB A/C R3 | PGP | 0x0015 | |
| Mini USB A/C R3 | OTP + PGP + FIDO (default) | 0x0016 | |
| 0x349E | Bio3 Dual A+C Key R3.2 | FIDO | 0x0200 |
| Bio3 Dual A+C Key R3.2 | OTP | 0x0201 | |
| Bio3 Dual A+C Key R3.2 | FIDO + OTP | 0x0202 | |
| Bio3 Dual A+C Key R3.2 | OTP + PGP | 0x0203 | |
| Bio3 Dual A+C Key R3.2 | FIDO + PGP | 0x0204 | |
| Bio3 Dual A+C Key R3.2 | PGP | 0x0205 | |
| Bio3 Dual A+C Key R3.2 | OTP + PGP + FIDO (default) | 0x0206 |
Default PIN, PUK and Admin PIN
FIDO Applets
- No PIN is set by default — you must set one.
- FIDO2.1 Manager requires a PIN to be entered.
- For new devices,
0000will be accepted only to launch the tool, after which you must set a PIN. - PIN complexity rules apply:
- Octo firmware: minimum 8 digits
- PIN+ devices: minimum 6 digits
PIV Applet Defaults (R3.3 and newer)
| Type | Default Value |
|---|---|
| Default User PIN (6 digit) | 865362 |
| Default User PIN for Octo models (8 digit) | 88653622 |
| Default PUK | 86536286 |
| Default Admin PIN | 865362865362865362865362865362865362865362865362 |
OTP Applet
- The OTP applet is not protected with a PIN by design.
- OTP is always used together with a password, so adding a PIN would not increase security, but only reduce convenience by introducing unnecessary user friction.
- A PIN on OTP may also create a false impression of additional security, since OTP is inherently less secure by design.
- For stronger protection, FIDO2 or PIV authentication is recommended wherever possible.
Subscribe to our mailing list
Want to keep up-to-date with the latest Token2 news, projects and events? Join our mailing list!