Token2 NFC Burner for Molto 0.1 - Windows App

How to burn a TOTP profile onto Token2 Molto-1 hardware token using Windows Token2 NFC Burner for Molto 0.1.2 beta

Release history:
v0.1.2 beta:  QR scanning features added. An alert message will be shown if the app is used on non-Molto devices. Issue with PIN code resolved.
v0.1.2 beta: An additional tool was added for Molto-1-i devices. Located in the same folder, PIN-Changer.exe allows managing PIN code protection of the device

Step1. Download and launch the app. It is a zip file with an exe inside to launch – no installation needed, just make sure the files inside the zip file are extracted into the same directory.

download Windows TOKEN2NFCBurnerMolto0.1.2B


Important: The folder the exe file is placed in should be writable by the current user (as it creates a couple of temporary files in the same directory).

Step2. In the “NFC Reader” section, select the NFC reader and click on Connect. A message box should pop up with a “Successful operation” message.

Token2 NFC Burner for Molto 0.1 - Windows App




 Step3. Turn off the Molto-1 device if powered on, then long-press the power button (for about 5-7 seconds). This should enable “Programming mode” on the device.

Token2 NFC Burner for Molto 0.1 - Windows App


Step4. Place the device on the NFC Reader pad. The serial number of the device should appear in the status section.

Token2 NFC Burner for Molto 0.1 - Windows App

Step5. Before burning the seed, you may need to configure the profile settings. The profile settings can be set in the TOTP Profile configuration section. By default, the Profile #0 is set as SHA1, 30 seconds and with the profile name “Token2”. Other 9 profiles are not configured, and if you want to utilize them, you must set the profile settings as shown in the example below:


Example 1. Setting TOTP Profile #3 as 60 seconds, SHA256 and 8 digits with a profile name of “Test”

a) Select the profile number in the “Profile” section

Token2 NFC Burner for Molto 0.1 - Windows App

b) Enter “Test” in the Name field and click on “Set Profile Name”

Token2 NFC Burner for Molto 0.1 - Windows App


c) Configure the TOTP Settings in the section below the profile name and click on “apply config” button

Token2 NFC Burner for Molto 0.1 - Windows App



Please note that by default the clock of each TOTP profile is synced with your PC’s system time. If you want to manually change the time, uncheck the “clock update” checkbox. If you do not wish to change the time setting on the profile, check “no time sync” checkbox before clicking on “apply config”.

Burning the seeds

Once you have configured the TOTP profile settings (time offset, algorithm etc.) you can burn the seed. Make sure the device is in programming mode (If not, turn off the Molto-1 device if powered on, then long-press the power button for about 5-7 seconds - this should enable “Programming mode” on the device). 

  • Enter the seed (in base32 format) or click on "random" button to generate a random seed.
  • Then, place the token onto the NFC module and wait for its serial number to appear. 
  • Click on "Burn seed" button. A log entry with the serial number and "Successful operation" text will be logged in the log window.

Token2 NFC Burner for Molto 0.1 - Windows App


Advanced settings

The NFC Burner app also allows configuring advanced parameters as described below. Kindly note that these settings are global (i.e. not per TOTP profile).

QR Code operations
Starting from version 0.1.2 β, you can extract the base32 secrets from an image containing a QR code. You can scan the QR shown on the screen (the app will minimize itself, take a screenshot and then look for a QR code containing the TOTP seed) or decode from an image file. Only one QR code should be present at a time.

Token2 NFC Burner for Molto 0.1 - Windows App

Customer Key
You can change the customer key of your Molto-1 device to make sure nobody else can change the settings of your TOTP profiles. The app should have the correct customer key entered in the system configuration to allow to perform TOTP Profile configuration changes and burning the seeds. To prevent brute-force attacks, the system will perform a factory reset after 200 unsuccessful attempts. Please note that currently, the key is only accepted if set as a hex string.

Token2 NFC Burner for Molto 0.1 - Windows App


You can generate a random hex key using the button below


After changing the key, make sure you also update the configuration by entering the new seed in System Configuration -> Configure Customer Key

Token2 NFC Burner for Molto 0.1 - Windows App

Standby time

The display of the hardware token automatically turns off after a certain period of time. You can change this period in the “Standby time” section. Just choose one of the 4 options and click on “change standby time”.

Token2 NFC Burner for Molto 0.1 - Windows App

Factory reset

If for some reason, you want to clean all profiles or in case you forgot the customer key and want to set a new one, you can use the factory reset button. Kindly note that this operation will not only delete all TOTP seeds but also clear the configuration, including the time settings and the default profile settings.

Token2 NFC Burner for Molto 0.1 - Windows App


After the reset, you can access the device using the default customer key, which can be set using the "default key" button



PIN Code (Molto-1-i devices only)
An additional tool located in the same folder, PIN-Changer.exe allows managing PIN code protection of the device.

Token2 NFC Burner for Molto 0.1 - Windows App

You can set the PIN of 6 digits for the OTP device by entering a 6 digits PIN and ‘Apply PIN Change’ button  (No PIN is set by default). If the PIN fails for more than a predetermined number of times, the device will be reset. To remove the PIN, leave the PIN field empty and press "Apply PIN Change" button again.  For both setting and removing the PIN code, it is also necessary to complete the PIN set operation by pressing the 0 key on the OTP token when it prompts.

Token2 NFC Burner for Molto 0.1 - Windows App

To ensure the security of your device, it's essential not only to set a PIN, but also to change the default customer key. When the customer key remains in its default state, it could enable individuals with physical access to the device to easily remove the PIN and potentially access the OTP generated. Changing the customer key, even without altering the PIN, adds an extra layer of protection to safeguard your device and data from unauthorized access.