T2F2 TOTP Authenticator

ⓘ Please note that this app is designed for our second-generation keys (the ones with the TOTP feature, such as T2F2-ALU, T2F2-NFC, T2F2-NFC-Slim, T2F2-Bio and T2F2-Bio2). The first-generation keys, such as T2F2 or T2F2-TypeC, only have the HOTP feature in addition to standard FIDO2 and cannot be used for TOTP authentication.
Our second-generation FIDO2 keys can emulate the TOTP protocol through our Companion app. While this offers the highest level of security such devices can provide (the TOTP secret lives in the key, which generates every code), the user experience is still far from ideal. For example, to perform a TOTP-protected login on a Windows machine using the Companion app, the user has to perform the following actions:

  1. Plug the FIDO2 key into a USB port
  2. Launch the companion app
  3. Browse through the existing TOTP profiles and find the one needed for the login
  4. Double-click on the profile badge (this will copy the OTP to the clipboard)
  5. Go back to the login page that requests the TOTP 
  6. Paste the OTP from the clipboard
  7. Complete the process by clicking Submit or by hitting the Enter key

So, seven steps for a relatively simple operation. This may be fine if the login is done once a day, but some systems require it far more often, and then the procedure quickly becomes a headache.

In an effort to improve this experience (at least on Windows), we have created a new application called T2F2 TOTP Authenticator.

T2F2 TOTP Authenticator is a modified version of the Companion app with several improvements (the full list is given in the last section of this guide), the main one being the "Auto OTP" function.

Auto OTP feature

The idea is simple: a keyboard shortcut (hotkey) makes the app send the OTP generated for a particular account as keystrokes to the control that currently has keyboard focus. When the user needs to enter the OTP, instead of performing the seven steps described earlier, pressing a hotkey (e.g. Ctrl+Alt+Z) is enough. Because the digits go to whatever control has focus, place the cursor in the OTP field before pressing the hotkey; with the autoEnter setting enabled (see below) the form is submitted immediately afterwards.

For technical reasons, the shortcut selection is limited to left Ctrl + Alt + one of a fixed set of letters that do not conflict with other shortcuts.

In summary, instead of a seven-step procedure, logging in with the TOTP Authenticator app requires just three steps (plug in the key, launch the app, press the hotkey); if the FIDO2 key is already plugged in and the app is already running, the process requires only one action: pressing the hotkey combination.

Please note that the T2F2 security keys with TOTP can hold up to 50 TOTP profiles, but only one profile can be used with the Auto OTP feature.

The interface explained

The app looks similar to the Companion app, but only the TOTP feature is implemented. As already explained, only one TOTP profile can be used with the Auto OTP feature; that profile is marked by a special tag (the string [A]) appended to its issuer value.

Deployment and configuration

Unlike the Companion app, TOTP Authenticator is a self-contained single-file executable, so it can be deployed centrally. Its settings can be delivered together with the executable (by default, the ini file is created on the first run). The ini file is located at %APPDATA%\T2TOTP.ini (e.g. C:\Users\yourUsername\AppData\Roaming\T2TOTP.ini) and contains only the following values:

hotKey= 1 ;; the second key of the hotkey combination (Ctrl + Alt + Letter), 0=A,1=B,2=C,3=F,4=N,5=Q,6=S,7=V,8=X,9=Z
autoEnter= 1 ;; defines whether to send the 'Enter' keystroke after OTP (1 or 0, 0 disables the feature)

The same settings can also be set from the GUI, via the Manage -> HotKey Setting dialog.

Adding a TOTP Profile

The procedure is similar to the steps explained for the Companion app, with some differences (e.g. we removed the QR-scanning functionality to keep the executable as small as possible). Below we explain how a TOTP profile can be provisioned, using Office 365 / Azure MFA as an example.

⚠ Please note that the devices used with this app are full-featured FIDO2 keys and can be used with the more secure Azure passwordless method instead of Azure MFA. We strongly recommend the passwordless method whenever possible; however, we understand that there are many use cases where Azure MFA is still needed.

Follow the steps below to add an Office 365 TOTP profile to your second-generation T2F2 security key. Have your key plugged in and the T2F2 TOTP Authenticator app running before starting.
Step 1. Retrieve the TOTP secret key
Log in to your Office 365 account and navigate to the Security info page: https://mysignins.microsoft.com/security-info

From the Security info page, select "Add Method", then "Authenticator App" from the list.

Click "Add" to proceed to the next step. By default, it prompts you to set up Microsoft Authenticator, which uses a different protocol that cannot be transferred to our hardware tokens. Click "I want to use a different authenticator app" to get a standard TOTP QR code instead.

On the next window, click "Next" to display the QR code.

On the 'Scan the QR code' page, click 'Can't scan image?' and copy the secret key (it will be used in the next step). Treat this value like a password: it is the long-term secret from which every OTP is derived, so do not store it anywhere other than the security key.

Keep this window open, we will complete the verification after the next step is done.


Step 2. Add the TOTP secret to your FIDO2 security key

In the TOTP Authenticator app, click the "+" (Add account) button to open the TOTP account creation form.

Fill in the OTP account creation form as described below:

- Issuer: identifies the system this OTP will be used for. You can use "O365" for this field.

Important! If you want to use this profile with the Auto OTP feature, make sure you add the [A] tag to the issuer field, either manually or by clicking the 'append [A] tag' button. The tag cannot be added after the profile has been created (see the FAQ). We enable it in our example.

- Account name: your username

- Secret key: paste or type the secret key retrieved in the previous step


Click the "ADD" button to finish adding the profile. The profile should now appear in the list.

Now we are ready to complete the MFA enrollment in Office 365. Go back to the Security info page left open in Step 1 and click Next; on the next window, enter the OTP code displayed on the TOTP profile.

You can use this window as your first chance to try the Auto OTP feature. If you set the [A] tag on this TOTP profile, instead of typing the 6 digits manually (or copy-pasting via the clipboard), put the cursor in the code field and press Ctrl+Alt+Z (or the hotkey you configured) to enter them.
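The 6-digit value the key shows on the profile (and that Auto OTP types for you) is a standard RFC 6238 TOTP computed from the secret pasted in Step 2, so it can be cross-checked against any independent implementation. The script below is an added worked example written for this guide; it is not code from the T2F2 TOTP Authenticator, the Companion app or Microsoft. It assumes the Office 365 defaults (HMAC-SHA1, 6 digits, 30-second time step, base32-encoded secret) and uses the public RFC 4226/6238 test key as constructed sample input rather than a real secret. The `verify` function goes slightly beyond the page: it shows the server-side check with a one-step clock-drift window, which is how most services tolerate a small clock difference between the PC and the server.

```python
"""RFC 6238 TOTP reference computation (added example, not the T2F2 app's own code).

Assumptions: Office 365 / Azure MFA defaults, i.e. HMAC-SHA1, 6 digits,
30-second step, base32 secret as shown on the 'Can't scan image?' page.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def normalize_secret(secret: str) -> bytes:
    """Decode the secret the way it is displayed by the provider.

    Providers show the key in space-separated groups, sometimes lower-case and
    without padding; base32 decoding needs upper-case, no separators and '='
    padding to a multiple of 8 characters.
    """
    cleaned = "".join(secret.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(normalize_secret(secret), at // step, digits)


def verify(secret: str, code: str, at: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps (clock drift), using a constant-time comparison for each candidate."""
    if at is None:
        at = int(time.time())
    key = normalize_secret(secret)
    counter = at // step
    return any(
        hmac.compare_digest(hotp(key, counter + drift), code)
        for drift in range(-window, window + 1)
    )


# Constructed sample input: the RFC 4226 / RFC 6238 test key "12345678901234567890",
# base32-encoded and formatted the way a provider would display it. Public test
# data only; never paste a real secret into a script you do not control.
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    print("code at t=59 (RFC vector):", totp(SAMPLE_SECRET, at=59))
    print("code now:                 ", totp(SAMPLE_SECRET))
    print("verify 287082 at t=59:    ", verify(SAMPLE_SECRET, "287082", at=59))
```

To cross-check the key, replace SAMPLE_SECRET with the secret you copied (and delete the script afterwards), run it while the profile is visible in the app, and compare the two codes; a mismatch is almost always a mistyped secret (extra characters, wrong case) or a wrong PC clock, since the code depends only on the secret and the current time.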

FAQ

Q: Can I enable Auto OTP on an existing TOTP profile?

A: No. The [A] tag can only be set when the TOTP profile is created. For security reasons, the key's API does not allow modifying the settings of a TOTP slot once it has been written.

Q: Can I have more than one Auto OTP enabled profile?
A: The tag (the [A] string) is just text appended to the profile name, so technically you can have more than one profile carrying it. However, only one of them is used for the Auto OTP feature: the list is sorted alphabetically and the last tagged profile wins.


Download 

You can download the T2F2 TOTP Authenticator below. Its specifications are as follows:

Type: standalone exe (portable)
Size: 1.4MB
Admin rights required: No


download T2F2 TOTP Authenticator for Windows