Token2 Companion - Rust edition - Keyroost
Token2 Companion - Rust edition is an open-source, cross-platform desktop tool for managing Token2 PIN+ / T2F2 keys and security keys from any vendor. It is built on keyroost, an independent open-source Rust toolchain for hardware security keys, and brings the Token2 Companion App's capabilities to Windows, macOS, and Linux - fully open source.
Why this edition exists
The Token2 Companion App manages our FIDO2 keys - OTP, FIDO / passkeys, PIV, and OpenPGP. Token2 Companion - Rust edition is an open-source sibling to it, built on an existing, auditable key-management engine rather than from scratch, to address two things the original could not: be fully open, and run natively on Linux.
It is a Token2-focused edition of keyroost, with added support for the Token2 on-device OTP applet and the correct Token2 PIN+ defaults. The engine underneath is vendor-neutral, and our additions are contributed back upstream so every key manager built on keyroost benefits.
What makes it different
Universal - not Token2-only
It manages security keys from any brand, not just Token2 - FIDO2 / passkeys, OATH TOTP/HOTP, OpenPGP, and PIV over the same open standards. Token2 keys gain extra support (the on-device OTP feature and Token2 PIN+ defaults); any other vendor's key still works.

Screenshot: Managing a YubiKey device
Cross-platform - including Linux
A single codebase runs on Windows, macOS, and Linux. A native Linux build of our own Companion App is challenging for us to release, so we maintain this edition specifically to give our Linux customers a way to manage their keys - with Windows and macOS covered as well.
Fully open source
The entire tool is open source, implemented from public standards with no vendor SDKs, so anyone can read, audit, build, and extend it. It now replicates the Token2 Companion App's features, including fingerprint (biometric) management, which has been contributed upstream to keyroost so every key manager built on the engine benefits - not only this edition.
Feature parity at a glance
- Device information - serial number, applets present, and connection status.
- Device metadata (FIDO MDS) - on the Overview tab, the key's vendor name and icon, FIDO certification level and date, protocol family, and supported versions, looked up by its AAGUID.
- (new) On-device OTP - list, add, and delete TOTP / HOTP credentials, with a live countdown for time-based codes and a one-tap Read button for touch-protected entries.
- HID-HOTP (button-press code) - set up the keystroke HOTP slot and change its typing options (Send Enter, long touch, numeric keypad), and enable or disable the keyboard (HID) interface.
- FIDO2 / passkeys - PIN setup, passkey listing and removal, and device reset.
- Fingerprint management - enroll, rename, and delete fingerprints on biometric keys, from the Passkeys tab.
- (new) PIV - PIN / PUK / management-key operations and certificates, with the correct Token2 PIN+ defaults.
- OpenPGP - on-card signing, encryption, and authentication keys.
- Clearer messages - device errors are explained in plain language; for example, a rejected PIN change on a PIN+ key now tells you the new PIN doesn't meet the key's complexity policy.
- (new) USB connection - keys are managed over USB. Management over NFC is not supported yet.
Screenshot: Device overview, showing available applets, device information, and FIDO certification metadata
On-device OTP credentials
The application provides full access to the Token2 on-device OTP applet, letting you add, view, and remove TOTP and HOTP credentials directly on the key. Time-based codes show a countdown ring and refresh automatically; entries that require a touch are revealed with a single Read button.
HID-HOTP (button-press keystroke code)
The on-device OTP tab also configures the HID-HOTP slot - the code the key types like a keyboard when you touch it. You can set or replace its secret, change the typing options (Send Enter, long touch, numeric keypad) without re-entering the secret, and enable or disable the keyboard (HID) interface from the same place.

FIDO2 / passkeys
Configure the FIDO2 PIN, view resident credentials (passkeys), remove credentials, and reset the FIDO2 application when needed.


Fingerprint management
On biometric keys, the Passkeys tab lets you enroll, rename, and delete fingerprints stored on the key.

After unlocking with the FIDO2 PIN, follow the on-screen prompts to capture a fingerprint; enrolled fingerprints can then satisfy user verification by touch instead of typing the PIN. The fingerprint templates never leave the key. (new)
PIV certificates
The PIV section manages PINs, PUKs, management keys, certificates, and key slots using the correct Token2 PIN+ defaults.

OpenPGP keys
Create, import, and manage OpenPGP keys used for signing, encryption, and authentication directly on the security key.

Linux setup
FIDO2 / passkeys work out of the box. The other features (PIV, OpenPGP, and on-device OTP) use the smart-card channel, which needs a quick one-time setup - our script does it for you.
These features need libccid 1.7.0+ to recognize your key. Stable distros (Mint, Ubuntu, Debian) ship an older driver, so the setup script registers your key automatically; on newer systems it simply confirms everything and skips that step.
Download the AppImage and token2-linux-setup.sh (links below), then run:
chmod +x token2-linux-setup.sh
chmod +x Token2_Companion_*.AppImage
./token2-linux-setup.sh
Unplug and replug your key, then launch the app - all tabs will work.
chmod marks a downloaded file as runnable. No terminal? Right-click each file -> Properties -> Permissions -> tick "Allow executing file as program."
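To see which of the two cases above applies before running the setup script, the following added example (not Token2's or keyroost's code) reads the installed libccid version and compares it with the 1.7.0 minimum stated on this page. The package name `libccid`, the use of `dpkg-query` on Debian-family systems, and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's setup script.
REQUIRED_CCID="1.7.0"   # minimum libccid version stated on this page

# Strip a Debian-style epoch ("1:") and everything from the first -, + or ~.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# version_at_least HAVE NEED: true when HAVE >= NEED (relies on sort -V).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# ccid_status VERSION: prints ok, too-old, or unknown (empty/unparseable input).
ccid_status() {
    v=$(upstream_version "$1")
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    if version_at_least "$v" "$REQUIRED_CCID"; then echo ok; else echo too-old; fi
}

# Assumption: Debian-family system where the driver package is named libccid.
installed_ccid_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Version}' libccid 2>/dev/null || true
}

installed=$(installed_ccid_version)
case "$(ccid_status "$installed")" in
    ok)      echo "libccid $installed meets $REQUIRED_CCID; the setup script should skip registration." ;;
    too-old) echo "libccid $installed is older than $REQUIRED_CCID; the setup script has to register the key." ;;
    *)       echo "libccid version not found via dpkg-query." ;;
esac
```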
Downloads