Hardware-based MFA tokens – Token2 main use cases and solutions

Using a mobile app for MFA (also known as a software authenticator) is the easiest and most cost-effective way to add strong authentication. However, there are cases where mobile apps cannot be used, for example when a user refuses to use their mobile or home phone for authentication. Other scenarios include internal policies, government laws, or environmental factors, such as a factory where mobile phones are forbidden to minimize the risk of explosions.

IS Decisions has partnered with Token2 to provide hardware devices that serve as the second factor for secure user authentication with the UserLock solution.

Token2 and Hardware MFA Tokens

Token2 Sarl is a Swiss company specializing in multifactor authentication products. Token2 was formerly part of a multifactor authentication research project at the University of Geneva, which led to a spin-off startup company in 2013. Token2 is listed as a featured hardware token supplier by organizations such as Microsoft, Red Hat, the US Government, the Government of Geneva, Valais and Vaud, many European and US universities, and others.

Token2 provides two different types of hardware authenticators that can be used as part of the UserLock infrastructure to protect your users.

Programmable TOTP tokens

Token2 programmable TOTP tokens come in different variations and form factors but share the same principle: they act as a drop-in replacement for software authenticator apps and can be deployed in a similar way.

When the UserLock MFA wizard prompts you to scan a QR code with a mobile app, it is easy to use a hardware TOTP token instead: scan the QR code with one of Token2's token provisioning apps (NFC burner for NFC-programmable tokens, or USB Config tool for USB-programmable ones). Subsequent user logins require nothing else: the hardware token works as a completely standalone, offline OTP generator.


Read the doc
How to enroll and use Token2 programmable TOTP tokens with UserLock MFA

USB Security keys

Starting from version 11, UserLock natively supports Token2 T2F2 Security keys (second-generation only: ALU/AZ and NFC) by utilizing the HOTP functionality of these keys. Although the concept is similar to the TOTP tokens, the provisioning and the login procedures are different.


First of all, no additional device or app is needed with USB Security keys: the provisioning is implemented natively by the UserLock agent.

Furthermore, no sensitive information is transferred over to the user - in contrast to the provisioning QR code with TOTP, which contains the secret required for generating the OTP codes. With HOTP provisioning, the secret is written directly onto the device without transferring it elsewhere. The user experience is also better, both when provisioning and when logging in.
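To illustrate why the TOTP provisioning QR code has to be handled as a secret, the following added example (not UserLock or Token2 code) assumes the QR code carries the widely used `otpauth://` key URI format and shows that the secret recovered from it is all that is needed to compute the same codes as the token, using the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms. The URI, account name and issuer are constructed sample values built around the RFC 4226 test secret.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, urlparse

# Constructed sample payload (assumption: otpauth:// key URI format).
# The secret is the RFC 4226 test key "12345678901234567890" in base32.
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/Example:alice?"
    "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

def parse_otpauth(uri):
    """Return (kind, secret_bytes, digits, period) from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore padding that URIs usually strip
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return u.netloc, base64.b32decode(b32), digits, period

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238: HOTP where the counter is the current time step."""
    return hotp(secret, int(unix_time) // period, digits)

if __name__ == "__main__":
    kind, secret, digits, period = parse_otpauth(SAMPLE_QR_PAYLOAD)
    print("type:", kind, "| secret length:", len(secret), "bytes")
    # Whoever holds the QR payload can compute the code for any time step.
    print("TOTP at t=59:", totp(secret, 59, digits, period))
    # HOTP uses the same secret with an event counter instead of the clock.
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
```

With HOTP provisioning as described above, no such payload is ever shown to the user, so there is nothing equivalent to capture from a screen or screenshot.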

During the MFA enrollment process, if a compatible Token2 key is detected, the system will display a “Link Token2” button to start the process.


Logging in with a Token2 USB Security key is even easier. When the MFA prompt asks you to enter the OTP, pressing the physical button on the USB key is enough to log in. This will populate the OTP field and submit it, as the keys are configured to send the “Enter” key together with the OTP digits by default.


Read the doc
How to enroll and use Token2 USB Security keys with UserLock MFA