Docs

Guides

Blog

Tools

PIN+ Firmware - Feature Support Matrix: OpenPGP, FIDO2, OTP, and PIV Across Releases

About PIN+ Security Keys
The Token2 FIDO2 PIN+ series enforces strong PIN complexity at the firmware level, going beyond standard FIDO2 requirements. It blocks weak numeric PINs (like 123456 or 111111) and requires alphanumeric PINs to be at least 10 characters long, combining letters, numbers, and symbols. This makes it one of the most secure FIDO2 keys available, reducing the risk of unauthorized access even if the device is lost or stolen. The FIDO2 applet of the PIN+ firmware is open-source and publicly audited.


This table outlines the supported features and capabilities for OpenPGP, FIDO2, OTP, and PIV across different firmware releases. It provides a detailed comparison of cryptographic algorithms, passkey support, OTP functionality, and compatibility options (such as USB management on iOS). Use this matrix to identify the features available in each release and plan upgrades or deployments accordingly.


Release OpenPGP FIDO2 OTP PIV
Release 1 and earlier Not supported Supports up to 50 passkeys TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 2 Not supported Supports up to 300 passkeys TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 3 RSA2048; ECC: secp256r1, secp256k1, secp384r1, secp521r1
User Interaction Flags (UIF): not supported
Curve25519: not supported 		Supports up to 300 passkeys
FIDO2 management via USB on iOS 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 3.1 RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519
User Interaction Flags (UIF) 		Supports up to 300 passkeys
FIDO2 management via USB on iOS 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records Not supported
Release 3.2 RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519
User Interaction Flags (UIF)
KDF 		Supports up to 300 passkeys
FIDO2 management via USB on iOS 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records
HID-HOTP disabled by default 		Not supported
Release 3.3
(Under Development)		 RSA2048, RSA3072, RSA4096, secp256r1, secp256k1, secp384r1, secp521r1, ed25519, x25519
User Interaction Flags (UIF)
KDF 		Supports up to 300 passkeys
FIDO2 management via USB on iOS
User Verification (always_uv) enabled by default
NFC timeouts aligned with FIDO specs 		TOTP (SHA-1, SHA-256); HOTP (SHA-1, SHA-256) – 50 OTP records
HID-HOTP disabled by default 		PIV: NIST SP 800-73-4 compliant with RSA2048/3072/4096 support

PIN+ Serial Number Prefix Reference
This table provides an overview of the serial number prefixes assigned to different versions and form factors of the Token2 PIN+ devices. Each prefix identifies the product generation (Initial, R2, R3, R3.1, R3.2, R3.3) as well as the form factor (USB-A, USB-C, Dual, Bio, Mini, or Card) and, where applicable, branding (Token2, unbranded, or custom-branded editions). The prefixes are followed by a checking digit and a random sequence, ensuring uniqueness while allowing easy identification of the device type and revision.

Version Form Factor Branding Serial Prefix
Initial PIN+ (R1) USB-A (FD4)—86105
Initial PIN+ (R1) USB-C (FD7)—86104
Initial PIN+ (R1) Dual (FD8)—86103
Initial PIN+ (R1)FIDO CardToken286202
PIN+ R2 USB-A (FD4)Token296105
PIN+ R2 USB-C (FD7)Token296104
PIN+ R2 Dual (FD8)Token296103
PIN+ R2 Dual (FD8)Custom Branding23103
PIN+ R3 Dual (FD8)—76103
PIN+ R3FIDO CardToken276202
PIN+ R3FIDO CardUnbranded86106
PIN+ R3.1 USB-A (FD4)Token276105
PIN+ R3.1 USB-A (FD4)Unbranded26105
PIN+ R3.1Mini USB-C key—72102
PIN+ R3.1Custom System Access CardCustom Branding70000001–70002000
PIN+ R3.2 Dual (FD8)Token277103
PIN+ R3.2 Dual (FD8)Unbranded24103
PIN+ R3.2Mini USB-A key—72101
PIN+ R3.2Bio3 Dual A+C keyToken272103
PIN+ R3.2Bio3 Dual A+C keyUnbranded22103
PIN+ R3.3 (PIV) USB-A (FD4)Token266105
PIN+ R3.3 (PIV) USB-C (FD7)Token266104
PIN+ R3.3 (PIV) USB-A (FD4)Unbranded66107
PIN+ R3.3 (PIV) USB-C (FD7)Unbranded66106
PIN+ R3.3 (PIV) Dual (FD8)—66103
PIN+ R3.3 (PIV)Dual Octo Unbranded66113
PIN+ R3.3 (PIV)FIDO CardToken266202
PIN+ R3.3 (PIV)FIDO CardUnbranded (White)66102
PIN+ R3.3 (PIV)Mini USB-C PIVToken266111
PIN+ R3.3 (PIV)Mini USB-A PIVToken266101
PIN+ R3.3 (PIV)Dual Bio3 PIVToken272113
PIN+ R3.3 (PIV)Dual Bio3 PIVUnbranded24133

VID/PID Reference for PIN+ Devices

This table lists the USB Vendor ID (VID) and Product IDs (PIDs) used by different generations and variants of the Token2 PIN+ devices. The VID 0x349E is assigned to Token2 SĂ rl. Each PID corresponds to a specific operating mode or function (FIDO, OTP, PGP, or combinations).

VID Version / Device Function PID
0x349EPIN+ R1 / PIN+ R2FIDO Channel0x0020
PIN+ R1 / PIN+ R2OTP 0x0021
PIN+ R1 / PIN+ R2FIDO + OTP Channel0x0022
0x349EPIN+ R3 / R3.1 / R3.2 / R3.3FIDO0x0020
PIN+ R3 / R3.1 / R3.2 / R3.3OTP0x0021
PIN+ R3 / R3.1 / R3.2 / R3.3FIDO + OTP0x0022
PIN+ R3 / R3.1 / R3.2 / R3.3OTP + PGP0x0023
PIN+ R3 / R3.1 / R3.2 / R3.3FIDO + PGP0x0024
PIN+ R3 / R3.1 / R3.2 / R3.3PGP0x0025
PIN+ R3 / R3.1 / R3.2 / R3.3OTP + PGP + FIDO (default)0x0026
0x349EMini USB A/C R3FIDO0x0010
Mini USB A/C R3OTP0x0011
Mini USB A/C R3FIDO + OTP0x0012
Mini USB A/C R3OTP + PGP0x0013
Mini USB A/C R3FIDO + PGP0x0014
Mini USB A/C R3PGP0x0015
Mini USB A/C R3OTP + PGP + FIDO (default)0x0016
0x349EBio3 Dual A+C Key R3.2 FIDO0x0200
Bio3 Dual A+C Key R3.2OTP0x0201
Bio3 Dual A+C Key R3.2FIDO + OTP0x0202
Bio3 Dual A+C Key R3.2OTP + PGP0x0203
Bio3 Dual A+C Key R3.2FIDO + PGP0x0204
Bio3 Dual A+C Key R3.2PGP0x0205
Bio3 Dual A+C Key R3.2OTP + PGP + FIDO (default)0x0206