New Programmable TOTP token Protectimus Flex

Listen to this article

You asked, and we delivered – the new programmable TOTP token Protectimus Flex in a key fob format is already here!

Unlike our other popular programmable hardware token Protectimus Slim NFC, the new Protectimus Flex TOTP token comes in the form of a key fob. This makes our latest two-factor authentication hardware token more comfortable to use, and more durable. The security token can easily be fastened to your keys, this way you won’t forget it, or lose it. There is a bonus feature in the new gadget — it has a battery indicator. This makes it easier to understand when it’s time to order a replacement.

Similar to Protectimus Slim NFC, the new hardware token device requires an Android phone with NFC to burn the secret key (seed) into the device. Protectimus Flex supports secret keys no longer than 32 symbols in the Base32 numeral system. And the new TOTP authenticator can generate OTP passwords for any website that supports MFA apps, so you don’t have to install Protectimus MFA platform to work in conjunction with it.

How the new TOTP hardware token Protectimus Flex works

A hardware security token is typically a small device with a window display. These gadgets are roughly divided into two types:

  1. So-called classic tokens, they are delivered with the seed hardcoded and the user cannot change it.
  2. And programmable ones, a programmable TOTP token is designed for a seed to be written into it multiple times.

Simply put — programmable physical token functions just like any MFA app software token (but note that unlike an MFA app one programmable hardware token can store only one secret key). These devices are safer than an app, since a one time password is generated not on a smartphone, but on a device which has no Internet connection, thus, cannot be infected by any viruses. So programmed hardware token authentication often replaces those apps for better-safeguarded OTP authentication.

Besides, programmable TOTP token Protectimus Flex supports time synchronization feature. When you add the secret key into the token, the Protectimus TOTP Burner application automatically sets the exact current time on the token. This feature allows avoiding the time drift problem that is a common thing with TOTP hardware tokens.

Physical programmable tokens are our specialty. And while Slim NFC is in high demand, its form factor of a card is slightly uncomfortable for some customers. Form is the main difference between Slim and Flex, the mode of action of both devices is the same.

Programmable OTP token Protectimus Flex

We’ve already written about the TOTP algorithm, which the programmed tokens operate on. If you want to know every detail behind TOTP you can read it here. And for a better understanding of the distinctions between classic and programmed physical tokens, as well as a detailed description of a programmable device we’d like to refer you to this article.

Which sites can Protectimus Flex hardware 2FA token be linked to?

A seed no longer than 32 Base32 symbols can be added into the programmable OTP hardware token Flex. The gadget can be used for TOTP MFA setup for one website, app, or service at a time. So, if the website aligns with these criteria then this TOTP hardware authenticator can be utilized for this website.

Programmable hardware token Protectimus Flex can be utilized to deliver an MFA code for Azure MFA, Office 365, Google, PayPal, Twitter, Facebook, Dropbox, Github, Coinbase, and a lot of others.

An example of the secret key for Protectimus Flex TOTP token the seed is no longer than 32 symbols in Base32

Keyfob form-factor advantages

We are always in touch with our customers, we listen to all the feedback we receive. Ever since our first programmable 2-factor authentication hardware token was presented we have been receiving inquiries for the same token but in key fob form. A lot of the customers asked if it is safe to drill a hole in the Slim NFC token to fasten it to their keys. One client even made a custom case for the OTP device.

The key fob form factor turns out to be more usable. You can not lose or forget the token if it’s fastened to your keys. It is far harder to nip it from you as well. Besides, the key fob form might be a bit more durable than the card form.

Protectimus Slim NFC token in a hand made case

How to program the Protectimus Flex TOTP generator

To program the Flex hardware OTP token you will need an Android cellphone with enabled NFC. Naturally, the website you’d like to link the token to has to support TOTP MFA. This programmable OATH hardware token is perfect for those websites that support MFA with a TOTP authenticator app.

  1. Download a Protectimus TOTP Burner app

    Download our TOTP burner application to your Android phone.

  2. Start the MFA setup

    Start setting up multi-factor authentication on the website you want the token to be linked to.

  3. Program the new 2FA hardware token:

    3.1 Start the burner application.
    3.2 Click “Burn the seed”.
    3.3 Click “Scan the QR code” and scan the code from the website’s TOTP QR code generator.
    3.4 Activate Protectimus Flex and make sure it is placed near the phone’s NFC antenna.
    3.5 Click “Continue”. The process is finished when the OTP authentication key activation confirmation message arrives.

  4. Enter the one-time password to finish the MFA setup

    Go back to the MFA protected website and log in using the OTP code delivered by your token.

How to add a secret key tp the Protectimus Flex token

Frequently Asked Questions

Can this programmable OTP hardware token be used for multiple websites/services simultaneously?

No, Flex can be used for one website/service, with one seed programmed into it, at a time. But Flex can be repurposed. When you stop using a website the OATH TOTP hardware token was initially programmed for, you can disconnect the device from that website and program it for another website/service.

What services/websites can Protectimus Flex work with?

This TOTP hardware key can be linked to almost any website that offers 2FA with Google Authenticator or supports any other MFA application. Among the supported services is the majority of payment systems, social networks, cryptocurrency exchanges, and many others.

Is the Burner application available for iOS?

No. The app is currently available for Android only.

How long will the battery work?

The OATH TOTP token battery lasts up to 5 years, you can’t charge or change it. But the device has a battery indicator, so you can easily buy a replacement before the battery reaches its limit.

How much does the Protectimus Flex cost?

The price is $19.99 for one device.

How is the token programmed?

Our TOTP Burner app and a smartphone with Android and NFC antenna are required to program this TOTP token generator. The step-by-step guide is provided in the article above.

Is this type of token safe enough? Can the secret key be compromised through the Burner app?

There is absolutely no way to get the seed from a programmed token. And the burning app retains no secret keys. The token has no open interfaces, so once after production, it cannot communicate with the outside world (except NFC). But, for NFC, the token does not have an API for reading secret (only writing secret). Additionally, the app does not store secret keys. You can safely use a single phone to program several tokens.

Can I order the Flex tokens with a custom logo?

Sure, you can order as much as one item with a custom logo. Contact our sales team for more details.

Does the token operate in standalone mode, or does it still require a smartphone to create a TOTP code?

An Android mobile phone is required to burn the seed into the token. After the programming is complete the device works totally autonomously.

Do Protectimus Flex tokens support time synchronization feature?

Yes, when you program a secret key into the Protectimus Flex token, the app automatically sets the exact current time on the token.

Read more

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.

Share This Post On


  1. How is it protected from unauthorized access? If it is stolen, for example.

    Post a Reply
    • Valery, if you use this or any other OTP token with Protectimus two-factor authentication system, the Protectimus administrator can set up additional PIN protection. In this case, the user will have to enter a PIN code every time they enter a one-time password from the token before or after the OTP. This approach makes a token useless for the fraudster as a one-time password won’t work without a PIN. But if you use the programmable hardware OTP token with any other service, then when it’s stolen, it’s stolen, and the person who has stolen the token knows your one-time passwords. Though they still need to know your static password to get access to your account, so you’ll have time to notice the token’s missing and take action.

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This