Protectimus FLEX

Programmable TOTP MFA tokens are Protectimus's flagship product, in demand for both business and private use. Previously, programmable hardware tokens were available only in a card form factor, as the Protectimus Slim NFC. Now, programmable hardware tokens Protectimus are also available in a key fob format, as the Protectimus Flex.

Unlike traditional TOTP hardware tokens, whose secret keys can't be changed, you can add a new secret key to the Protectimus Flex OTP token over NFC. This makes it possible to connect the OTP device to any site that supports two-factor authentication. The only requirement is that the secret key be no longer than 32 Base32 characters.

The Protectimus Flex OTP token can be used instead of a software token (2FA app) to reliably secure services that don't offer native support for hardware token authentication: Office 365, Azure MFA, Google, PayPal, Dropbox, GitHub, most payment systems, cryptocurrency exchanges, social networks, and so on.

To program a Protectimus Flex OATH TOTP token, you'll need an Android smartphone with NFC support. Install the free Protectimus TOTP Burner app, scan the QR code containing the secret key, turn the OTP token on, and place it near the phone's NFC antenna to program the secret key into the token. A single Protectimus Flex 2-factor authentication hardware token can hold one secret key.

The most practical and reliable OTP token

Hardware token is the most secure means of generating one-time passwords. Thanks to its reprogramming and time synchronization features, you can connect the Protectimus Flex security token to any service.


Hardware MFA tokens are harder to compromise than any other kind of TOTP authenticator: SMS-based authentication, email, chatbots, or 2FA apps. The OTP token generates temporary passwords itself, meaning they can't be intercepted during delivery. Additionally, a physical token can't be infected by viruses.


The Protectimus Flex programmable TOTP token sets itself apart from traditional hardware 2FA tokens with the ability to replace the factory-set secret key it comes with. You can connect a programmable OTP token to a service instead of a TOTP token generating app (Google Authenticator, etc.) if the service doesn't offer native support for hardware tokens (Office 365, PayPal, and so on).


The Protectimus Flex reprogrammable 2FA hardware token looks like a sporty key fob. It features a shock-, dust-, and moisture-resistant display. Put this two-factor authentication hardware token on your key ring and you'll never forget it at home or lose it (unless you forget or lose your keys, too).

Time synchronization

When a user adds a new secret key to a Protectimus Flex token,
the token's internal clock is set precisely to the current time

Protectimus Flex programmable TOTP tokens offer a time synchronization feature. When you add a new secret key to a programmable OTP hardware token Protectimus Flex, the Protectimus TOTP Burner app automatically sets the token's clock to the exact current time. This way, you can avoid the time desynchronization issues that can otherwise occur between an OATH TOTP hardware token and an authentication server.

According to the RFC 6238 standard, any clock drift between an OATH TOTP token and a two-factor authentication server is to be managed by the server. However, not every 2FA system developer adheres to this rule. This is why it's so important that a TOTP hardware authenticator's internal clock be set accurately when connecting it to a third-party two-factor authentication system. With the time synchronization feature in Protectimus Flex programmable OTP hardware tokens, the exact current time is set each time a token is programmed.


Frequently asked questions about the Protectimus Flex programmable OATH hardware token

How many secret keys can be programmed into a token?

A single programmable RFC 6238 hardware token Protectimus Flex can hold one secret key. In other words, you can use one hardware OTP token generator Protectimus Flex for two-factor authentication with one service. Each time you program a new secret key into the token, the old one is erased.

Do I need a smartphone for the OTP token to work?

No. An Android smartphone with NFC support is only required to program a secret key into the hardware token device. After that, the Protectimus Flex TOTP token works on its own. It doesn't connect to your phone or the internet in order to generate an MFA code (one-time password).

How much does the Protectimus Flex token cost?

The OTP token price depends on the size of the order. The larger the order, the lower the cost per one OTP authentication key. Tokens are available for orders as small as 1 unit. In this case, the cost of a single token is $19.99. Volume discounts are available for orders of 50 or more Protectimus Flex reprogrammable tokens.

Supported services

Services with which you can use the Protectimus Flex OTP token

If your service isn't in the list, don't worry; we may just have not gotten around to adding it. Send us a message and we'll let you know if your system supports the Protectimus Flex token.

Technical specifications

An OTP token is a device you always want to have on hand,
so the Protectimus Flex hardware OTP token was designed in a key fob format with dust and moisture resistance

6 digits with OTP code and battery life indicator

16.1 g (0.57 oz)

TOTP (time-based) IETF RFC 6238


OATH (Google Authenticator)

Operating temperature
-10°C to +50°C
(-14°F to +122°F)

Dust and water resistance
IP67 protection

Communication protocol

Times token can be reprogrammed
Unlimited (one token can hold a single secret key, but the secret key can be changed an unlimited number of times)

Time synchronization
Automatic, when programming a secret key

Token programming app
Available for Android

Battery life
Up to 5 years

Despite the product's tolerance of a wide range of operating conditions, we don't recommend subjecting it to extreme conditions.
This will extend its working life and avoid voiding the manufacturer's warranty

How to set up the Protectimus Flex token

Before setting up your token, log into your account on the service you want to secure and begin the process of activating two-factor authentication using a 2FA app (Google Authenticator, etc.)

Install the TOTP Burner app

To begin setting up a Protectimus Flex TOTP token, install the Protectimus TOTP Burner app on an Android smartphone that supports NFC. The app is available for free through Google Play.

Begin 2FA activation

Begin the process of activating two-factor authentication on the service you want to secure. From the authentication types available, choose to use a 2FA app (Google Authenticator).

Scan the secret key

When you see the QR code containing the secret key, scan it with the Protectimus TOTP Burner app. In the app, tap the "Burn the seed" button. Then, tap "Scan the QR code."

Program the token

Activate the Protectimus Flex TOTP hardware key (press its button). Place the token near the phone's NFC antenna and tap "Continue" to program the secret key into the OTP token.

Finish activating 2FA

To finish activating two-factor authentication, generate a one-time password with the hardware token and enter it into the service where you're setting up hardware token-based 2FA.


Possibility of branding
or orders of 1000+ pieces.

Cost: $1 per token


The Protectimus Flex programmable OTP token has a warranty of 12 months + 2 weeks from the time of purchase.

Tokens may be replaced under warranty provided that they are subjected to normal use only and in the absence of mechanical damage.


We offer worldwide shipping at a starting cost of $29.00.

Please note that when ordering large batches of tokens, the delivery price increases.