Hardware TOTP for AWS: Reiner SCT tanJack Deluxe

Even when safely storing your MFA tokens using the Token2 Molto-2 device, some things are not quite optimal. You have to use special Windows-only software to program new accounts, it is not PIN-protected, and things could be better in terms of usability.

If you have a bit more of a budget, the Reiner SCT tanJack Deluxe might solve your problems. Let’s have a look at this device.


The tanJack Deluxe offers a streamlined experience for managing your MFA tokens. To add a new one, use the integrated camera to take a picture of the QR code, just like with your phone. You will then be able to change the title and user name displayed on the device, and you are ready to go.

All this is made extremely easy by the device’s touch screen, allowing easy management. You can also pin often-used accounts as favorite to quickly access them. While there is no official statement on the maximum capacity for MFA tokens, the vendor lists it as “100+”, which puts it on par with the Molto 2.

tanJack Deluxe (image by Reiner SCT)

A device like this won’t have the extensive battery life of a minimalist device as the competition offers, but Reiner SCT thought ahead and bundles a USB-C connected charging cradle to make this easier.


Other devices openly display current MFA codes on their display, meaning if someone gets access to the device, they can just use them.

With the tanJack Deluxe, you can set a PIN for accessing the TOTP functionality. And, as this is a secure device, entering the wrong PIN five times in a row will automatically wipe the device.

This additional protection makes it highly secure, especially as all USB connectivity only uses the charging pins, and there is no data connectivity at all.

But if you ever used an embedded device, this will immediately result in one question: How would you update the device firmware if there are any bugs? Reiner SCT uses the same mode as with other QR-capable readers: they offer a “QR Code Movie” for their devices. You can enter the device firmware update mode and let it ingest new code using the camera.

Currently there is no firmware update available, but I expect Reiner SCT as a security-conscious company to use some code signing to avoid attacks where manipulated firmware is uploaded.

Addon Benefits

One main criticism about the usual Gemalto devices is the problem of time drift. If the onboard RTC clocks get sufficiently out of sync with the remote website, its codes will not work anymore.

For this case, Reiner SCT offers a specific web page where the device time can be updated. Again, a QR code is recorded with the camera to resynchronize time. An critical security feature is that the QR code does not simply include the time because this would allow getting codes from the past/future using a manipulated code.

The main purpose of the device is not generating TOTP MFA codes at all - it is primarily a device for secure banking. As such, you can insert your bank card into its card reader slot and generate TANs for online banking (ChipTAN QR and Sm@rt-TAN photo). You can check the list of supported (German) banks on the vendor’s page.


So is it worth it?

The device is double the price of the previously presented Molto-2 - around 80 Euro currently. On the other hand, its convenience and added security make this a much better device to keep your MFA as secure as possible. It is about twice the size of the Molto-2, though, so it is a bit of a hassle if you want to carry it around.

In my case, the Reiner SCT tanJack Deluxe has replaced my other means of MFA code generation. As suggested in my post of the Molto-2 device, I do keep backup data on an IronKey if this device ever fails or gets lost.

If you want to secure your most valuable accounts, like AWS root access, this device is probably a better alternative to individual tokens or other devices.

Similar Posts You Might Enjoy

Hardware TOTP for AWS: Molto-2

Everybody knows you should protect your AWS accounts (and other logins) with MFA against brute-force attacks. Most of the account providers use a standardized algorithm (RFC 6238) to generate the famous six-digit TOTP codes for your login. But where do you store those securely? Today, we will look at the alternatives and a specific device: The Molto-2. - by Thomas Heinen

Using Permission Boundaries to balance Security and Developer Productivity

There is a conflict between developer freedom and the requirements of security teams. In this post we’ll look at one approach to address this tension: permission boundaries. They’re an often overlooked part of IAM, but provide a valuable addition to our security toolkit. - by Maurice Borgmeier

AWS Access Management uncovered: Where do all those 403s come from?

In this blog post, I would like to show you the various types of AWS permission management capabilities to generate a better understanding, where access denied API errors (403) may arise from and what ample options there are to grant permissions. One should be familiar with IAM policies to get the most out of the blog. - by Dr Felix Grelak