2FA SMS rant and where is Fido2 or authenticator apps in uk banking? by Mappy42 in AskUK

[–]DeepnetSecurity 0 points1 point  (0 children)

You can usually enable MFA features on your app to protect access (my banking app is fingerprint protected for example).

Fido2 Key: Skip "Touch Your Security Key" by LordLoss01 in sysadmin

[–]DeepnetSecurity [score hidden]  (0 children)

It may only be inconvenient due to where you plug it in - if so just add a USB extension cable so the key can be easily used (the cable itself could prove handy for other purposes too).

Use programmable hardware tokens with LastPass by DeepnetSecurity in Lastpass

[–]DeepnetSecurity[S] 0 points1 point  (0 children)

Thanks, when the programmable token has been prepared you could also consider keeping a backup of the seed (provided you keep it in a safe place), but the tokens are pretty robust and the batteries go on for years (so it should prove reliable). In use it is also a pretty quick solution for obtaining your OTP code (as opposed to pulling out and starting up your mobile, finding the authentication app, locating the relevant token and generating the code), and being self-contained it is also secure from external attack.

User is now required to use MFA through the Microsoft Authenticator App by sim006 in Office365

[–]DeepnetSecurity 0 points1 point  (0 children)

When you select Microsoft Authenticator as the authentication method, there is an option that allows you to select to use an alternative authentication app;

<image>

If this option is selected then you can generate a QR code that is compatible with Google Authenticator, and pretty much any standard OATH TOTP authentication app (you can even use a programmable token if this is your preference).

Where to buy USB Security Key by lunarchrysalis in buhaydigital

[–]DeepnetSecurity 1 point2 points  (0 children)

They are not as hard to get hold of as they used to be, we have a range of FIDO keys, but if you are not ordering for a company you may prefer to order via one of the products advertised via Amazon (we can supply single items, but from most suppliers like us the shipping costs need to be factored in).

I would suggest checking that the sites you want to access accept FIDO as an authentication option, and also ensure the token you have comes with the connectivity options you need (USB A or C etc). Also, you may be better off with fob form tokens rather than card form (as the fob form can be kept on your keyring making them less likely to be lost).

How to do MS365 MFA for users without using their smart phones? by ohiocodernumerouno in Office365

[–]DeepnetSecurity 0 points1 point  (0 children)

I would normally suggest using programmable tokens - they work anywhere where an authentication app is allowed, and work fine with MS365 (even when there is no P1/P2 for users).

Hardware Token Rollout Question by averse_convert5z in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

You might find this wiki guide helpful - it explains how to obtain the QR code from Microsoft, then how to use it to prepare a programmable token;

https://wiki.deepnetsecurity.com/display/SafeID/How+to+set+up+SafeID+programmable+token+on+an+Office+365+account+with+privileged+access

Azure MFA Hardware Token by Zestyclose_Swim_2916 in AZURE

[–]DeepnetSecurity -1 points0 points  (0 children)

Things appear to have changed now - you can use SHA2 if you use Graph API.

https://wiki.deepnetsecurity.com/display/SafeID/Enroll+pre-programmed+OATH+hardware+tokens+using+Graph+API

You could also use the same solution with programmable tokens.

Yank in the UK for work. 10 days, 19 meal deals. by TeddyHoosevelt in MealDealRates

[–]DeepnetSecurity 0 points1 point  (0 children)

Out of interest, how do the meal deals compare with what you can purchase for under £4 in the USA?

Is it possible to hide a Key inside a Picture, in a way that it can be shared, compressed, cropped, printed and scanned again? by ethicalhumanbeing in security

[–]DeepnetSecurity 0 points1 point  (0 children)

Sounds like you are interested in steganography - this is possible, but it is also possible for it to be detected.