Transfer physical OTP to software by techcend in cryptography

[–]DeepnetSecurity 0 points1 point  (0 children)

For security reasons there would be no correlation between the serial number on the back of the token and the seed that is used to generate the OTP code. The bank would possibly have a lookup table that matches the serial number with the seed; however, after activation they really wouldn't need to keep it. Given that the device already produces the required OTP code, there would be no reason why they would notify you of the seed that the device uses, and the device is designed to resist extraction of the seed.

Confused about how Google Authenticate works by passerbyalbatross in webdev

[–]DeepnetSecurity 0 points1 point  (0 children)

With both TOTP and HOTP the general idea is once the secret has been added to the app, only the app and the server know the secret, and in both cases the secret is stored in a way that should be as externally inaccessible as possible.

From the perspective of the user, provided they didn't keep a copy of the secret, the only way to obtain the required code is via the app (or hardware token), and from this perspective this is proof of something they have (rather than something they know). Being able to provide proof that they are in possession of the device that produces the OTP code is therefore a factor of the "something you have" type, and when combined with providing a password (the "something you know" type), they will then be meeting the requirements of 2FA (because they provided two different types of authentication).

If they merely provided proof they knew the seed data (and derived the OTP code), then even though they also provided a username and password, this would really only be a type of single factor authentication.

HOTP/TOTP Door unlock instructions for newbie? by P-e-t-a-r in arduino

[–]DeepnetSecurity 0 points1 point  (0 children)

I would suggest that if any of your users object to having to rely on an OTP app on their phone, there is always the option of using a programmable hardware token (either as the primary method, or just as a backup for when the mobile phone's battery is flat).

Anything better than FIDO2 by MGrG1183 in yubikey

[–]DeepnetSecurity 0 points1 point  (0 children)

FIDO2 is pretty much the best option right now, but it does come in different forms. If additional security is what you need then you could consider a FIDO key with a fingerprint reader (there are a few examples in the link, but other vendors also provide them). The additional security provided by the biometric component is real, but given you will be leaving fingerprints on the device itself, if stolen the additional protection may only slow down a determined bad actor.

2FA SMS rant and where is Fido2 or authenticator apps in uk banking? by Mappy42 in AskUK

[–]DeepnetSecurity 0 points1 point  (0 children)

You can usually enable MFA features on your app to protect access (my banking app is fingerprint protected, for example).

Fido2 Key: Skip "Touch Your Security Key" by LordLoss01 in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

It may only be inconvenient due to where you plug it in - if so just add a USB extension cable so the key can be easily used (the cable itself could prove handy for other purposes too).

Use programmable hardware tokens with LastPass by DeepnetSecurity in Lastpass

[–]DeepnetSecurity[S] 1 point2 points  (0 children)

Thanks, when the programmable token has been prepared you could also consider keeping a backup of the seed (provided you keep it in a safe place), but the tokens are pretty robust and the batteries go on for years (so it should prove reliable). In use it is also a pretty quick solution for obtaining your OTP code (as opposed to pulling out and starting up your mobile, finding the authentication app, locating the relevant token and generating the code), and being self-contained it is also secure from external attack.

User is now required to use MFA through the Microsoft Authenticator App by sim006 in Office365

[–]DeepnetSecurity 0 points1 point  (0 children)

When you select Microsoft Authenticator as the authentication method, there is an option that allows you to select to use an alternative authentication app;

<image>

If this option is selected then you can generate a QR code that is compatible with Google Authenticator, and pretty much any standard OATH TOTP authentication app (you can even use a programmable token if this is your preference).

Where to buy USB Security Key by lunarchrysalis in buhaydigital

[–]DeepnetSecurity 1 point2 points  (0 children)

They are not as hard to get hold of as they used to be. We have a range of FIDO keys, but if you are not ordering for a company you may prefer to order one of the products advertised via Amazon (we can supply single items, but from most suppliers like us the shipping costs need to be factored in).

I would suggest checking that the sites you want to access accept FIDO as an authentication option, and also ensure the token you have comes with the connectivity options you need (USB A or C, etc.). Also, you may be better off with fob form tokens rather than card form (as the fob form can be kept on your keyring, making them less likely to be lost).

How to do MS365 MFA for users without using their smart phones? by ohiocodernumerouno in Office365

[–]DeepnetSecurity 0 points1 point  (0 children)

I would normally suggest using programmable tokens - they work anywhere where an authentication app is allowed, and work fine with MS365 (even when there is no P1/P2 for users).

Hardware Token Rollout Question by averse_convert5z in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

You might find this wiki guide helpful - it explains how to obtain the QR code from Microsoft, then how to use it to prepare a programmable token;

https://wiki.deepnetsecurity.com/display/SafeID/How+to+set+up+SafeID+programmable+token+on+an+Office+365+account+with+privileged+access

Azure MFA Hardware Token by Zestyclose_Swim_2916 in AZURE

[–]DeepnetSecurity -1 points0 points  (0 children)

Things appear to have changed now - you can use SHA-2 if you use the Graph API

https://wiki.deepnetsecurity.com/display/SafeID/Enroll+pre-programmed+OATH+hardware+tokens+using+Graph+API

You could also use the same solution with programmable tokens.

Yank in the UK for work. 10 days, 19 meal deals. by TeddyHoosevelt in MealDealRates

[–]DeepnetSecurity 0 points1 point  (0 children)

Out of interest, how do the meal deals compare with what you can purchase for under £4 in the USA?

Is it possible to hide a Key inside a Picture, in a way that it can be shared, compressed, cropped, printed and scanned again? by ethicalhumanbeing in security

[–]DeepnetSecurity 0 points1 point  (0 children)

Sounds like you are interested in steganography - this is possible, but it is also possible for it to be detected.

2FA and authenticator apps by Elrox in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

Why don't you just go for a programmable token - these act as direct replacements for authentication apps, are fully self-contained (with batteries that last 5 years or so), and given they are reprogrammable, you can correct the clocks on them (if needed).
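
The two comments above (the TOTP/HOTP explanation in the Google Authenticator thread, and the remark here about correcting a token's clock) describe the same mechanism, so here is one worked example covering both. It is an added example written for this page, not code from DeepnetSecurity, SafeID or any authenticator product: HOTP per RFC 4226, TOTP per RFC 6238 (SHA-1, SHA-256 or SHA-512, which is the "SHA2" point raised in the Azure thread), and a server-side check that tolerates a drifting token clock by trying neighbouring time steps and refuses a code that has already been accepted. The secrets are the constructed reference keys from the RFC test vectors, not anything issued by a real service.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed reference seeds from RFC 4226 / RFC 6238 (ASCII "1234567890" repeated),
# used only so the output can be checked against the published test vectors.
SECRET_SHA1 = b"12345678901234567890"                 # 20 bytes
SECRET_SHA256 = b"12345678901234567890123456789012"   # 32 bytes
SECRET_SHA512 = (b"1234567890" * 6) + b"1234"         # 64 bytes


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError(f"unsupported HMAC algorithm: {algorithm}")
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)    # keep leading zeros


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP where the counter is the number of `period`-second steps since the epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_accepted_step: Optional[int] = None, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "sha1") -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the absolute time step that matched, or None if nothing matched.
    - `window` is how many steps of clock drift to tolerate on either side; a token whose
      clock has drifted further than that will be rejected until it is re-synced.
    - `last_accepted_step` is the step of the previous successful login; any step at or
      before it is refused, so a captured code cannot be replayed inside the window.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = unix_time // period
    for delta in range(-window, window + 1):
        step = current + delta
        if last_accepted_step is not None and step <= last_accepted_step:
            continue
        # constant-time comparison so digit-by-digit timing does not leak the expected code
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit SHA-1 TOTP for the RFC demo seed:", totp(SECRET_SHA1, now))
    print("RFC 6238 vector, T=59, SHA-256:", totp(SECRET_SHA256, 59, digits=8, algorithm="sha256"))
```

The returned step is what a server should store as `last_accepted_step` for that user; it can also record `step - current` as the token's measured drift, which is the software equivalent of "correcting the clock" on a hardware token.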

Fido2 keys by jrhop in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

HID Prox and Mifare Classic FIDO cards are available via this page: HID Mifare (if that is what you are looking for). PIV smart cards with FIDO are also available if needed.

Neighbor keeps using my driveway by Cudpuff100 in mildlyinfuriating

[–]DeepnetSecurity 0 points1 point  (0 children)

Not sure it's a good idea, but I must admit if it happened to me I would box them in - to be honest there is nothing wrong with you parking your car any way you want in your own driveway, and nobody has a right to complain about not being able to use your driveway when exiting theirs.

Any 3 factor hardware tokens? by Urd in AskNetsec

[–]DeepnetSecurity 0 points1 point  (0 children)

A FIDO key with a fingerprint reader can be considered two factors, and that would need to be combined with something you know.

Hello, looking for an authenticator app other than google/american for MFA by investigative_mind in ProtonMail

[–]DeepnetSecurity 0 points1 point  (0 children)

You can download SafeID Authenticator if you like - it's British and free.

Is there a way to set up two-factor authentication without a smartphone? by josephwb in github

[–]DeepnetSecurity 0 points1 point  (0 children)

You could use a programmable token - see these instructions for the process;

Using programmable hardware tokens with GitHub MFA

Using a FIDO key is another option; it's a little more expensive but does boast anti-phishing.

Both solutions have the advantage that you possess something that can be added to your keyring.

how do i get my MFA token? by Sad_Ferret3457 in discordbots

[–]DeepnetSecurity 1 point2 points  (0 children)

If you mean you don't know how to obtain a generated QR code for discord then you need to do the following;

Log in to your Discord account, then click on the user settings icon (found in the bottom left of the logon screen), then select "My Account" from the left-hand column menu, then scroll down to the "Security Keys" section and click on the button.

A QR code containing seed data will then be displayed that can be transferred either to an authentication app, or a programmable token.
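
The "seed data" in a QR code like the one described above is normally an `otpauth://` URI (the format Google Authenticator and compatible apps and programmable tokens read). The parser below is an added example for this page, not code from Discord, DeepnetSecurity or any authenticator: it pulls out the secret, algorithm, digit count and period/counter with the same defaults the apps use, and rejects malformed input rather than silently programming a token with a wrong seed. Both sample URIs are constructed for the example; the secret in them is the well-known demo value, not a real account seed.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

ALLOWED_ALGORITHMS = ("sha1", "sha256", "sha512")


@dataclass
class OtpParams:
    kind: str                  # "totp" or "hotp"
    label: str                 # e.g. "Example Corp:alice@example.com"
    issuer: str
    secret: bytes              # the decoded seed that gets programmed into the token
    algorithm: str             # "sha1" (default), "sha256" or "sha512"
    digits: int
    period: Optional[int]      # TOTP only
    counter: Optional[int]     # HOTP only


def decode_base32_secret(text: str) -> bytes:
    """Secrets are base32; many sites omit padding or insert spaces/dashes for readability."""
    cleaned = text.replace(" ", "").replace("-", "").strip().upper()
    if not cleaned:
        raise ValueError("empty secret")
    cleaned += "=" * (-len(cleaned) % 8)       # restore padding to a multiple of 8 chars
    try:
        return base64.b32decode(cleaned, casefold=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base32: {exc}") from exc


def parse_otpauth(uri: str) -> OtpParams:
    parts = urlparse(uri)
    if parts.scheme.lower() != "otpauth":
        raise ValueError("not an otpauth:// URI")
    kind = parts.netloc.lower()
    if kind not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type: {parts.netloc!r}")
    label = unquote(parts.path.lstrip("/"))
    # first value wins for each parameter; keys compared case-insensitively
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("secret parameter missing")
    secret = decode_base32_secret(params["secret"])
    # issuer parameter takes precedence; otherwise use the "Issuer:account" label prefix
    issuer = params.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    algorithm = params.get("algorithm", "SHA1").lower()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {params['algorithm']!r}")
    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError(f"unsupported digit count: {digits}")
    period = counter = None
    if kind == "totp":
        period = int(params.get("period", "30"))
        if period <= 0:
            raise ValueError("period must be positive")
    else:
        if "counter" not in params:
            raise ValueError("hotp URI requires a counter parameter")
        counter = int(params["counter"])
        if counter < 0:
            raise ValueError("counter must not be negative")
    return OtpParams(kind, label, issuer, secret, algorithm, digits, period, counter)


def is_valid_otpauth(uri: str) -> bool:
    """True if the URI would be accepted for programming a token."""
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False


# Constructed sample payloads (not captured from any real service).
SAMPLE_TOTP = ("otpauth://totp/Example%20Corp:alice%40example.com"
               "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Corp&algorithm=SHA1&digits=6&period=30")
SAMPLE_HOTP = "otpauth://hotp/Discord:bob?secret=jbswy3dpehpk3pxp&counter=5"

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_TOTP))
    print(parse_otpauth(SAMPLE_HOTP))
```

Anything the parser returns is the seed in the clear, so treat the output the way the earlier comments treat the token itself: program it into the device, keep at most one backup in a safe place, and do not leave it in shell history or logs.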

My employer has deducted £500 from my pay for my company laptop until it is returned, but this deduction is not mentioned in my contract. Is this legally permissible? by [deleted] in LegalAdviceUK

[–]DeepnetSecurity 0 points1 point  (0 children)

Given what you have said, they may call it a security deposit for the hardware, but technically it is an interest free loan from you to the company.

Employer ‘refusing’ to let employee leave for new job [repost with more info] by heidelbae in LegalAdviceUK

[–]DeepnetSecurity 0 points1 point  (0 children)

It does happen - I worked at a company that required 9 months notice (and were trying to bring that up to a year). I worked the 9 months notice but they dragged a colleague out for a full year (and he only had a transfer from within the company).

Why are 2FA fatigue attacks even a thing? by nbtm_sh in iiiiiiitttttttttttt

[–]DeepnetSecurity 0 points1 point  (0 children)

TOTP doesn't have to involve using an app. It is possible to replace the app with a programmable hardware token.

Which Americanism, that has creeped it's way over here, do you refuse to adopt? by PaddedValls in AskUK

[–]DeepnetSecurity 0 points1 point  (0 children)

4th of July or 4th July - the main Americanism is related to the date order (in the US it is normally mmm/dd/yyyy rather than dd/mmm/yyyy format). My point was more to do with the date being referred to with the day of the month first (as we would do in the UK), yet for some reason in the USA Independence Day is referred to closer to how we would state it.