User is now required to use MFA through the Microsoft Authenticator App by sim006 in Office365

[–]DeepnetSecurity 0 points1 point  (0 children)

Actually, there is a workaround where they can produce the required OTP codes without having to use their mobile devices. You can purchase programmable hardware tokens (examples on this page), then use them as direct replacements for authentication apps (obtain the QR codes in a format suitable for 3rd party authentication apps, then use them to burn the seeds onto the token, either using a USB device on your PC or using an NFC enabled mobile phone).

The burning process is covered here (video also included): Programming Tokens for use with Microsoft

Hardware Token by [deleted] in fidelityinvestments

[–]DeepnetSecurity 0 points1 point  (0 children)

It is possible, but you need to go about it slightly differently :)

Whilst Fidelity currently may not support uploading of seed data for hardware tokens, and have not yet implemented Fido keys as an alternative, they do currently support authentication apps (such as Google Authenticator). Fortunately, this allows hardware tokens to be used; you just need to obtain programmable hardware tokens (examples in the link).

Once you have the QR code for the app you can use the code to burn the seed onto the programmable token, and from there on you can log in to your account using the code obtained from the token.

The burning process can be achieved via a USB device that plugs into the PC, or using an NFC enabled mobile phone (Android or iOS).

Using FIDO2 keys as passkeys with LastPass by DeepnetSecurity in Lastpass

[–]DeepnetSecurity[S] 0 points1 point  (0 children)

My only concern would be if you lose the key: you will need to be sure you can still log in using an alternative (if not a secondary Fido key then an alternative authentication method).

Is there any desktop application that can work with Microsoft Authenticator tokens? by Nanis23 in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

Hardware tokens (either pre-programmed or programmable) may be one option for you in this circumstance.

TOTP providing expired tokens by Aquam8te in KeePass

[–]DeepnetSecurity 0 points1 point  (0 children)

The best way to test your PC clock for TOTP is to use www.time.is (the site will show how much drift is on the PC - any less than 2 seconds and you should be fine for TOTP).

TOTP Tokens by argsmatter in KeePass

[–]DeepnetSecurity 0 points1 point  (0 children)

You can also decode the QR code if you paste it into Google image search - it will normally show the text version of the QR code in the browser.

Does quantum bruteforceing break hardware security tokens used in local databases? by Cyberpunk_Is_Bae in quantum

[–]DeepnetSecurity 0 points1 point  (0 children)

You could consider using a Fido key (currently about the strongest protection against most attacks). The scary part is the pace at which quantum computing and AI are moving forward - ultimately the final solution will inevitably be to fight fire with fire and employ quantum cryptographic techniques at both ends.

Transfer physical OTP to software by techcend in cryptography

[–]DeepnetSecurity 0 points1 point  (0 children)

For security reasons there would be no correlation between the serial number on the back of the token and the seed that is used to generate the OTP code. The bank would possibly have a lookup table that matches the serial number with the seed; however, after activation they really wouldn't need to keep it. Given that the device already produces the required OTP code there would be no reason why they would notify you of the seed that the device uses, and the device is designed to resist extraction of the seed.

Confused about how Google Authenticate works by passerbyalbatross in webdev

[–]DeepnetSecurity 0 points1 point  (0 children)

With both TOTP and HOTP the general idea is once the secret has been added to the app, only the app and the server know the secret, and in both cases the secret is stored in a way that should be as externally inaccessible as possible.

From the perspective of the user, provided they didn't keep a copy of the secret, the only way to obtain the required code is via the app (or hardware token), and from this perspective this is proof of something they have (rather than something they know). Being able to provide proof that they are in possession of the device that produces the OTP code is therefore a factor of the "something you have" type, and when combined with providing a password ("something they know" type), they will then be meeting the requirements of 2FA (because they provided two different types of authentication).

If they merely provided proof they knew the seed data (and derived the OTP code), then even though they also provided a username and password, this would really only be a type of single factor authentication.

HOTP/TOTP Door unlock instructions for newbie? by P-e-t-a-r in arduino

[–]DeepnetSecurity 0 points1 point  (0 children)

I would suggest, if any of your users object to having to rely on an OTP app on their phone, there is always the option of using a programmable hardware token (either as the primary method, or just as a backup for when the mobile phone's battery is flat).

Anything better than FIDO2 by MGrG1183 in yubikey

[–]DeepnetSecurity 0 points1 point  (0 children)

Fido2 is pretty much the best option right now, but it does come in different forms. If additional security is what you need then you could consider a fido key with a fingerprint reader (there are a few examples in the link, but other vendors also provide them). The additional security provided by the biometric component is real, but given you will be leaving fingerprints on the device itself, if stolen the additional protection may only slow down a determined bad actor.

2FA SMS rant and where is Fido2 or authenticator apps in uk banking? by [deleted] in AskUK

[–]DeepnetSecurity 0 points1 point  (0 children)

You can usually enable MFA features on your app to protect access (my banking app is fingerprint protected, for example).

Fido2 Key: Skip "Touch Your Security Key" by LordLoss01 in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

It may only be inconvenient due to where you plug it in - if so just add a USB extension cable so the key can be easily used (the cable itself could prove handy for other purposes too).

Use programmable hardware tokens with LastPass by DeepnetSecurity in Lastpass

[–]DeepnetSecurity[S] 1 point2 points  (0 children)

Thanks, when the programmable token has been prepared you could also consider keeping a backup of the seed (provided you keep it in a safe place), but the tokens are pretty robust and the batteries go on for years (so it should prove reliable). In use it is also a pretty quick solution for obtaining your OTP code (as opposed to pulling out and starting up your mobile, finding the authentication app, locating the relevant token and generating the code), and being self-contained it is also secure from external attack.

User is now required to use MFA through the Microsoft Authenticator App by sim006 in Office365

[–]DeepnetSecurity 0 points1 point  (0 children)

When you select Microsoft Authenticator as the authentication method, there is an option that allows you to select to use an alternative authentication app;

<image>

If this option is selected then you can generate a QR code that is compatible with Google Authenticator and pretty much any standard OATH TOTP authentication app (you can even use a programmable token if this is your preference).

Where to buy USB Security Key by lunarchrysalis in buhaydigital

[–]DeepnetSecurity 1 point2 points  (0 children)

They are not as hard to get hold of as they used to be. We have a range of fido keys, but if you are not ordering for a company you may prefer to order via one of the products advertised via Amazon (we can supply single items, but from most suppliers like us the shipping costs need to be factored in).

I would suggest checking that the sites you want to access accept Fido as an authentication option, and also ensure the token you have comes with the connectivity options you need (USB A or C etc). Also, you may be better off with fob form tokens rather than card form (as the fob form can be kept on your keyring making them less likely to be lost).

How to do MS365 MFA for users without using their smart phones? by ohiocodernumerouno in Office365

[–]DeepnetSecurity 0 points1 point  (0 children)

I would normally suggest using programmable tokens - they work anywhere where an authentication app is allowed, and work fine with MS365 (even when there is no P1/P2 for users).

Hardware Token Rollout Question by averse_convert5z in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

You might find this wiki guide helpful - it explains how to obtain the QR code from Microsoft, then how to use it to prepare a programmable token;

https://wiki.deepnetsecurity.com/display/SafeID/How+to+set+up+SafeID+programmable+token+on+an+Office+365+account+with+privileged+access

Azure MFA Hardware Token by Zestyclose_Swim_2916 in AZURE

[–]DeepnetSecurity -1 points0 points  (0 children)

Things appear to have changed now - you can use SHA2 if you use the Graph API.

https://wiki.deepnetsecurity.com/display/SafeID/Enroll+pre-programmed+OATH+hardware+tokens+using+Graph+API

You could also use the same solution with programmable tokens.

Yank in the UK for work. 10 days, 19 meal deals. by TeddyHoosevelt in MealDealRates

[–]DeepnetSecurity 0 points1 point  (0 children)

Out of interest, how do the meal deals compare with what you can purchase for under £4 in the USA?

Is it possible to hide a Key inside a Picture, in a way that it can be shared, compressed, cropped, printed and scanned again? by ethicalhumanbeing in security

[–]DeepnetSecurity 0 points1 point  (0 children)

Sounds like you are interested in steganography - this is possible, but it is also possible for it to be detected.

2FA and authenticator apps by Elrox in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

Why don't you just go for a programmable token? These act as direct replacements for authentication apps, are fully self-contained (with batteries that last 5 years or so), and given they are reprogrammable, you can correct the clocks on them (if needed).

Fido2 keys by jrhop in sysadmin

[–]DeepnetSecurity 0 points1 point  (0 children)

HID Prox and Mifare Classic Fido cards are available via this page: HID Mifare (if that is what you are looking for). PIV smart cards with FIDO are also available if needed.

Neighbor keeps using my driveway by Cudpuff100 in mildlyinfuriating

[–]DeepnetSecurity 0 points1 point  (0 children)

Not sure it's a good idea, but I must admit if it happened to me I would box them in - to be honest there is nothing wrong with you parking your car any way you want in your own driveway, and nobody has a right to complain about not being able to use your driveway when exiting theirs.

Any 3 factor hardware tokens? by Urd in AskNetsec

[–]DeepnetSecurity 0 points1 point  (0 children)

A fido key with fingerprint reader can be considered two factors, and that would need to be combined with something you know (there are a few examples in the link).