diff --git a/Cargo.lock b/Cargo.lock
index eeac3bb..0e50802 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1999,7 +1999,7 @@ dependencies = [
  "jsonwebtoken",
  "log",
  "parking_lot",
- "rand 0.8.5",
+ "rand 0.9.0",
  "reqwest",
  "serde",
  "serde_json",
@@ -2969,7 +2969,7 @@ dependencies = [
  "once_cell",
  "p256",
  "parking_lot",
- "rand 0.8.5",
+ "rand 0.9.0",
  "reqwest",
  "serde",
  "serde_json",
diff --git a/Cargo.toml b/Cargo.toml
index 521bfae..b7fcbfa 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -24,6 +24,7 @@ jsonwebtoken = "9.3"
 log = { version = "0.4.27", features = ["std", "serde"] }
 once_cell = "1.21"
 parking_lot = "0.12.3"
+rand = "0.9.0"
 reqwest = { version = "0.12.15", default-features = false, features = ["json"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
diff --git a/deny.toml b/deny.toml
index 0cfbfe7..3a5f2a0 100644
--- a/deny.toml
+++ b/deny.toml
@@ -19,7 +19,7 @@ skip-tree = [
     { name = "rustix", version = "*" },
     { name = "security-framework", version = "2.11.1" }, # keyring uses old version
     { name = "thiserror", version = "1.0" },             # dialoguer uses old version
-    { name = "getrandom", version = "0.2.15" },          # rand uses old version
+    { name = "rand", version = "0.8.5" },                # p256 uses old version
 ]
 
 [sources]
diff --git a/lib/Cargo.toml b/lib/Cargo.toml
index 0da6791..3697a09 100644
--- a/lib/Cargo.toml
+++ b/lib/Cargo.toml
@@ -23,7 +23,7 @@ hyper.workspace = true
 jsonwebtoken.workspace = true
 log.workspace = true
 parking_lot.workspace = true
-rand = "0.8.5"
+rand.workspace = true
 reqwest.workspace = true
 serde.workspace = true
 serde_json.workspace = true
diff --git a/lib/src/mcu/auth/oauth2.rs b/lib/src/mcu/auth/oauth2.rs
index 3efede4..5378f3c 100644
--- a/lib/src/mcu/auth/oauth2.rs
+++ b/lib/src/mcu/auth/oauth2.rs
@@ -7,7 +7,7 @@ use async_trait::async_trait;
 use chrono::{DateTime, Utc};
 use jsonwebtoken::Header;
 use log::debug;
-use rand::Rng;
+use rand::{Rng, TryRngCore};
 use serde::ser::SerializeStruct;
 use tokio::sync::Mutex;
 
@@ -90,8 +90,8 @@ impl<'callback> OAuth2<'callback> {
     }
 
     fn generate_token_id() -> String {
-        let mut rng = rand::rngs::OsRng;
-        let bytes: [u8; 18] = rng.gen();
+        let mut rng = rand::rngs::OsRng.unwrap_err(); // Panic on OS-level RNG failure
+        let bytes: [u8; 18] = rng.random();
         hex::encode(bytes)
     }
 
diff --git a/test_helpers/Cargo.toml b/test_helpers/Cargo.toml
index 2cfb565..e3b33fc 100644
--- a/test_helpers/Cargo.toml
+++ b/test_helpers/Cargo.toml
@@ -17,7 +17,7 @@ log.workspace = true
 once_cell.workspace = true
 parking_lot.workspace = true
 p256 = "0.13.2"
-rand = "0.8.5"
+rand.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 serde_with.workspace = true
diff --git a/test_helpers/src/fs/config.rs b/test_helpers/src/fs/config.rs
index a3d69f5..837e8a5 100644
--- a/test_helpers/src/fs/config.rs
+++ b/test_helpers/src/fs/config.rs
@@ -2,9 +2,9 @@ use std::path::PathBuf;
 
 use chrono::{serde::ts_seconds_option, DateTime, Utc};
 use googletest::prelude::*;
+use p256::elliptic_curve::rand_core::OsRng;
 use p256::pkcs8::*;
 use p256::{ecdsa, pkcs8::LineEnding};
-use rand::rngs::OsRng;
 use serde::Serialize;
 use toml::{self, Value};