diff --git a/packages/wallet-client/CHANGELOG.md b/packages/wallet-client/CHANGELOG.md
index 4d8f5ef..3f2ab29 100644
--- a/packages/wallet-client/CHANGELOG.md
+++ b/packages/wallet-client/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
+- Replace `Math.random()` with `crypto.getRandomValues()` for OTP generation
 - Validate peer public keys during session creation ([#70](https://github.com/MetaMask/mobile-wallet-protocol/pull/70))
 - Fix client stuck in CONNECTING state when session creation fails ([#70](https://github.com/MetaMask/mobile-wallet-protocol/pull/70))
diff --git a/packages/wallet-client/src/handlers/untrusted-connection-handler.ts b/packages/wallet-client/src/handlers/untrusted-connection-handler.ts
index 2b9e0fd..500a279 100644
--- a/packages/wallet-client/src/handlers/untrusted-connection-handler.ts
+++ b/packages/wallet-client/src/handlers/untrusted-connection-handler.ts
@@ -47,7 +47,9 @@ export class UntrustedConnectionHandler implements IConnectionHandler {
    * @returns An object containing the OTP string and its deadline
    */
   private _generateOtpWithDeadline(): { otp: string; deadline: number } {
-    const otp = Math.floor(100000 + Math.random() * 900000).toString();
+    const buf = new Uint32Array(1);
+    globalThis.crypto.getRandomValues(buf);
+    const otp = (100000 + (buf[0] % 900000)).toString();
     const deadline = Date.now() + this.otpTimeoutMs;
     return { otp, deadline };
   }
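Review bot: `buf[0] % 900000` on the third added line of the `_generateOtpWithDeadline` hunk still carries a modulo bias, because 2^32 is not a multiple of 900000 (2^32 mod 900000 = 167296, so the lowest 167296 OTP values are drawn 4773 times out of 2^32 instead of 4772). The skew is about 1 in 4772 and is negligible against the ~2^19.8 keyspace of a 6-digit OTP, but since the commit's stated purpose is unbiased CSPRNG output, rejection sampling is a cheap way to close it: replace the `getRandomValues` line with `do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= 4294800000); // 4772 * 900000, largest multiple of 900000 that fits in a Uint32; reject above it to avoid modulo bias`. The new code also assumes `globalThis.crypto` exists; if this package is bundled for React Native or for Node versions that do not expose Web Crypto on the global (a possibility I am inferring from the "mobile-wallet-protocol" repo name, not from the hunk), the call throws at OTP time, so a startup guard or a documented polyfill/peer requirement would make the failure mode explicit. If the project enables `noUncheckedIndexedAccess`, `buf[0]` types as `number | undefined` and this line will need a narrowing; the enclosing class continues outside the hunk.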