This repository has been archived by the owner. It is now read-only.

Algorithm not being set properly #29

Open
jameshilliard opened this issue Jul 31, 2015 · 5 comments
Comments


@jameshilliard jameshilliard commented Jul 31, 2015

otpauth://totp/ckpool:ckolivas?secret=46PABKV2HL2BYL5P&algorithm=SHA256&issuer=BitclubPool

I'm setting the SHA256 parameter in the above example, but google-authenticator doesn't seem to be using it correctly (it works fine in the Red Hat FreeOTP app). I'm setting the parameter based off of this readme.


@fjt37 fjt37 commented Apr 19, 2018

+1

This is also broken for SHA512. The Android Google Authenticator app just seems to ignore the algorithm altogether and uses SHA1 every time. (Android 8.1.0)


@mrl99 mrl99 commented Apr 19, 2018

+1

Encountering the same issue. Works on my iPhone 7 but not on Pixel 2 or SSG S7.


@mrl99 mrl99 commented Apr 19, 2018

Tried it on Google Authenticator, Authy, and Duo Mobile, and all 3 used SHA1 even when parameterized for SHA256.

Contributor

@ThomasHabets ThomasHabets commented Apr 19, 2018

I'm downgrading this to a feature request since the RFC says:

TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226].

And RFC4226 just says SHA-1.


@labanskoller labanskoller commented Jul 11, 2019

I agree that HMAC-SHA-256 and HMAC-SHA-512 support is not required to fulfill the standards, but I strongly recommend rejecting those algorithms instead of just accepting the QR codes and letting the users wonder why it doesn't work. There should be proper error messages. Note that I haven't tested the open source version, but it's a problem in the Google Play version for sure.

But Google Authenticator is not alone. Out of eight tested apps on Android and iOS, only Sophos has full support on both platforms. Symantec does a good job too, since they reject all modes they don't support.

https://labanskoller.se/blog/2019/07/11/many-common-mobile-authenticator-apps-accept-qr-codes-for-modes-they-dont-support/
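To make the failure mode in this thread concrete, the following is an added example (not code from Google Authenticator or any of the apps discussed): it parses the otpauth URI from the first post, computes the RFC 6238 code with the requested HMAC algorithm, and shows what a client produces if it silently falls back to SHA1 instead of rejecting an unsupported `algorithm` parameter. The timestamp is a fixed value chosen for repeatability; the `SUPPORTED` table and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# otpauth URI as posted in the first comment of this issue.
ISSUE_URI = "otpauth://totp/ckpool:ckolivas?secret=46PABKV2HL2BYL5P&algorithm=SHA256&issuer=BitclubPool"

# Algorithms this example is willing to run; anything else is rejected rather than mapped to SHA1.
SUPPORTED = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Return the TOTP parameters carried by an otpauth:// URI (defaults per the key URI format)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # base32 padding is usually omitted in URIs
    return {
        "secret": base64.b32decode(secret),
        "algorithm": q.get("algorithm", "SHA1").upper(),  # SHA1 is the default when absent
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret, timestamp, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP (RFC 4226) dynamic truncation over the time-step counter."""
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported algorithm: " + algorithm)  # reject, never fall back
    counter = struct.pack(">Q", int(timestamp) // period)
    mac = hmac.new(secret, counter, SUPPORTED[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def demonstrate_mismatch(uri, timestamp):
    """Code the server expects vs. the code a client produces if it ignores `algorithm`."""
    p = parse_otpauth(uri)
    expected = totp(p["secret"], timestamp, p["algorithm"], p["digits"], p["period"])
    sha1_fallback = totp(p["secret"], timestamp, "SHA1", p["digits"], p["period"])
    return expected, sha1_fallback


if __name__ == "__main__":
    exp, got = demonstrate_mismatch(ISSUE_URI, 1438300800)  # fixed timestamp for repeatability
    print("server (SHA256):", exp, " client falling back to SHA1:", got)
```

The two printed codes are derived from the same secret and time step but different HMAC functions, which is why a SHA256-enrolled account "never works" in an app that ignores the parameter; `totp()` reproduces the RFC 6238 Appendix B vectors for all three algorithms.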
