Why is the shared secret used in libpam only 80 bits?

[ThomasHabets]

Original issue 340 created by terrycwk1994 on 2013-11-07T02:52:37.000Z:

The code in libpam/google-authenticator.c defines the shared secret to be 80 bits.

define SECRET_BITS 80 // Must be divisible by eight

This appears not to conform with RFC 42261 that states:

R6 - The algorithm MUST use a strong shared secret. The length of
the shared secret MUST be at least 128 bits. This document
RECOMMENDs a shared secret length of 160 bits.

I suggest that the code be patched to modify this to 160 bits, which conforms with the recommendation by RFC 4226 and is what Google is using for 2FA with their own services.

[ThomasHabets]

Migrated comment:

http://security.stackexchange.com/questions/45053/why-does-google-cripple-the-2fa-google-authenticator-pam-module

[ThomasHabets]

Comment #1 originally posted by akshay@10gen.com on 2013-11-24T19:19:21.000Z:

http://security.stackexchange.com/questions/45053/why-does-google-cripple-the-2fa-google-authenticator-pam-module

[ThomasHabets]

Comment #2 originally posted by akshayk on 2013-11-27T01:54:19.000Z:

http://security.stackexchange.com/questions/45053/why-does-google-cripple-the-2fa-google-authenticator-pam-module

[ThomasHabets]

This issue was moved to google/google-authenticator-libpam#18