RobThree / TwoFactorAuth

PHP library for Two Factor Authentication (TFA / 2FA)
MIT License

Compatibility with Authy using sha256 #54

Closed deanc closed 3 years ago

deanc commented 3 years ago

Hi Rob,

It's mentioned in the docs about adjusting the algorithm from the default sha1. We are in a position we can insist our users use Authy for example, and from a quick google it seems it should support this algorithm, but I can't get codes from Authy verified if I set the algorithm to sha256. Only sha1 works. Can you clarify the situation here? What string exactly should I be supplying there?

BR, Dean

RobThree commented 3 years ago

Which algorithms are supported can be found here in the source code and here in the README (though I admit, I should've summed up all options there done).

When I use the code:

$tfa = new TwoFactorAuth('MyApp', 6, 30, 'sha256');

The TOTP codes generated by Google Authenticator, FreeOTP and Lastpass work for me. Authy doesn't, neither does Microsoft's Authenticator.

Though technically SHA256 is 'safer', it's only (very) marginally safer. If it were up to me I'd stick with the most compatible SHA1 algorithm, providing the best service to your users, who are then free to use any of the many authenticator apps out there.

and from a quick google it seems it should support this algorithm

Do you have a source / link for me?
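The mismatch behind this issue, as an added illustration (not code from the TwoFactorAuth library): a plain RFC 6238 TOTP implementation computing codes for the same shared secret with HMAC-SHA1 and HMAC-SHA256. An app that silently falls back to SHA1 produces a code the server, configured for SHA256 like the `$tfa` example above, will reject. The RFC 6238 test seeds in the comments are the standard ones; the base32 secret and timestamps used in `demonstrate_mismatch` are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Supported digest names, mirroring the algorithm strings accepted by the library.
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def decode_base32(secret: str) -> bytes:
    """Decode a base32 secret as shown in authenticator apps (padding/spaces optional)."""
    cleaned = secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret: bytes, algorithm: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / period)."""
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(secret, counter, DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(code: str, secret: bytes, algorithm: str, at: int, window: int = 1,
           digits: int = 6, period: int = 30) -> bool:
    """Server-side check: accept the code if it matches any step within +/- window."""
    for step in range(-window, window + 1):
        expected = totp(secret, algorithm, at + step * period, digits, period)
        if hmac.compare_digest(expected, code):
            return True
    return False


def demonstrate_mismatch(secret_b32: str = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                         at: int = 1234567890) -> dict:
    """Constructed scenario: server expects sha256, app silently falls back to sha1."""
    secret = decode_base32(secret_b32)
    app_code = totp(secret, "sha1", at)        # what an app ignoring the algorithm sends
    server_code = totp(secret, "sha256", at)   # what the sha256-configured server expects
    return {
        "app_code": app_code,
        "server_code": server_code,
        "accepted_by_sha256_server": verify(app_code, secret, "sha256", at),
        "accepted_by_sha1_server": verify(app_code, secret, "sha1", at),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B seeds: 20-byte ASCII digits for SHA1, 32 bytes for SHA256.
    print(totp(b"12345678901234567890", "sha1", 59, digits=8))                # 94287082
    print(totp(b"12345678901234567890123456789012", "sha256", 59, digits=8))  # 46119246
    print(demonstrate_mismatch())
```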

deanc commented 3 years ago

Thanks Rob. I reached out to Authy to ask about this after writing this issue. It's pretty awful they just ignore the algorithm without an error and return you sha1 codes.

Maybe it would be useful to have a separate markdown document in the Wiki or something detailing which apps support which algos :)

By the way, the wiki redirects me to the repository home right now so I guess it's not enabled?

RobThree commented 3 years ago

Maybe it would be useful to have a separate markdown document in the Wiki or something detailing which apps support which algos :)

Meh, that only means more stuff to keep up-to-date. I think a general comment ("make sure you test if you insist on using anything other than SHA1") is better.

By the way, the wiki redirects me to the repository home right now so I guess it's not enabled?

It's not.

deanc commented 3 years ago

I kind of see your point, but if it were on the wiki I presume anyone could keep that info up to date - not you :)?

RobThree commented 3 years ago

I kind of see your point too but, in my experience, wikis don't get updated that often unless it's a -very- popular library. And it might potentially 'cost' some 'customers' if the wiki says X is not supported when it actually is (now). So I'm kind of on the fence on this. Let me think about it for a bit 😉

RobThree commented 3 years ago

Also, @deanc, would you happen to have the source stating Authy supports sha256? I would love to see/verify it, maybe set the authors straight (too).

deanc commented 3 years ago

It doesn't support it, but it doesn't tell you that it doesn't support it. That's the problem :)

willpower232 commented 3 years ago

FWIW a github wiki can only be edited by those with push permission on the repo itself so isn't a great collaborative space. A markdown page in the repo code itself is much easier for a community to support.

tunnckoCore commented 2 weeks ago

I can confirm, it DOESN'T support sha256

I'm moving away from it anyway