catalyst / moodle-tool_mfa

A Multi-Factor Authentication Moodle plugin with flexible support for TOTP, Email, IP and more
https://moodle.org/plugins/tool_mfa

Increase TOTP key length to 128 #424

Closed agru closed 4 months ago

agru commented 1 year ago

The secret key length of the TOTP factor should be 128 bits as requested by RFC 4226, section 4, requirement 6. At least one TOTP app, FreeOTP, shows nasty warnings about a weak key when using only an 80-bit key length. This commit increases the key length to 128 bits without breaking compatibility with already existing 80-bit keys in the database for users that have set up TOTP before this change. This solves issue #383.
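The compatibility point in the description above, as an added example that is not part of this pull request or the plugin's code: HOTP/TOTP keys the HMAC with whatever bytes are stored, so raising the length for new enrolments does not invalidate existing 80-bit secrets. It is written in Python rather than the plugin's PHP, and all function names and the legacy secret are constructed for illustration.

```python
import base64, hashlib, hmac, secrets, struct

MIN_BITS = 128  # RFC 4226 section 4, R6: shared secret MUST be at least 128 bits

def new_secret(bits=MIN_BITS):
    """Generate a fresh secret for new enrolments (unpadded base32)."""
    return base64.b32encode(secrets.token_bytes(bits // 8)).decode().rstrip("=")

def decode_secret(b32):
    """Decode a stored secret, restoring the '=' padding that apps and
    provisioning URIs usually strip (16 bytes encode to 26 chars + 6 pad)."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def secret_bits(b32):
    return len(decode_secret(b32)) * 8

def needs_upgrade(b32):
    """True for legacy secrets shorter than the RFC 4226 minimum."""
    return secret_bits(b32) < MIN_BITS

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(b32, unix_time, step=30):
    return hotp(decode_secret(b32), int(unix_time) // step)

def verify(b32, code, unix_time, step=30, window=1):
    """Accept codes within +/- window time steps. Key length is irrelevant
    here, which is why old 80-bit rows keep verifying after the change."""
    now = int(unix_time) // step
    return any(hmac.compare_digest(hotp(decode_secret(b32), c), code)
               for c in range(now - window, now + window + 1) if c >= 0)

# Constructed sample: a legacy 80-bit secret (16 base32 characters).
LEGACY_SECRET = "JBSWY3DPEHPK3PXP"

if __name__ == "__main__":
    fresh = new_secret()
    for label, s in (("legacy", LEGACY_SECRET), ("new", fresh)):
        print(label, secret_bits(s), "bits, needs upgrade:", needs_upgrade(s),
              "verifies:", verify(s, totp(s, 1_700_000_000), 1_700_000_000))
```

A length check like `needs_upgrade` only identifies short secrets; replacing one still requires the user to re-enrol, since the authenticator app holds the old key.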

danmarsden commented 4 months ago

As mentioned on #383, closing this as "won't fix" in the older branches for now - Moodle now includes the mfa plugin in the core release and so feature/improvements need to land in Moodle core "first". We can backport stuff that lands upstream in Moodle core - so if you get this change into Moodle's core release, feel free to re-open this again for further consideration.