Closed jxstxn1 closed 8 months ago
That is expected behavior because that site probably uses Google-standard OTP by default.
Google OTP does not follow the RFC standard, and does things differently. Most sites/tools default to the Google OTP Standard to make it easy for users and minimize incompatibility. This library defaults to the RFC spec, and allows Google style when needed.
In this case here, isGoogle isn't specific to just Google Authenticator or Google themselves; it means "use Google's standard for OTP, not the RFC".
Thanks for the answer, this gave me a lot of clarity. Is there a good way of checking if an OTP is from Google?
A potential way would be showing the user the Google and RFC codes and asking him which one is the right one. But this seems kinda bad for the user experience.
No, there really isn't. It is why everyone defaults to Google's. The key difference between RFC and Google is Google forces Base32 encoding (it will fail decoding if it has non-Base32 characters or isn't the right length to decode properly).
The other is the padding. Google pads by just repeating the secret over and over until it gets to the right length. RFC doesn't do any sort of padding and expects you to get the right sized secret.
There is also SHA1 vs SHA256 differences. I forget which but I think Google uses SHA256 and RFC uses SHA1.
It is a giant mess. It would be so much easier if the RFC was updated to modern standards, or if the Google standard got formally created, so it can be easier to deal with.
Right now it's a bunch of branching logic to change how it behaves based on things.
But in general it is safe to assume that it is a Google standard OTP.
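To make the differences described above concrete, here is an added Python model of the two secret-handling paths (this is illustrative code written for this thread, not the library's own implementation). The Google-style path Base32-decodes the secret, rejects non-Base32 input, and pads the key by repeating it up to the hash's digest size; the RFC-style path uses the secret bytes as given with no padding. Which hash each mode defaults to in the library is not shown in this thread, so the defaults below (SHA1 for Google mode, SHA256 otherwise) are assumptions, and the RFC-mode choice of treating the secret as raw UTF-8 bytes is likewise an assumption. The expected codes come from the RFC 6238 Appendix B test vectors, whose SHA256 and SHA512 secrets are exactly the 20-byte SHA1 secret repeated, which is the same padding rule.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4648 Base32 alphabet: no 0, 1, 8 or 9, which is why "fails decoding" is
# a usable (if weak) signal that a secret was never meant to be Base32.
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def decode_google_secret(secret: str) -> bytes:
    """Google-style: the secret is Base32 text; anything else is rejected."""
    s = secret.strip().replace(" ", "").upper()
    if not s or not set(s) <= B32_ALPHABET:
        raise ValueError("secret is not Base32 (RFC 4648 alphabet)")
    s += "=" * (-len(s) % 8)  # restore the '=' padding that otpauth URIs drop
    return base64.b32decode(s)


def pad_by_repeating(key: bytes, size: int) -> bytes:
    """Repeat the key until it fills the hash's digest size (20/32/64 bytes)."""
    if not key:
        raise ValueError("empty secret")
    return (key * (size // len(key) + 1))[:size]


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: int, *, google: bool, digits: int = 6,
         step: int = 30, algo=None) -> str:
    """RFC 6238 TOTP with the two secret-handling modes from the discussion.

    google=True : Base32-decode, pad by repetition, default SHA1 (assumed).
    google=False: raw secret bytes (assumed UTF-8), no padding, default SHA256 (assumed).
    """
    if google:
        algo = algo or hashlib.sha1
        key = pad_by_repeating(decode_google_secret(secret), algo().digest_size)
    else:
        algo = algo or hashlib.sha256
        key = secret.encode("utf-8")
    return hotp(key, at // step, digits, algo)


if __name__ == "__main__":
    # RFC 6238 Appendix B seed; "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" is its Base32 form.
    raw = "12345678901234567890"
    b32 = base64.b32encode(raw.encode()).decode()
    print("RFC mode, SHA1, t=59   :", totp(raw, 59, google=False, digits=8, algo=hashlib.sha1))
    print("Google mode, SHA1, t=59:", totp(b32, 59, google=True, digits=8))
    # The thread's constructed test secret: valid Base32, only 5 bytes once decoded.
    print("2FASTEST decodes to", len(decode_google_secret("2FASTEST")), "bytes")
```

Running this shows the two modes agree only when the Base32 text decodes to the very same bytes the RFC path is fed; the same secret typed into both paths produces different codes, which is the symptom reported in this issue.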
Thank you for the answer and clarification :)
I tested the package with the following page: https://2fas.com/check-token/ The generated secret is '2FASTEST'. Weirdly, the package only generates the right OTP if I set isGoogle to true, even if it's not a Google OTP.