google / google-authenticator

Open source version of Google Authenticator (except the Android app)
Apache License 2.0

SHA512 OTP not working #630

Closed joosan closed 6 years ago

joosan commented 6 years ago

When using Sophos UTM OTP functionality for VPN access it's working with the Google Authenticator app but only for SHA1 codes. We changed it to SHA512 and the OTP is no longer accepted by Sophos.

According to https://community.sophos.com/kb/en-us/126662 it may be the Google Authenticator app is not RFC compliant.

ThomasHabets commented 6 years ago

1) I'm not aware of any base32 issue that Sophos is referring to.
2) GA is RFC compliant (as far as I'm aware).
3) SHA512 support is not required by RFC4226 nor RFC6238[1].

Looking at what Sophos is actually saying, they don't seem to be saying that GA is not RFC compliant. The way I read it they make these claims:

1) Sophos is RFC compliant. (I'm not saying otherwise)
2) GA has a bug in some base32 code. (I'm not aware of that. They may be right, but it's too vague to do anything about. "There is an issue" is not an actionable bug report)
3) Sophos recommends you use something other than GA. (Fair enough, if GA has a bug or doesn't implement the optional SHA512)
4) If you do choose something else, make sure it's RFC compliant. (pretty obvious)
5) Very unhelpfully, Sophos doesn't even say which RFC they're referring to.

So Sophos is saying that there's a bug they don't specify, and you should use an app that follows some unspecified RFC.

Not much I can do here.

[1]

   TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
   based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
   HMAC-SHA-1 function that has been specified for the HOTP computation
   in [RFC4226].

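To make the quoted RFC passage concrete, here is an added TOTP implementation (not code from google-authenticator or from anyone in this thread) that takes the HMAC hash as a parameter and is checked against the RFC 6238 Appendix B test vectors. The function names, the base32 handling and the `verify` window are my own assumptions; the seeds are the RFC's published test seeds.

```python
import base64
import hashlib
import hmac
import struct

# Hash functions RFC 6238 allows; SHA-1 is the only one RFC 4226/6238 require.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# RFC 6238 Appendix B test seeds (the ASCII digits repeated to 20, 32 and 64 bytes).
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = b"12345678901234567890123456789012"
SEED_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


def hotp(key: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, algorithm: str = "SHA1", digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step)."""
    return hotp(key, unix_time // step, algorithm, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Decode a secret as typed from a QR code / otpauth URI: case-insensitive, padding often omitted."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify(secret: str, code: str, unix_time: int, algorithm: str = "SHA1",
           digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Verifier-side check allowing +-window steps of clock drift (assumed policy, not from the RFC).
    The algorithm must match what the client app computes: a verifier switched to SHA512
    rejects every code produced by an app that still runs SHA1 for that secret."""
    key = decode_base32_secret(secret)
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(key, counter + d, algorithm, digits), code)
               for d in range(-window, window + 1) if counter + d >= 0)


if __name__ == "__main__":
    # Same time, three algorithms: three different 8-digit codes (RFC 6238 Appendix B values).
    for name, seed in (("SHA1", SEED_SHA1), ("SHA256", SEED_SHA256), ("SHA512", SEED_SHA512)):
        print(name, totp(seed, 59, name, 8))
```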
ThomasHabets commented 6 years ago

Oh, and I don't even know which platform this is for.

joosan commented 6 years ago

Thank you Thomas. Platform is Android and I'll report back to Sophos.

ThomasHabets commented 6 years ago

If they give you an answer with more details about just what's wrong with GA then please open a bug in the android repo.