Closed k-a-z-u closed 4 years ago
TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
HMAC-SHA-1 function that has been specified for the HOTP computation
in [RFC4226].
SHA256/SHA512 are optional. Only SHA1 is required for RFC compliance.
(also this repo does not involve the Android app, which I assume you mean since you say "Play Store")
According to RFC 6238 three different hashes are allowed.
Issue 1: As stated in the readme.md, only SHA1 is supported. SHA256 and SHA512 are not.
Issue 2: When scanning a QR code with SHA256/SHA512, it is still ACCEPTED. The user is led to believe that everything works as expected, but GA happily provides invalid codes.
Other Apps from the Play Store work correctly.
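Added example (not code from this repository or from the issue author): a small RFC 6238 TOTP implementation in Python with the HMAC hash selectable among SHA1/SHA256/SHA512, checked against the RFC 6238 Appendix B vectors, plus an otpauth URI parser that fails closed when the declared algorithm is one the client cannot compute. It reproduces the mismatch described in Issue 2: a client that enrols a SHA256 URI but always computes SHA1 shows a code the server will reject. The URI, issuer and account label are constructed placeholders; the seeds are the RFC test seeds.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Hash functions RFC 6238 permits: HMAC-SHA1 is mandatory, SHA256/SHA512 are optional.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP, with the HMAC hash selectable as RFC 6238 allows."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    # Dynamic truncation (RFC 4226 s5.3): low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, algorithm, digits)


def parse_otpauth(uri: str, supported=frozenset(HASHES)) -> dict:
    """Parse an otpauth://totp/... URI; fail closed if the declared algorithm is unsupported.

    `supported` models the client's capabilities (assumption for this example). A client
    that only implements SHA1 must reject a SHA256/SHA512 URI here instead of enrolling
    the account and silently emitting SHA1 codes.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    algorithm = params.get("algorithm", "SHA1").upper()  # SHA1 is the default when absent
    if algorithm not in supported:
        raise ValueError(f"algorithm {algorithm} not supported by this client")
    b32 = params["secret"].upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore stripped padding
    return {
        "secret": secret,
        "algorithm": algorithm,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def code_for_uri(uri: str, unix_time: int, supported=frozenset(HASHES)) -> str:
    """Code a conforming client shows for the account described by `uri`."""
    acct = parse_otpauth(uri, supported)
    return totp(acct["secret"], unix_time, acct["algorithm"], acct["digits"], acct["period"])


# Constructed otpauth URI (issuer and label are placeholders) carrying the RFC 6238 SHA256 seed.
SEED_SHA256 = b"12345678901234567890123456789012"
DEMO_URI = (
    "otpauth://totp/Example:user@example.test?secret="
    + base64.b32encode(SEED_SHA256).decode().rstrip("=")
    + "&issuer=Example&algorithm=SHA256&digits=8&period=30"
)


def mismatch_demo(unix_time: int = 59) -> tuple:
    """Return (code the server expects, code a client gets by ignoring `algorithm`)."""
    expected = code_for_uri(DEMO_URI, unix_time)
    acct = parse_otpauth(DEMO_URI)
    wrong = totp(acct["secret"], unix_time, "SHA1", acct["digits"], acct["period"])
    return expected, wrong


if __name__ == "__main__":
    print("RFC 6238 vectors at T=59:",
          totp(b"12345678901234567890", 59, "SHA1", 8),
          totp(SEED_SHA256, 59, "SHA256", 8),
          totp(b"1234567890" * 6 + b"1234", 59, "SHA512", 8))
    print("server expects / SHA1-only client shows:", mismatch_demo())
    try:
        code_for_uri(DEMO_URI, 59, supported=frozenset({"SHA1"}))
    except ValueError as err:
        print("fail-closed client:", err)
```

The two behaviours to compare are `mismatch_demo()`, which yields a SHA1 code that never matches the server's SHA256 code, and `code_for_uri(..., supported={"SHA1"})`, which refuses the enrolment up front so the user finds out at scan time rather than at the first failed login.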