google / google-authenticator

Open source version of Google Authenticator (except the Android app)
Apache License 2.0

Does not comply with RFC 6238 #696

Closed k-a-z-u closed 4 years ago

k-a-z-u commented 4 years ago

According to RFC 6238, three different hashes are allowed.

Issue 1: As stated in the readme.md, only SHA1 is supported. SHA256 and SHA512 are not.

Issue 2: When scanning a QR code with SHA256/SHA512, it is still ACCEPTED. The user is led to believe that everything works as expected. But the GA happily provides invalid codes.

Other apps from the Play Store work correctly.
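As an added illustration of both points (not code from the issue or from the google-authenticator project): an RFC 6238 TOTP generator with the HMAC hash selectable, checked against the RFC's test vectors, plus a comparison of what a SHA1-only generator would produce for a provisioning URI labelled `algorithm=SHA256`. The URI, the account label and the `codes_for` helper are constructed for this example; the 32-byte secret is the RFC 6238 SHA-256 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238: TOTP = HOTP(K, T) with T = floor(unix_time / period).
# HMAC-SHA-1 is the default; HMAC-SHA-256 / HMAC-SHA-512 are the optional variants.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    counter = struct.pack(">Q", unix_time // period)          # 8-byte big-endian T
    mac = hmac.new(secret, counter, HASHES[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F                                   # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def parse_otpauth(uri: str) -> dict:
    """Read secret/algorithm/digits/period from an otpauth://totp/... URI."""
    q = parse_qs(urlparse(uri).query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)                              # URIs usually strip padding
    return {"secret": base64.b32decode(b32),
            "algorithm": q.get("algorithm", ["SHA1"])[0],
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0])}

def codes_for(uri: str, unix_time: int) -> tuple:
    """(code honouring the URI's algorithm, code from a generator that always uses SHA1)."""
    p = parse_otpauth(uri)
    honoured = totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])
    sha1_only = totp(p["secret"], unix_time, "SHA1", p["digits"], p["period"])
    return honoured, sha1_only

# Constructed provisioning URI (hypothetical issuer/account), labelled SHA256 as a
# QR code from a SHA-256 enrolment would be; secret = RFC 6238 SHA-256 test key.
EXAMPLE_URI = ("otpauth://totp/Example:alice?secret="
               + base64.b32encode(b"12345678901234567890123456789012").decode().rstrip("=")
               + "&issuer=Example&algorithm=SHA256&digits=8&period=30")

if __name__ == "__main__":
    honoured, sha1_only = codes_for(EXAMPLE_URI, 59)
    print("server expects (SHA256):", honoured)       # 46119246 per RFC 6238 Appendix B
    print("SHA1-only app shows:    ", sha1_only)      # different code -> login fails
```

The server, having enrolled the key for SHA256, verifies against the first value; an app that accepted the URI but silently computed SHA1 shows the second, which is exactly the "invalid codes" symptom of issue 2.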

ThomasHabets commented 4 years ago
   TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
   based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
   HMAC-SHA-1 function that has been specified for the HOTP computation
   in [RFC4226].

SHA256/SHA512 are optional. Only SHA1 is required for RFC compliance.

ThomasHabets commented 4 years ago

(also this repo does not involve the Android app, which I assume you mean since you say "Play Store")