Closed jnweiger closed 7 months ago
reproduced with 0.8.1
@IljaN is this a real security issue? Or do apps just complain in order to have a better option?
It seems it's possible to configure sha1 (default), sha256 and sha512 as algorithms to be used by sending an additional algorithm
parameter in the otpauth url (which is encoded in the QR).
The problem is that we'll need to check the code coming from the mobile using the same algorithm, so we'll have to store the algorithm used somewhere in the DB.
I think this will need several changes in the app because supporting different algorithms doesn't seem to be planned.
Note that switching directly to a different algorithm isn't possible:
We'll have to figure out how we can let the users choose whatever algorithm they want to use.
From a security perspective, I think it's fine.
The only place where the algorithm is relevant is when the client sends the generated totp code to the server. For the rest of the workflow, the algorithm used doesn't matter. Assuming that someone gets the code sent from the client, the only way to get the secret is by brute force. This is regardless of the algorithm used.
I guess sha256 and sha512 are considered better because they are slower, so in case of a brute force attack it will take more time to figure out the secret. However, in terms of overall security I guess it's the same. Maybe that's why neither Google nor Microsoft have support for those in their apps.
I'm not a security expert, so maybe I'm wrong.
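The enrolment and verification flow discussed above (the `algorithm` parameter in the otpauth URI, and the server having to check the submitted code with the same algorithm it enrolled), as an added example that is not part of the original thread and not the twofactor_totp app's own code. It is written in Python rather than the app's PHP so that it runs stand-alone; the issuer/account names are made up, and the secrets are the RFC 6238 Appendix B test vectors.

```python
"""TOTP with a selectable HMAC algorithm (RFC 6238), driven by the otpauth URI
'algorithm' parameter. Added illustration, not twofactor_totp code."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, urlparse

# Algorithms an otpauth URI may name; SHA1 is the default when the parameter is absent.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def build_otpauth_uri(issuer, account, secret, algorithm="SHA1", digits=6, period=30):
    """Server side: build the otpauth://totp/... URI that is encoded into the QR code."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    label = quote("%s:%s" % (issuer, account))
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return "otpauth://totp/%s?secret=%s&issuer=%s&algorithm=%s&digits=%d&period=%d" % (
        label, b32, quote(issuer), algorithm, digits, period)


def parse_otpauth_uri(uri):
    """Client side: return (secret, algorithm, digits, period) as an authenticator app reads them."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore the base32 padding most issuers strip
    secret = base64.b32decode(b32)
    algorithm = q.get("algorithm", ["SHA1"])[0].upper()  # SHA1 when the parameter is missing
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return secret, algorithm, digits, period


def hotp(secret, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP; only the HMAC hash changes with the algorithm parameter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation works for any digest length >= 20
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at, algorithm="SHA1", digits=6, period=30):
    """RFC 6238: HOTP over the time step counter."""
    return hotp(secret, int(at) // period, algorithm, digits)


def verify(secret, code, at, algorithm="SHA1", digits=6, period=30, window=1):
    """Server side: the algorithm must be the one stored at enrolment, not a fixed default.
    Accepts +/- `window` time steps of clock drift, compared in constant time."""
    step = int(at) // period
    for c in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, c, algorithm, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed enrolment: hypothetical issuer and account, RFC 6238 SHA256 test secret.
    secret = b"12345678901234567890123456789012"
    now = 59
    uri = build_otpauth_uri("ownCloud", "alice@example.org", secret, "SHA256", 8)
    print("QR payload:", uri)
    # The app parses the URI and generates a code with the algorithm it names.
    c_secret, c_alg, c_digits, c_period = parse_otpauth_uri(uri)
    code = totp(c_secret, now, c_alg, c_digits, c_period)
    print("client code:", code)
    # Verification with the stored algorithm succeeds; assuming SHA1 does not.
    print("server (stored SHA256):", verify(secret, code, now, "SHA256", 8))
    print("server (assumes SHA1): ", verify(secret, code, now, "SHA1", 8))
```

The last two lines are the point of the thread: once the URI carries `algorithm=SHA256`, the server has to persist that choice per user and pass it into `verify`; checking with the hard-coded default rejects every code the app produces. The 8-digit values for the RFC secrets at `at=59` are `94287082` (SHA1), `46119246` (SHA256) and `90693936` (SHA512), i.e. the RFC 6238 Appendix B table.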
@hodyroff fyi @IljaN
@DeepDiver1975 Take a second look, thx
With the latest version of FreeOTP it is no longer possible to add the QR code. @IljaN @jnweiger can you please test as well if possible? THX
Latest Version (for me) from PlayStore: v2.0.2 (43), it is still possible to add the Token.
Since supported algorithms vary based on the authenticator app used, we would need to ask the user to choose an algo. This is far from user friendly. SHA1 is the agreed default as per specs. Let's just continue to use this as is.
To be re-evaluated in 2024
Tested with andOTP 0.9.0.1-play: works just fine. No complaints.
Tested with 2FA Authenticator (2FAS) 5.1.0: works just fine. No complaints.
As far as I can tell, FreeOTP was only mentioned once in https://owncloud.com/news/how-to-use-two-factor-authentication-with-the-owncloud-desktop-client-or-mobile-apps/#setup-your-second-authentication-factor
2FA Authenticator is more prominently mentioned in https://doc.owncloud.com/webui/next/classic_ui/personal_settings/security.html#two-factor-authentication Maybe we should also mention andOTP there?
Seen with twofactor_totp-0.8.0-rc.2 on core 10.12.2 using Android FreeOTP Version 2.0.1 (42)
When clicking "use anyway", the protocol works fine. Google Authenticator accepts the code without warnings.
Expected behaviour: