Open knighthawkbro opened 6 years ago
Google Authenticator explicitly does not support SHA256 or SHA512. It only supports SHA1.
From the GA docs:
"Currently, the algorithm parameter is ignored by the Google Authenticator implementations."
Similarly, Google Authenticator only supports 6 digit codes:
"Currently, the digits parameter is ignored by the Google Authenticator implementations."
I have tested the function of this library using SHA512 as the algorithm using 1Password's TOTP feature and it worked fine. It also works with 8 digit codes without any problems.
Looks like Google Authenticator (GA) only supports SHA1 URIs even though it says it supports 256/512. I have tested it with a few other authenticators on iPhone:
Not working:
Working:
Is there any problem with the Base32 padding or URI encoding that could be preventing other apps from working properly?
I saw this article that GA has a potential problem and recommends using their authenticator for their Sophos firewall. Let me know what you think.
EDIT: Funny how Google helped with the SHA1 Collision Attack and Google Authenticator still only supports SHA1. Is there any problem with that?
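The mismatch discussed in this thread, as an added example that is not code from this library or from any participant: a verifier that honours the `algorithm` and `digits` parameters of an `otpauth://` URI, next to an app that ignores both as the quoted GA docs describe. The function names and the `Example:alice` label are hypothetical; the keys are the RFC 6238 test-vector seeds, and the parser restores stripped Base32 padding.

```python
import base64, hmac, struct
from urllib.parse import urlparse, parse_qs

def totp(secret, t, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP for Unix time t."""
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    counter = struct.pack(">Q", t // period)
    mac = hmac.new(secret, counter, algorithm.lower()).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri):
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore padding
    return (secret, q.get("algorithm", "SHA1").upper(),
            int(q.get("digits", "6")), int(q.get("period", "30")))

def server_code(uri, t):
    """Verifier side: honours every parameter in the URI."""
    secret, alg, digits, period = parse_otpauth(uri)
    return totp(secret, t, alg, digits, period)

def ignoring_app_code(uri, t):
    """App side (hypothetical model): ignores algorithm and digits."""
    secret, _alg, _digits, period = parse_otpauth(uri)
    return totp(secret, t, "SHA1", 6, period)

def make_uri(secret, algorithm, digits):
    b32 = base64.b32encode(secret).decode().rstrip("=")  # unpadded, as in QR codes
    return (f"otpauth://totp/Example:alice?secret={b32}"
            f"&issuer=Example&algorithm={algorithm}&digits={digits}")

# Constructed inputs: RFC 6238 Appendix B seeds for SHA1 and SHA512.
SHA1_KEY = b"12345678901234567890"
SHA512_KEY = (b"1234567890" * 7)[:64]

if __name__ == "__main__":
    for key, alg, digits in [(SHA1_KEY, "SHA1", 6), (SHA1_KEY, "SHA1", 8),
                             (SHA512_KEY, "SHA512", 6), (SHA512_KEY, "SHA512", 8)]:
        uri = make_uri(key, alg, digits)
        s, a = server_code(uri, 59), ignoring_app_code(uri, 59)
        print(f"{alg:6} digits={digits} server={s:8} app={a} match={s == a}")
```

Only the SHA1, 6 digit enrollment verifies against an app that ignores the parameters, so a server that issues SHA256/SHA512 or 8 digit URIs should expect enrollment failures from such apps rather than suspect the Base32 or URI encoding.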