Open hevanaa opened 7 years ago
The site also allowed selecting SHA256 and SHA512 for HOTP, even though it is not mentioned in the standard. But as said in comments in the above stackexchange page, as HOTP is virtually same as TOTP, nothing would be wrong using the algorithms there too.
I'll look into implementing the additional hashing algorithms, but I can't give you any timeframe when it will happen, since I'm quite busy with other stuff at the moment.
I stumbled upon a site that let me choose TOTP algorithm between SHA1, SHA256 or SHA512. Only SHA1 worked.
According to https://security.stackexchange.com/a/45906, using HMAC-SHA-256 or HMAC-SHA-512 for RFC 6238 (TOTP) is within the scope of the standard (section 1.2). Not for HOTP, though. RFC 4226 only allows HMAC-SHA-1.