Closed zem closed 1 year ago
Agreed, we should probably update this. The reason for using sha1 was that it seems to be the default in FreeIPA and in our testing it was supported by most mobile OTP client applications.
Hello @aebruno
Do you know if it's still in the pipes to change the default algorithm at least to sha256? (Of course having the choice between sha1/sha256/sha512 could be cool)
Regards,
@Jonathan-Caruana Yes, it's in the works. Hoping to release a new version of mokey soon.
@aebruno Glad to read!
I will be attentive for the next version.
Thank you for your quick reply and for your work.
Regards,
Is there a particular reason that OTP tokens are generated using sha1 rather than sha256 or sha512?
https://github.com/ubccr/mokey/blob/56aba60d5580a88d4399b41b97dc80f33adcd040/server/otp.go#L172
As sha1 is considered insecure as a hash algorithm, I would suggest going for sha256.
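For reference, an added example (not mokey's code and not written by anyone in this thread) of what the algorithm choice discussed here changes: RFC 6238 TOTP with a selectable HMAC hash, plus the `algorithm` parameter of the otpauth provisioning URI that the client application has to honour. The names `TOTP` and `ProvisioningURI`, the issuer `example` and the account `alice` are hypothetical, and a 30-second time step is assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"math"
	"net/url"
)

// algorithms maps the otpauth "algorithm" value to the hash used inside HMAC.
var algorithms = map[string]func() hash.Hash{"SHA1": sha1.New, "SHA256": sha256.New, "SHA512": sha512.New}

// TOTP returns the RFC 6238 code for unixTime using a 30-second step (assumed).
func TOTP(algo string, secret []byte, unixTime int64, digits int) (string, error) {
	newHash, ok := algorithms[algo]
	if !ok {
		return "", fmt.Errorf("unsupported algorithm %q", algo)
	}
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(newHash, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226): the low nibble of the last byte selects the offset.
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits))), nil
}

// ProvisioningURI builds the otpauth URI; a client that ignores "algorithm" will compute SHA1 codes.
func ProvisioningURI(issuer, account, algo string, secret []byte) string {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	q := url.Values{"secret": {enc}, "issuer": {issuer}, "algorithm": {algo}}
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

func main() {
	secret := []byte("12345678901234567890") // constructed sample secret, not a real token
	for _, algo := range []string{"SHA1", "SHA256", "SHA512"} {
		code, _ := TOTP(algo, secret, 59, 8)
		fmt.Println(algo, code) // same secret and time, different code per algorithm
	}
	fmt.Println(ProvisioningURI("example", "alice", "SHA256", secret))
}
```

Because the same secret and timestamp yield a different code under each hash, the server and the enrolled client must agree on the algorithm, which is why client support matters when changing the default.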