google / google-authenticator

Open source version of Google Authenticator (except the Android app)


Does not comply with RFC 6238

k-a-z-u opened this issue · comments

According to RFC 6238 three different hashes are allowed.

Issue 1:
As stated in the readme.md, only SHA1 is supported. SHA256 and SHA512 are not.

Issue 2:
When scanning a QR code with SHA256/SHA512 it is still ACCEPTED. The user is led to believe that everything works as expected. But the GA happily provides invalid codes.

Other apps from the Play Store work correctly.

   TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
   based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
   HMAC-SHA-1 function that has been specified for the HOTP computation
   in [RFC4226].

SHA256/SHA512 are optional. Only SHA1 is required for RFC compliance.

(also this repo does not involve the Android app, which I assume you mean since you say "Play Store")
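Added example, not code from this repository or from either commenter: a minimal RFC 6238 TOTP generator in Python that takes the HMAC hash from the otpauth URI's `algorithm=` parameter and rejects unknown values at enrolment instead of silently falling back to SHA1. It checks itself against the RFC 6238 Appendix B seeds, so the SHA256/SHA512 case produces the codes a server configured that way expects. The `Example:alice` label and the `rfc6238_uri` helper are constructed for the demonstration.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 Appendix B reference seeds: ASCII "1234567890" repeated and cut to
# 20, 32 and 64 bytes for SHA1, SHA256 and SHA512 respectively.
RFC6238_SEEDS = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234",
}
SUPPORTED = ("SHA1", "SHA256", "SHA512")

def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP with the HMAC hash selectable as RFC 6238 permits."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algorithm}")
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation keys off the digest's last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter T = floor(time / period)."""
    return hotp(secret, unix_time // period, algorithm, digits)

def totp_from_uri(uri: str, unix_time: int) -> str:
    """Code for an otpauth://totp/ URI, honouring its algorithm= parameter.
    An unsupported algorithm is rejected at enrolment rather than silently
    replaced by SHA1, which is the behaviour the issue above describes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    algorithm = params.get("algorithm", "SHA1").upper()
    b32 = params["secret"].upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore stripped padding
    return totp(secret, unix_time, algorithm,
                int(params.get("digits", 6)), int(params.get("period", 30)))

def rfc6238_uri(algorithm: str, digits: int = 8) -> str:
    """Constructed enrolment URI carrying the RFC 6238 test seed for `algorithm`."""
    secret = base64.b32encode(RFC6238_SEEDS[algorithm]).decode().rstrip("=")
    return (f"otpauth://totp/Example:alice?secret={secret}"
            f"&algorithm={algorithm}&digits={digits}&period=30")
```

The RFC's test vectors use 8 digits, so pass `digits=8` (or a URI with `digits=8`) when comparing against Appendix B.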