Does not comply with RFC 6238
k-a-z-u opened this issue · comments
Frank Ebner commented
According to RFC 6238 three different hashes are allowed.
Issue 1:
As stated in the readme.md, only SHA1 is supported. SHA256 and SHA512 are not.
Issue 2:
When scanning a QR code with SHA256/SHA512 it is still ACCEPTED. The user is led to believe that everything works as expected. But the GA happily provides invalid codes.
Other apps from the Play Store work correctly.
Thomas Habets commented
TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
HMAC-SHA-1 function that has been specified for the HOTP computation
in [RFC4226].
SHA256/SHA512 are optional. Only SHA1 is required for RFC compliance.
Thomas Habets commented
(also this repo does not involve the Android app, which I assume you mean since you say "Play Store")
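As an added example (not code from this issue thread or the project), an RFC 6238 TOTP routine parameterised by hash algorithm, checked against the RFC's Appendix B test vectors, plus a small otpauth URI parser that honours the `algorithm` parameter and rejects unsupported values. It also shows the failure mode described in Issue 2: feeding a SHA-256 key through HMAC-SHA-1 produces a different, and therefore invalid, code.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 Appendix B test keys (ASCII secrets; the RFC uses one per hash)
KEYS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}
SUPPORTED = ("sha1", "sha256", "sha512")  # the three hashes RFC 6238 permits


def hotp(key: bytes, counter: int, algorithm: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP with the HMAC hash selectable as RFC 6238 section 1.2 allows."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, algorithm: str = "sha1",
         digits: int = 6, step: int = 30, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since t0."""
    return hotp(key, (unix_time - t0) // step, algorithm, digits)


def parse_otpauth(uri: str):
    """Return (key, algorithm, digits) from an otpauth://totp/... URI.

    An app that accepts the URI but silently ignores 'algorithm' is the
    behaviour the issue complains about; here an unknown value is rejected
    instead of being mapped to SHA1.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    algorithm = params.get("algorithm", ["SHA1"])[0].lower()
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    secret = params["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if omitted
    digits = int(params.get("digits", ["6"])[0])
    return base64.b32decode(secret), algorithm, digits


if __name__ == "__main__":
    for alg in SUPPORTED:
        print(alg, totp(KEYS[alg], 59, alg, 8))  # T=59 vectors from RFC 6238
```

With the RFC's SHA-256 key, `totp(KEYS["sha256"], 59, "sha1", 8)` does not equal the expected `46119246`, which is exactly the silent mismatch a server configured for SHA-256 would reject.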