• Adam@lemmy.adambowl.es
    1 year ago

    Lemmy supports true standard TOTP. Those apps listed are the obscure ones; they do their own wacky shit with the standards.

    • Baron Von J@lemmy.world
      1 year ago

      The implementation doesn’t verify that you can generate valid tokens before updating your account and doesn’t give you any backup recovery tokens.

    • csm10495@sh.itjust.works
      1 year ago

      I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.

      Lemmy is using SHA256, which ‘may’, not ‘must’, be supported per RFC.

      The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outlier via using SHA256.

      Edit to add RFC reference:

      As defined in [RFC4226], the HOTP algorithm is based on the
      HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
      increasing counter value representing the message in the HMAC
      computation.

      ...

      TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
      based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
      HMAC-SHA-1 function that has been specified for the HOTP computation
      in [RFC4226].

      In: https://datatracker.ietf.org/doc/html/rfc6238
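
Added example (not from the thread and not Lemmy's code): a minimal RFC 6238 implementation showing that a SHA1-only app and a server using SHA256 produce different codes for the same secret, plus an enrollment check that enables 2FA only after a valid code is submitted. The `otpauth://` URI, its label, and the `honours_algorithm` switch modelling a SHA1-only app are assumptions; the seed is the RFC 6238 Appendix B test seed.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, urlparse

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(secret, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238: HOTP (RFC 4226) computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_enrollment(uri):
    """Read TOTP parameters from an otpauth:// URI; absent ones take the usual defaults."""
    q = parse_qs(urlparse(uri).query)
    b32 = q["secret"][0]
    return {
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def app_code(uri, unix_time, honours_algorithm=True):
    """Code an authenticator app would show. honours_algorithm=False models a
    hypothetical app that ignores the algorithm parameter and always uses SHA1."""
    p = parse_enrollment(uri)
    if not honours_algorithm:
        p["algorithm"] = "SHA1"
    return totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])

def confirm_enrollment(uri, submitted_code, unix_time):
    """Server side: enable 2FA only if the user proves they can generate a valid code."""
    p = parse_enrollment(uri)
    expected = totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])
    return hmac.compare_digest(expected, submitted_code)

# Constructed sample: RFC 6238 Appendix B SHA-256 seed, hypothetical label.
SEED_SHA256 = b"12345678901234567890123456789012"
SAMPLE_URI = ("otpauth://totp/Example:alice?secret="
              + base64.b32encode(SEED_SHA256).decode().rstrip("=")
              + "&algorithm=SHA256&digits=8&period=30")

if __name__ == "__main__":
    now = 59  # RFC 6238 test time
    for honours in (True, False):
        code = app_code(SAMPLE_URI, now, honours)
        print(honours, code, confirm_enrollment(SAMPLE_URI, code, now))
```

With a confirmation step like `confirm_enrollment`, an algorithm mismatch surfaces at setup time instead of at the next login.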