• csm10495@sh.itjust.works
    1 year ago

    I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.

    Lemmy is using SHA256 which ‘may’ not ‘must’ be supported per RFC.

    The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outlier via using SHA256.

    Edit to add RFC reference:

    As defined in [RFC4226], the HOTP algorithm is based on the
    HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
    increasing counter value representing the message in the HMAC
    computation.

    ...

    TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
    based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
    HMAC-SHA-1 function that has been specified for the HOTP computation
    in [RFC4226].


    In: https://datatracker.ietf.org/doc/html/rfc6238
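
Added example, not part of the comment above and not Lemmy's or any authenticator app's code: a minimal RFC 6238 TOTP in Python with a selectable HMAC hash, showing why a code computed with HMAC-SHA-1 is rejected by a verifier configured for HMAC-SHA-256 on the same secret. The function names, the drift window, and the sample secret and timestamps are assumptions made for illustration; the secrets in the test are the ASCII test keys from RFC 6238 Appendix B.

```python
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP; RFC 6238 allows sha256/sha512 in place of sha1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         algo: str = "sha1", step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


def verify(secret: bytes, submitted: str, unix_time: int, algo: str,
           digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Server-side check; accepts +/- `window` steps of clock drift (assumed policy)."""
    counter = unix_time // step
    ok = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits, algo)
        # constant-time comparison, no early exit on a match
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def sha1_only_client_accepted(secret: bytes, unix_time: int, digits: int = 8) -> bool:
    """A client that only implements SHA-1 logs in to a server enrolled with SHA-256."""
    client_code = totp(secret, unix_time, digits, algo="sha1")
    return verify(secret, client_code, unix_time, algo="sha256", digits=digits)


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed value, not a real key
    now = 1_700_000_000                    # constructed timestamp
    for algo in ("sha1", "sha256", "sha512"):
        print(algo, totp(secret, now, algo=algo))
    print("SHA-1 client accepted by SHA-256 server:",
          sha1_only_client_accepted(secret, now))
```

The failure is silent on the client side: the app still shows a well-formed code, so the mismatch only surfaces as a rejected login at the server.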