I know that the Microsoft Authenticator sucks and simply defaults to TOTP.
My suspicion is that Microsoft also sucks at generating a compliant QR code.
I know that FreeOTP also defaults to TOTP.
So my claim would be that Office365 simply creates a faulty QR code, which the privacyIDEA Authenticator interprets correctly and the other authenticators interpret false-positively.
If you are willing to share the QR code, then we can verify my claim.
You should change the topic to “Office365 generates non-standard QR codes”.
The OTP apps are definitely not all created equal…
Especially if you don’t want TOTP (that requires accurate time).
Below is a QR code for a HOTP token that I just created on PI 3.2.2
It is recognized as TOTP by FreeOTP and generates faulty numbers.
Google Auth and the PI app show the same and pass the test on the PI server.
Unlike TOTP, with HOTP there is more than one “right” number (press next or reload in the app)
Another layer of discrepancy can be noted when using 8-character tokens.
Also, FreeOTP on Android and iOS are not always the same…
Currently we are working on a rewrite of the app based on a framework that allows for easier customization. Interestingly enough, this does produce the same OTP values as FreeOTP.
So it looks like it very much depends on the used hash primitives, how they handle too short keys.
Again, nothing wrong with them, RSA SecurID tokens have done only time-based OTP for years (their own proprietary, not TOTP standard). It just requires synchronized time on the server and mobile.
And that might not be a given if you sandbox everything including the PI server…
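
An added example, not part of the thread and not privacyIDEA's or any app's own code: a check of what a provisioning QR code actually declares, assuming it carries an `otpauth://` URI in the common Key URI format, plus HOTP (RFC 4226) and TOTP computed from the same secret to show why an app that guesses the type produces wrong numbers. The sample URI is constructed from the RFC 4226 test secret; the function names are hypothetical.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: RFC 4226 test secret "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://hotp/example:alice?secret="
              "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&digits=6&issuer=example")

def parse_otpauth(uri):
    """Return the declared token parameters and a list of format problems."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    problems = []
    if u.scheme != "otpauth":
        problems.append("scheme is not otpauth")
    otp_type = u.netloc.lower()          # the type sits in the host position
    if otp_type not in ("hotp", "totp"):
        problems.append(f"unknown or missing type {otp_type!r}")
    if "secret" not in q:
        problems.append("missing secret")
    if otp_type == "hotp" and "counter" not in q:
        problems.append("hotp without counter")
    digits = int(q.get("digits", 6))
    if digits not in (6, 8):
        problems.append(f"unusual digits={digits}")
    return {"type": otp_type, "secret": q.get("secret", ""), "digits": digits,
            "counter": int(q.get("counter", 0)), "problems": problems}

def b32_key(secret):
    """Decode a base32 secret, tolerating missing padding and lower case."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 with SHA1: HOTP where the counter is the time step."""
    return hotp(key, int(unix_time) // period, digits)

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    key = b32_key(p["secret"])
    print(p["type"], p["problems"])
    print("as HOTP:", hotp(key, p["counter"], p["digits"]))
    # An app that ignores the declared type and assumes TOTP:
    print("as TOTP at t=59:", totp(key, 59, p["digits"]))
```
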