SHA hashlib (TOTP in Authy)

GoogleAuth only supports SHA1 tokens for TOTP/HOTP. However, Authy can do SHA256.

When we use SHA256 for TOTP, the resulting token fails in Authy. Curiously, the token info appears to ambiguously mention both (conflicting?) hashlibs. (It doesn’t matter if user-selectable or enforced by totp_hashlib policy.)

What are we missing to make SHA256 tokens that work in Authy?

If hashlib and totp.hashlib exist, the hashlib takes precedence.

Try and scan the QR code with the privacyIDEA Authenticator.
Copy the link of the QR code and use oathtool to calculate the SHA256 OTP value. You will see that it is correct.

Authy is wrong.
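The check suggested above, as an added Python example that is not part of the original thread: it parses an otpauth:// link, computes the TOTP with the algorithm the link names, and also computes what a hypothetical app that ignores that parameter and uses SHA1 would show. The sample URI, its label and the function names are constructed for illustration; the key is the SHA256 test key from RFC 6238.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: RFC 6238 SHA256 test key wrapped in an enrollment link.
RFC_KEY = b"12345678901234567890123456789012"
SAMPLE_URI = ("otpauth://totp/example:alice?secret="
              + base64.b32encode(RFC_KEY).decode().rstrip("=")
              + "&algorithm=SHA256&digits=8&period=30")

def parse_otpauth(uri):
    """Return (key, algorithm, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped base32 padding
    algorithm = q.get("algorithm", "SHA1").lower()
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    return (base64.b32decode(secret), algorithm,
            int(q.get("digits", 6)), int(q.get("period", 30)))

def totp(key, algorithm, digits, period, now):
    """RFC 6238 TOTP for Unix time `now`."""
    counter = struct.pack(">Q", int(now) // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def compare(uri, now):
    """Code per the link's parameters vs. code if the algorithm is ignored."""
    key, algorithm, digits, period = parse_otpauth(uri)
    as_enrolled = totp(key, algorithm, digits, period, now)
    sha1_only = totp(key, "sha1", digits, period, now)  # assumed fallback
    return as_enrolled, sha1_only

if __name__ == "__main__":
    enrolled, fallback = compare(SAMPLE_URI, 59)
    print("server / conforming app:", enrolled)
    print("app that ignores algorithm:", fallback)
```

If the code an app displays matches the second value rather than the first, the app is dropping the `algorithm` parameter instead of rejecting the token.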

Authy is indeed wrong. More info on OATH tool in case anyone is interested…

Thanks a lot for confirming. The question remains what Authy is missing.

There are a lot of authenticators out there that do not support the whole spectrum of possible parameters like

  • HOTP or TOTP
  • 30 secs or 60 sec
  • sha1, sha256, sha512

To my knowledge the privacyIDEA Authenticator is the only one that supports all of the possible parameters.

Some authenticators really are annoying, since they do not complain if they hit a parameter which they do not support, like the Microsoft Authenticator: if it scans a QR code that contains an HOTP token, it simply and silently turns it into a TOTP token…

…but what would you expect :wink:

When I tried Microsoft Authenticator shortly after its release, it was not supporting 8-digit tokens.
Scanning the QR pic would produce a completely different (wrong) token…

FreeOTP was the one that worked for me and was cross platform (Android and iOS).

Take a look at the privacyIDEA authenticator - works with all tokens and settings.

I do now.
That was the time when the privacyIDEA app was Android only…

Long gone. The iOS app is now version 2.0 and also comes with the push token.