TOTP strange behavior with sha256 and Google Authenticator

Good morning,

we’re testing privacyIDEA (community edition) in our environment.

  • Linux Ubuntu 22.04 LTS
  • privacyIDEA 3.9-1jammy (ubuntu package)

As reported in the token creation screen, under the SHA drop-down menu, not all authentication apps support sha256 and sha512…
So we’ve tried many authentication apps, and tested the scanning of the QR code created with sha1 (default) and with sha256.
These apps work fine with SHA-1 and SHA-256:

  • privacyidea authenticator (open source)
  • 2FAS auth (open source)
  • freeotp (open source)

These other apps work with SHA-1 but don't work with SHA-256, and don't generate the correct OTP codes with the sha256 algorithm:

  • Microsoft authenticator
  • Google authenticator

Reading the TOTP string inside the QR code generated by privacyIDEA, the content is like:
otpauth://totp/TOTP00082AC6?secret=P0T4…FCQ&algorithm=sha256&period=30&digits=6&issuer=test%20aaa%20-%20username
If we try to scan the QR code, apps like Microsoft and Google Authenticator generate the same wrong OTP codes (the same OTP generated with sha1).

Why does the otpauth string contain "sha256" written in lowercase?
RFC 6238 (received by Google Authenticator) uses uppercase to identify the algorithm: SHA1, SHA256, SHA512 (the same strings are in the Google Authenticator readme: https://github.com/google/google-authenticator/blob/master/mobile/ios/README).

Actually, if we try to generate (with a QR encoder) a new QR code containing the string with the algorithm written in capital letters (SHA256), like:
otpauth://totp/TOTP00082AC6?secret=P0T4…FCQ&algorithm=SHA256&period=30&digits=6&issuer=test%20aaa%20-%20username
Google Authenticator works.

Is there any uppercase function not working inside privacyIDEA?

Thanks
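To reproduce the symptom described above outside of any app, here is an added example (not code from the post or from privacyIDEA) that builds a key URI with the algorithm name uppercased, computes RFC 6238 TOTP codes for SHA1/SHA256/SHA512, and models a client that only recognises the uppercase names and silently falls back to SHA1 for an unknown value such as "sha256". The label, issuer and `strict` parameter are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Hash functions allowed by the key-URI "algorithm" parameter, keyed by the
# uppercase spelling used in RFC 6238 and the Google Authenticator README.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP with the RFC 6238 choice of HMAC hash and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, for_time: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, for_time // period, algorithm, digits)

def build_uri(label: str, secret: bytes, issuer: str, algorithm: str = "SHA1",
              digits: int = 6, period: int = 30) -> str:
    """otpauth:// key URI with the algorithm name forced to uppercase (example helper)."""
    params = {"secret": base64.b32encode(secret).decode().rstrip("="),
              "algorithm": algorithm.upper(), "period": period,
              "digits": digits, "issuer": issuer}
    return f"otpauth://totp/{quote(label)}?{urlencode(params, quote_via=quote)}"

def code_from_uri(uri: str, for_time: int, strict: bool = True) -> str:
    """Parse a key URI and compute its code for the given time.

    strict=False models a client that only knows the uppercase names and silently
    falls back to SHA1 for anything else, which matches what the post observes:
    a "sha256" URI yields the SHA1 code.  strict=True rejects such a URI instead.
    """
    q = parse_qs(urlparse(uri).query)
    algorithm = q.get("algorithm", ["SHA1"])[0]
    if algorithm not in ALGORITHMS:
        if strict:
            raise ValueError(f"unsupported algorithm {algorithm!r}")
        algorithm = "SHA1"
    b32 = q["secret"][0]
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)
    return totp(secret, for_time, algorithm,
                int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0]))
```

The `totp` function reproduces the RFC 6238 Appendix B test vectors, so a URI whose lowercase algorithm is parsed leniently can be checked against the SHA1 code for the same secret.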

So it looks like privacyIDEA should create a QRCode-String containing an uppercase SHA256, right?
Would you mind opening an issue on GitHub?