Tested Nov 23 2022
app | sha1-6 | sha256-6 | sha512-6 | sha1-8 | sha256-8 | sha512-8 | notes |
---|---|---|---|---|---|---|---|
google (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
google (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
microsoft (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
microsoft (apple) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
authy (android) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
authy (apple) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
authenticator app, 2fa (android) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
authenticator app, 2fa (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
2fas (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Requires unique key data |
2fas (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Requires unique key data |
id.me (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
id.me (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
authenticator app - 2fa (android) | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | Cuts off first two digits for 8 digit codes |
authenticator app - 2fa (apple) | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | Cuts off first two digits for 8 digit codes |
TOTP Authenticator (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | Requires unique key data |
TOTP Authenticator (apple) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | Requires unique key data |
aegis (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
lastpass (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
lastpass (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
authenticator pro (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Requires unique key data |
authenticator (android) | ❌ | ❌ | ❌ | ❌ | ❌ | Time is not synchronized | |
authenticator (apple) | ❌ | ❌ | ❌ | ❌ | ❌ | Time is not synchronized | |
okta (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
okta (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
dashlane authenticator (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
dashlane authenticator (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
andotp (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
oracle authenticator (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
oracle authenticator (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
auth0 guardian (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
auth0 guardian (apple) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
freeotp (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Has stopped scanning QR Codes on my phone |
freeotp (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
salesforce authenticator (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
salesforce authenticator (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
authenticator App (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
authenticator plus (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | guessed, the android version costs 2.99 |
authenticator plus (apple) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ |
Website | algorithm |
---|---|
Github | sha1-6 |
sha1-6 | |
Microsoft | sha1-6 |
GitLab | sha1-6 |
Atlassian | sha1-6 |
SalesForce | sha1-6 |
id.me | sha1-6 |
AWS | sha1-6 |
Okta | sha1-6 |
Auth0 | sha1-6 |
Redhat | sha1-6 |
sha1-6 | |
Zitadel | sha1-6 |
Firefox | sha1-6 |
PayPal | sha1-6 |
Kraken | sha1-6 |
Fedora | sha1-6 |
Per the TOTP RFC HMAC is the algorithm used. FIPS 180-4 defines SHA1 as an approved algorithm, FIPS 198-1 defines HMAC as an approved algorithm, the appendix for both state that NIST SP 800-107 discusses the security of these algorithms and when they can be used.
NIST SP 800-107 section 4.1 lists the algorithms defined in FIPS 180-4 and then discusses their properties in relation to security, specifically this paragraph is of note:
A hash function that is not suitable for one application might be suitable for other cryptographic applications that do not require the same security properties. SHA-1 is not suitable for general-purpose digital signature applications (as specified in FIPS 186-3) that require 112 bits of security. In the case of digital signatures, SHA-1 does not provide the 112 bits of collision resistance (see Table 1 in Section 4.2) needed to achieve the security strength. On the other hand, SHA-1 does provide the 112 bits of preimage resistance that is needed to achieve the 112-bit security strength for HMAC.
Per the RFCs RFC 6238.5 RFC 4226.B2 RFC 2104.6 The best attack on TOTP/HOTP/HMAC is to brute force the secret key which holds true regardless of the hash function used.
In 2020 'SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust' was published. On their website they still note that HMAC-SHA-1 remains unbroken.
We note that classical collisions and chosen-prefix collisions do not threaten all usages of SHA-1. In particular, HMAC-SHA-1 seems relatively safe, and preimage resistance (aka ability to invert the hash function) of SHA-1 remains unbroken as of today. Yet, as cryptographers we recommend to deprecate SHA-1 everywhere, even when there is no direct evidence that this weaknesses can be exploited.
It is shown that SHA 1 can be SHAttered with chosen pre-fix attacks but this does not propagate to HMAC-SHA1
First SHA1 was shattered. https://t.co/CnnYJiLtxP
— Moved to scottarc@infosec.exchange (@CiPHPerCoder) May 10, 2019
Now it's reduced to shambles.
It's time to stop using SHA1. (HMAC-SHA1 is still okay.)
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.htm
https://en.wikipedia.org/wiki/SHA-1
Currently currently there are very few attacks on HMAC HMAC-MD4 has an attack that does not rely on brute-forcing the secret key https://en.wikipedia.org/wiki/HMAC#Security
Dan Kaminsky has created the Little MAC Attack which is against HMAC-MD5 and depends on the attacker already knowing the secret key, but this is irrelevant for OTP[citation needed] and has listed at the beginning of the article:
THIS IS NOT A BREAK OF HMAC. THIS IS NOT A BREAK OF HMAC. THIS IS NOT A BREAK OF HMAC.