Tested Nov 23 2022
| app | sha1-6 | sha256-6 | sha512-6 | sha1-8 | sha256-8 | sha512-8 | notes |
|---|---|---|---|---|---|---|---|
| google (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| google (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| microsoft (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| microsoft (apple) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| authy (android) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
| authy (apple) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
| authenticator app, 2fa (android) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
| authenticator app, 2fa (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| 2fas (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Requires unique key data |
| 2fas (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Requires unique key data |
| id.me (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| id.me (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| authenticator app - 2fa (android) | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | Cuts off first two digits for 8 digit codes |
| authenticator app - 2fa (apple) | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | Cuts off first two digits for 8 digit codes |
| TOTP Authenticator (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | Requires unique key data |
| TOTP Authenticator (apple) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | Requires unique key data |
| aegis (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| lastpass (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| lastpass (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| authenticator pro (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Requires unique key data |
| authenticator (android) | ❌ | ❌ | ❌ | ❌ | ❌ | Time is not synchronized | |
| authenticator (apple) | ❌ | ❌ | ❌ | ❌ | ❌ | Time is not synchronized | |
| okta (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| okta (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| dashlane authenticator (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| dashlane authenticator (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| andotp (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| oracle authenticator (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| oracle authenticator (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| auth0 guardian (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| auth0 guardian (apple) | ✔️ | ❌ | ❌ | ✔️ | ❌ | ❌ | |
| freeotp (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Has stopped scanning QR Codes on my phone |
| freeotp (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| salesforce authenticator (android) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| salesforce authenticator (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| authenticator App (apple) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| authenticator plus (android) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | guessed, the android version costs 2.99 |
| authenticator plus (apple) | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Website | algorithm |
|---|---|
| Github | sha1-6 |
| sha1-6 | |
| Microsoft | sha1-6 |
| GitLab | sha1-6 |
| Atlassian | sha1-6 |
| SalesForce | sha1-6 |
| id.me | sha1-6 |
| AWS | sha1-6 |
| Okta | sha1-6 |
| Auth0 | sha1-6 |
| Redhat | sha1-6 |
| sha1-6 | |
| Zitadel | sha1-6 |
| Firefox | sha1-6 |
| PayPal | sha1-6 |
| Kraken | sha1-6 |
| Fedora | sha1-6 |
Per the TOTP RFC HMAC is the algorithm used. FIPS 180-4 defines SHA1 as an approved algorithm, FIPS 198-1 defines HMAC as an approved algorithm, the appendix for both state that NIST SP 800-107 discusses the security of these algorithms and when they can be used.
NIST SP 800-107 section 4.1 lists the algorithms defined in FIPS 180-4 and then discusses their properties in relation to security, specifically this paragraph is of note:
A hash function that is not suitable for one application might be suitable for other cryptographic applications that do not require the same security properties. SHA-1 is not suitable for general-purpose digital signature applications (as specified in FIPS 186-3) that require 112 bits of security. In the case of digital signatures, SHA-1 does not provide the 112 bits of collision resistance (see Table 1 in Section 4.2) needed to achieve the security strength. On the other hand, SHA-1 does provide the 112 bits of preimage resistance that is needed to achieve the 112-bit security strength for HMAC.
Per the RFCs RFC 6238.5 RFC 4226.B2 RFC 2104.6 The best attack on TOTP/HOTP/HMAC is to brute force the secret key which holds true regardless of the hash function used.
In 2020 'SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust' was published. On their website they still note that HMAC-SHA-1 remains unbroken.
We note that classical collisions and chosen-prefix collisions do not threaten all usages of SHA-1. In particular, HMAC-SHA-1 seems relatively safe, and preimage resistance (aka ability to invert the hash function) of SHA-1 remains unbroken as of today. Yet, as cryptographers we recommend to deprecate SHA-1 everywhere, even when there is no direct evidence that this weaknesses can be exploited.
It is shown that SHA 1 can be SHAttered with chosen pre-fix attacks but this does not propagate to HMAC-SHA1
First SHA1 was shattered. https://t.co/CnnYJiLtxP
— Moved to scottarc@infosec.exchange (@CiPHPerCoder) May 10, 2019
Now it's reduced to shambles.
It's time to stop using SHA1. (HMAC-SHA1 is still okay.)
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.htm
https://en.wikipedia.org/wiki/SHA-1
Currently currently there are very few attacks on HMAC HMAC-MD4 has an attack that does not rely on brute-forcing the secret key https://en.wikipedia.org/wiki/HMAC#Security
Dan Kaminsky has created the Little MAC Attack which is against HMAC-MD5 and depends on the attacker already knowing the secret key, but this is irrelevant for OTP[citation needed] and has listed at the beginning of the article:
THIS IS NOT A BREAK OF HMAC. THIS IS NOT A BREAK OF HMAC. THIS IS NOT A BREAK OF HMAC.