I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.
Lemmy is using SHA256 which ‘may’ not ‘must’ be supported per RFC.
The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outliar via using SHA256.
Edit to add RFC reference:
As defined in [RFC4226], the HOTP algorithm is based on the
HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
increasing counter value representing the message in the HMAC
computation.
...
TOTP implementations MAY use HMAC-SHA-256or HMAC-SHA-512 functions,
based on SHA-256or SHA-512 [SHA2] hash functions, instead of the
HMAC-SHA-1function that has been specified for the HOTP computation
in [RFC4226].
Lemmy supports true standard totp. Those apps listed are the obscure ones, they do their own wacky shit with the standards
The implementation doesn’t verify that you can generate valid tokens before updating your account and doesn’t give you any backup recovery tokens.
I agree with that
I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.
Lemmy is using SHA256 which ‘may’ not ‘must’ be supported per RFC.
The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outliar via using SHA256.
Edit to add RFC reference:
As defined in [RFC4226], the HOTP algorithm is based on the HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an increasing counter value representing the message in the HMAC computation. ... TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226].In: https://datatracker.ietf.org/doc/html/rfc6238
Lmao, Authy and Google Authenticator are probably among the most popular 2FA apps around
“Embrace, Extend, Extinguish”
Fuck Google