If you are an Admin of a Lemmy instance, please use it to help secure your account!

  • Adam
    -2
    2 years ago

    Lemmy supports true standard TOTP. Those apps listed are the obscure ones; they do their own wacky shit with the standards.

    • @[email protected]
      8
      2 years ago

      I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.

      Lemmy is using SHA256 which ‘may’ not ‘must’ be supported per RFC.

      The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outlier by using SHA256.

      Edit to add RFC reference:

      As defined in [RFC4226], the HOTP algorithm is based on the
      HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
      increasing counter value representing the message in the HMAC
      computation.

      ...

      TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
      based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
      HMAC-SHA-1 function that has been specified for the HOTP computation
      in [RFC4226].

      In: https://datatracker.ietf.org/doc/html/rfc6238

    • Baron Von J
      7
      2 years ago

      The implementation doesn’t verify that you can generate valid tokens before updating your account and doesn’t give you any backup recovery tokens.
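The two comments above (SHA-256 versus SHA-1 under RFC 6238, and enabling 2FA without first checking a code) can be seen together in the following added example, which is not part of the thread and not Lemmy's code. It assumes the secret is delivered as an `otpauth://` URI with `algorithm` and `digits` parameters; the function names and the sample account are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(secret, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code: RFC 4226 HOTP computed over the time-step counter."""
    counter = struct.pack(">Q", max(0, unix_time) // period)
    mac = hmac.new(secret, counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri):
    """Return (secret, algorithm, digits); SHA1 and 6 digits when not stated."""
    query = parse_qs(urlparse(uri).query)
    b32 = query["secret"][0]
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore padding
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    return secret, algorithm, int(query.get("digits", ["6"])[0])

def confirm_enrollment(uri, submitted, now, window=1, period=30):
    """Server side: enable 2FA only after the user's app proves it can
    produce a code the server will accept (one time step of clock drift)."""
    secret, algorithm, digits = parse_otpauth(uri)
    return any(
        hmac.compare_digest(
            totp(secret, now + step * period, algorithm, digits, period), submitted)
        for step in range(-window, window + 1))

def sha1_only_app(uri, now):
    """Model of an authenticator that ignores the algorithm parameter."""
    secret, _, digits = parse_otpauth(uri)
    return totp(secret, now, "SHA1", digits)

# Constructed sample: the SHA-256 test seed from RFC 6238 Appendix B.
SECRET = b"12345678901234567890123456789012"
URI = ("otpauth://totp/example:alice?secret="
       + base64.b32encode(SECRET).decode().rstrip("=")
       + "&algorithm=SHA256&digits=8")

if __name__ == "__main__":
    print("SHA256-aware app accepted:", confirm_enrollment(URI, totp(SECRET, 59, "SHA256", 8), 59))
    print("SHA1-only app accepted:  ", confirm_enrollment(URI, sha1_only_app(URI, 59), 59))
```

With a confirmation step like `confirm_enrollment`, an app that silently falls back to SHA-1 fails at setup time, while the account is still recoverable, instead of at the next login.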

    • UnfortunateShort
      2
      2 years ago

      Lmao, Authy and Google Authenticator are probably among the most popular 2FA apps around

      • Adam
        3
        2 years ago

        “Embrace, Extend, Extinguish”

        Fuck Google