You should configure the otpauth URL to include "&algorithm=SHA256", so that the TOTP authenticators can switch to the non-default algorithm.
In my experience, the IBM Verify app and id.me do consider the algorithm in the otpauth URL, so they are able to calculate correct TOTPs, but MS & Google authenticator simply ignore the algorithm and always calculate based on SHA1, which of course creates wrong TOTPs. So I'm wondering how the Google authenticator worked for you; I just did a test with the current Android-based Google authenticator, and it failed.
------------------------------
Frank Thurau
------------------------------
Original Message:
Sent: Tue July 19, 2022 03:55 PM
From: Garren Linker
Subject: Authenticator application issues using sha-256 or sha-512
I'm working with a customer who is having issues in their tenant with different authenticator applications. They've tried Microsoft, Google and ID.me, and none work when specifying the sha-256 or sha-512 hash algorithm. I did see this issue with the Microsoft authenticator. I kept getting an invalid code with both sha-256 and sha-512, but it worked fine with sha-1. Google and id.me worked with both sha-256 and sha-512. Has anyone else seen this issue?
------------------------------
Garren Linker
------------------------------
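A worked illustration of the point made in this thread, added here as an example and not code from either poster or from IBM Verify: it parses an otpauth URL (sample label and secret are constructed test values), computes the RFC 6238 code with whatever `algorithm` the URL names (defaulting to SHA1 when the parameter is absent, as the Key URI format specifies), and models a client that ignores the parameter and always uses SHA1, which is why such a client's codes are rejected by a SHA-256 tenant.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample provisioning URI; the secret is a throwaway test value, not a real credential.
SAMPLE_URI = ("otpauth://totp/Example%20Tenant:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Tenant"
              "&algorithm=SHA256&digits=6&period=30")

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Extract TOTP parameters from an otpauth:// URI, applying the Key URI format defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),  # SHA1 is the default when omitted
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(key, algorithm="SHA1", digits=6, period=30, at=None):
    """RFC 6238 TOTP over raw key bytes: HMAC of the time-step counter, then dynamic truncation."""
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_for_uri(uri, honour_algorithm=True, at=None):
    """Code a client would display; honour_algorithm=False models a client that always uses SHA1."""
    p = parse_otpauth(uri)
    secret = p["secret"].upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    alg = p["algorithm"] if honour_algorithm else "SHA1"
    return totp(key, alg, p["digits"], p["period"], at)


if __name__ == "__main__":
    now = 1658260500  # fixed timestamp so the demo is reproducible
    print("server / algorithm-aware client (SHA256):", code_for_uri(SAMPLE_URI, True, now))
    print("client that ignores the parameter (SHA1): ", code_for_uri(SAMPLE_URI, False, now))
```

The RFC 6238 Appendix B vectors can be used to confirm each hash path independently before comparing a given authenticator's output against the tenant's expected code.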