dotp
Vulnerabilities
Though the standard allows for the use of SHA-1, it shouldn't be used to generate an OTP due to the discovered collision. Google Authenticator uses SHA-256, which is secure.
Also, the function for verification isn't constant time, so an attacker could perform a timing attack.
I would be happy to assist in closing those vulnerabilities.
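A sketch of the two changes the report asks for, added here as an example and not taken from dotp's code: TOTP (RFC 6238) computed with HMAC-SHA-256, and a verifier that compares codes in constant time. It is written in Python; the function names are hypothetical, `verify_naive` is an illustrative pattern rather than the package's actual check, and the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key for HMAC-SHA-256 (public test data, not a real secret).
RFC_SECRET_SHA256 = b"12345678901234567890123456789012"

def hotp(secret, counter, digits=6, algo=hashlib.sha256):
    """RFC 4226 HOTP: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha256):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)

def verify_naive(secret, submitted, unix_time, **kw):
    # String '==' may stop at the first differing character, so the
    # response time can depend on how much of the code was correct.
    return submitted == totp(secret, unix_time, **kw)

def verify_constant_time(secret, submitted, unix_time, window=1,
                         step=30, digits=6, algo=hashlib.sha256):
    """Check the code against every step in the drift window.

    hmac.compare_digest does not short-circuit on the first mismatch,
    and the loop never exits early, so the work done does not depend
    on which window slot (if any) matched.
    """
    counter = unix_time // step
    candidate = submitted.encode()
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue  # no time step before the epoch
        expected = hotp(secret, counter + drift, digits, algo).encode()
        ok |= hmac.compare_digest(expected, candidate)
    return ok

if __name__ == "__main__":
    code = totp(RFC_SECRET_SHA256, 59, digits=8)
    print(code, verify_constant_time(RFC_SECRET_SHA256, code, 59, digits=8))
```

Constant-time comparison removes the timing signal only; rate limiting and rejecting already-used codes are separate controls.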