Add warning about apps that don't support alternative hashing algorithms
Add some warnings in the README about using SHA256 and SHA512, with a list of known apps that do and don't support them.
I just wanted to give you a heads up that after testing, Google Authenticator on Android doesn't support SHA256 or SHA512. I also believe that Duo Security on iOS doesn't support SHA256 or SHA512, but I am not 100% sure on that.
It seems Authy and 2FAS Authenticator also don't support SHA256 and SHA512
Copied across from - https://github.com/samdjstevens/java-totp/issues/27#issuecomment-591537004
Apps that work with SHA-256 and SHA-512
Android
- Oracle Mobile Authenticator
- Auth0 Guardian
- Sophos Authenticator
- FreeOTP Authenticator
iOS
- Oracle Mobile Authenticator
- IBM Verify
- Sophos Authenticator
- FreeOTP Authenticator
And apps that appear to not support SHA-256
- Google Authenticator
- Microsoft Authenticator
- LastPass Authenticator
- Duo Mobile
- Authy
- 2FAS Auth
I'd like to add that Aegis on Android also works with SHA256 and SHA512.
Hey, I tried to use this library but had no success.
I ended up using Keycloak implementations, adapting it a little bit.
Just in case this helps somebody, the URL that made it work with Google Authenticator and Microsoft Authenticator is something like this (used for creating the QR code):
otpauth://<type>/<issuer>:<username>?secret=<secret>&digits=6&algorithm=SHA1&issuer=<issuer>&period=30
Where type is "totp" or "hotp" (in my case "totp" because it's based on time).
Issuer and username will be displayed in the app, and secret is just your secret in plain text.
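As an added example (not part of the original thread and not java-totp's own code), this Python sketch builds a URI in the shape shown above and shows why a server verifying with SHA-256 rejects the code from an app that computes with SHA-1. It assumes such an app falls back to SHA-1 regardless of the `algorithm` parameter and that the `secret` parameter is Base32-encoded as the Key URI format specifies; the secret is the RFC 6238 test key, and the issuer and account names are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Constructed sample: the RFC 6238 SHA-1 test key, not a value from the thread.
SECRET = b"12345678901234567890"
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp(secret, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otpauth_uri(issuer, account, secret, algorithm="SHA1", digits=6, period=30):
    """Build the provisioning URI that gets rendered as a QR code."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    params = urlencode({
        # Assumption: Base32 without padding, per the Key URI format.
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "digits": digits,
        "algorithm": algorithm,
        "issuer": issuer,
        "period": period,
    }, quote_via=quote)
    return f"otpauth://totp/{label}?{params}"


def server_accepts(server_algorithm, app_algorithm, unix_time, secret=SECRET):
    """True if the code the app displays passes the server's check."""
    shown_by_app = totp(secret, unix_time, app_algorithm)
    expected = totp(secret, unix_time, server_algorithm)
    return hmac.compare_digest(shown_by_app, expected)


if __name__ == "__main__":
    print(otpauth_uri("Example Co", "alice@example.com", SECRET, "SHA256"))
    # Assumption: the app ignores algorithm=SHA256 and computes with SHA-1.
    print("SHA1 server, SHA1 app:  ", server_accepts("SHA1", "SHA1", 59))
    print("SHA256 server, SHA1 app:", server_accepts("SHA256", "SHA1", 59))
```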