by daghamm 466 days ago
This is very useful to anyone writing TOTP tools, big thanks to the author.

However, reading the article this section caught my eye:

"As we now know, SHA-1 has some fundamental weaknesses. ... But the TOTP authors disagree and allow for some different algorithms to be used."

With significant compute resources SHA1 can be broken for some use cases, but I don't think this is one of them. Is HN aware of any practical attacks against TOTP-SHA1?


HMAC-SHA1 is not broken as a pseudorandom function. SHA1 is only broken for collision-resistance for the moment. That doesn't mean it's great, or that you shouldn't upgrade.
Given that nobody uses TOTP with SHA256 today I assume there is no real reason to upgrade.

But has anyone actually researched this? For all we know, using HMAC-SHA256 in TOTP may actually make it less secure.

Do you think that the technique of using the last 4 bits to choose a further pseudorandom 31 bits from the rest of the hash MIGHT mitigate SOME future weakness as a PRNG? Or do you have confidence it is completely useless? Or neither, of course.
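As an added example (not code from the thread or the linked article), here is the HOTP/TOTP computation from RFC 4226 and RFC 6238 with the dynamic truncation described above (low 4 bits of the HMAC select an offset, 31 bits are read from there), parameterised over the HMAC hash so the same code yields the SHA-1 and SHA-256 values from the RFC 6238 test vectors; the verifier with a drift window and constant-time comparison is the shape a server-side check normally takes.

```python
import hmac
import struct


def dynamic_truncate(mac: bytes) -> int:
    """RFC 4226 section 5.3: the low 4 bits of the final HMAC byte pick an
    offset in [0, 15]; the 4 bytes starting there, with the top bit masked
    off, form a 31-bit integer. Offset 15 needs bytes 15..18, so this works
    for any digest of at least 20 bytes (SHA-1, SHA-256, SHA-512)."""
    offset = mac[-1] & 0x0F
    chunk = mac[offset:offset + 4]
    return struct.unpack(">I", chunk)[0] & 0x7FFFFFFF


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP value: HMAC over the 8-byte big-endian counter, truncated, then
    reduced mod 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    return str(dynamic_truncate(mac) % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = 30,
         algorithm: str = "sha1") -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                digits: int = 6, step: int = 30, algorithm: str = "sha1") -> bool:
    """Accept a code for the current step or +/- `window` adjacent steps
    (clock drift), comparing in constant time to avoid timing leaks."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 Appendix B test secrets: the ASCII digits repeated to the
    # hash's block-friendly length (20 bytes for SHA-1, 32 for SHA-256).
    sha1_secret = b"12345678901234567890"
    sha256_secret = b"12345678901234567890123456789012"
    print(totp(sha1_secret, 59, digits=8))                        # 94287082
    print(totp(sha256_secret, 59, digits=8, algorithm="sha256"))  # 46119246
```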
I think it's weird. Either you trust your output to be pseudorandom or you don't. These weird hacks may be fine, but they feel like adding "safety" duct tape onto the wings of a passenger jet.
Not sure if you are aware of speed tape https://en.m.wikipedia.org/wiki/Speed_tape

Passenger jets can fly with duct tape on their wings

I meant it more as a "this should hold the wings on just in case they're not well fastened" kind of analogy.