I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.
Lemmy is using SHA256 which ‘may’ not ‘must’ be supported per RFC.
The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outlier via using SHA256.
Edit to add RFC reference:
As defined in [RFC4226], the HOTP algorithm is based on the
HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
increasing counter value representing the message in the HMAC
computation.
...
TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
HMAC-SHA-1 function that has been specified for the HOTP computation
in [RFC4226].
In: https://datatracker.ietf.org/doc/html/rfc6238
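Added example, not part of the original comment and not Lemmy's or any authenticator app's code: a minimal RFC 6238 implementation showing why a server that provisions with `algorithm=SHA256` (as the comment says Lemmy does) rejects codes from an app that computes with HMAC-SHA-1 regardless. The provisioning URI, account name and issuer are constructed; the `algorithm`, `digits` and `period` parameters follow the common `otpauth://` key URI format, and the SHA1-only app behaviour is an assumption made for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, HASHES[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri: str) -> dict:
    """Read the shared secret and parameters from an otpauth:// URI."""
    q = parse_qs(urlparse(uri).query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)                 # restore stripped padding
    return {"secret": base64.b32decode(b32),
            "algorithm": q.get("algorithm", ["SHA1"])[0],  # SHA1 when absent
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0])}

# Constructed provisioning URI (hypothetical account and issuer).
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
URI = ("otpauth://totp/Example:alice?secret=" + SECRET_B32 +
       "&issuer=Example&algorithm=SHA256&digits=6&period=30")

def server_code(uri: str, t: int) -> str:
    """Code the server expects: honours every parameter in the URI."""
    p = parse_otpauth(uri)
    return totp(p["secret"], t, p["algorithm"], p["digits"], p["period"])

def sha1_only_app_code(uri: str, t: int) -> str:
    """Hypothetical app that ignores algorithm= and always uses HMAC-SHA-1."""
    p = parse_otpauth(uri)
    return totp(p["secret"], t, "SHA1", p["digits"], p["period"])

def codes_match(uri: str, t: int) -> bool:
    """True only if the app's code would be accepted by the server."""
    return hmac.compare_digest(server_code(uri, t), sha1_only_app_code(uri, t))

if __name__ == "__main__":
    t = 59
    print("server  :", server_code(URI, t))
    print("app     :", sha1_only_app_code(URI, t))
    print("accepted:", codes_match(URI, t))
```

Same secret and same time step, but the HMAC output differs per hash function, so the truncated codes differ and enrollment fails without any visible error on the app side.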