Implementing TOTP two-factor authentication in 2025
a year ago
- #Authentication
- #TOTP
- #Security
- TOTP (Time-based One-Time Passwords) is currently the most popular second-factor authentication method once SMS is set aside, SMS being discouraged because of SIM-swapping attacks.
- A 2019 analysis found that many authenticator apps accepted parameters they did not actually support and then generated incorrect codes, which forced services to stick to the default security parameters for interoperability.
- Testing in 2025 shows mixed support for the SHA1 and SHA256 algorithms across authenticators; some still default to SHA1 even when SHA256 is specified.
- Google Authenticator on iOS rejects SHA1 with 52-character keys but accepts SHA256 with 32-character keys, which illustrates how inconsistent the handling is.
- Recommendations for site owners remain unchanged from 2019: use SHA1, 32-character keys, 30-second periods, and 6-digit codes for broad compatibility.
- Additional security practices: never store TOTP secrets in plaintext, provide a recovery mechanism such as scratch codes, and track codes that have already been used so they cannot be replayed.
- Optional URI parameters such as 'image' and 'color' can improve the user experience without causing problems, since most clients simply ignore them.
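The recommended parameters (SHA1, 32-character base32 key, 30-second period, 6 digits) together with server-side replay tracking, as an added example that is not from the original article. The secret is the public RFC 6238 test-vector secret; `TotpVerifier` and `otpauth_uri` are names chosen here for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 6238 test-vector secret ("12345678901234567890" as base32), 32 characters.
# Used only so the expected codes are known; a real deployment generates a random secret.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, counter: int, algo: str = "sha1", digits: int = 6) -> str:
    """RFC 6238 code for one time step (counter = unix_time // period)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check that remembers the last accepted step to reject replays."""

    def __init__(self, secret_b32: str, period: int = 30, skew: int = 1):
        self.secret, self.period, self.skew = secret_b32, period, skew
        self.last_counter = None  # highest time step already consumed for this user

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.period)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if self.last_counter is not None and c <= self.last_counter:
                continue  # this step (or an older one) was already used: replay
            if hmac.compare_digest(totp(self.secret, c), code):  # constant-time compare
                self.last_counter = c
                return True
        return False


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Enrollment URI using only the broadly supported defaults from the recommendations."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")
```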