Richard Bucker

OTP Troubleshooting

Posted at — Sep 2, 2021

There must be over 100 OTP authenticator applications on the Google Play Store. Unfortunately only 4 or 5 have the trusted checkmark, and so that leaves me to wonder what the others are doing. From my personal experience today I have come to the conclusion that [a] if Google does not trust them, I'm not; [b] there must be some problem with the functionality of those that are trusted, but for some odd reason it has not been fixed; [c] since TOTP and HOTP are well documented and, with the exception of bugs, do not have compatibility issues… then why? [d] there are people trying to steal your credentials, just like some/many of the commercial VPN providers.

My reading has led me to the fact that Microsoft Authenticator and Google Authenticator support the default SHA-1 algorithm (the algorithm is embedded in the QR code). However, when any other algorithm is presented they fall back to SHA-1.
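To make the fallback concrete, here is an added Python example (not the author's code and not from any of the apps mentioned): it parses the otpauth URI that the QR code carries, computes the TOTP code with the declared algorithm, and shows what an app that ignores the `algorithm` parameter and silently uses SHA-1 would display instead. The enrolment URI is constructed from the RFC 6238 SHA-256 test secret; `parse_otpauth` and `client_code` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226: HMAC(secret, counter) dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, for_time: int, algorithm: str = "SHA1", digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time and the time step `period`."""
    return hotp(secret, for_time // period, algorithm, digits)

def parse_otpauth(uri: str) -> dict:
    """Extract the parameters an authenticator reads from an otpauth://totp/ QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = q["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR codes usually omit base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "algorithm": q.get("algorithm", "SHA1").upper(),  # SHA1 is the default when absent
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def client_code(uri: str, for_time: int, honours_algorithm: bool) -> str:
    """Code an authenticator shows for `uri`. With honours_algorithm=False the app
    ignores the declared algorithm and uses SHA-1, the fallback described above."""
    p = parse_otpauth(uri)
    algorithm = p["algorithm"] if honours_algorithm else "SHA1"
    return totp(p["secret"], for_time, algorithm, p["digits"], p["period"])

# Constructed enrolment URI using the RFC 6238 SHA-256 test secret (not a real account).
SHA256_SECRET = b"12345678901234567890123456789012"
DEMO_URI = ("otpauth://totp/Example:alice?secret=%s&issuer=Example&algorithm=SHA256&digits=8"
            % base64.b32encode(SHA256_SECRET).decode().rstrip("="))

if __name__ == "__main__":
    # At T=59 a server honouring SHA-256 expects 46119246 (RFC 6238 test vector).
    print("server expects :", client_code(DEMO_URI, 59, honours_algorithm=True))
    print("SHA-1 fallback :", client_code(DEMO_URI, 59, honours_algorithm=False))
```

The two printed codes differ, which is exactly the login failure a user sees when the app and the server disagree on the hash; checking the `algorithm` field of the enrolment URI is the first thing to verify when troubleshooting.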

According to the RFC(s) and some talking heads SHA-1 is sufficient.

I tried Twilio Authy; however, I needed to provide a phone number. And there was a WhatsApp/text message account verification step… and they REALLY wanted me to back up my token. Unfortunately the GUI was clunky in other ways and seemed to be SHA-1 all over again.

Next I tried the Yubico Authenticator. It recognized the token right away, but I could not test it because they depend on having a YubiKey to store the tokens. And I have no idea if the algorithm will work as above, and I do not feel like experimenting at the cost of $70.

Lastly, I happen to know that FreeOTP will work. I've been using it for a while now, and while it does the job it's just not very good. First of all, there is no way to export keys or back up/restore in order to change phones. Since I do that about every 18 months, I do not want to keep asking my company's system admin for a new token for the new phone. But unless MS or Google fix their tools… this is where I'm stuck.