Support TOTP auth parameters

The standard for TOTP is SHA-1, but a handful of websites use SHA-256 for whatever reason. Add support for SHA-256.

GitHub Issue: 2FA - TOTP not correct on Kraken.com · Issue #454 · bitwarden/clients · GitHub

We can control this through the use of the otpauth:// uri scheme which allows setting algorithm, digit length, period, etc. See Key Uri Format · google/google-authenticator Wiki · GitHub

1 Like

“for whatever reason” is probably at least because a practical SHA-1 collision has been achieved and SHA-1 is now being deprecated in many of its previous uses (i.e. SSL certificates).

Per RFC 6238:
TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226].

SHA-1 Article

to be fair sha256 and 512 are almost nowhere used and won't be for a while

sha1 is still safe for totp. 30 sec time windows for a sha1 collision are practically impossible.

very different to ssl implementations where sha1 became an open door

2 Likes

I was sad to discover that I cannot use the TOTP functionality due to the lack of these parameters (specifically the amount of digits).

Is it likely that this will be implemented at some point?

Yes, this is planned. No ETA though.

This will be available in the next versions of the apps. Supports parameters digits (1-10), algorithm (sha1, sha256, and sha512), period (> 0) and secret (base32 key). Learn more about using otpauth:// urls here: https://github.com/google/google-authenticator/wiki/Key-Uri-Format

Example:

otpauth://totp/Test:me?secret=JBSWY3DPEHPK3PXP&algorithm=sha256&digits=8&period=60

If you only provide the secret key, we default to the standard parameters of sha1, 6 digits, 30 sec period.

JBSWY3DPEHPK3PXP

2 Likes
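A worked example, added here and not code from Bitwarden or from anyone in this thread: a small Python parser for the otpauth://totp/ URI format discussed above, applying the same defaults (sha1, 6 digits, 30 sec period) and the same accepted ranges (digits 1-10, period > 0, base32 secret, algorithm sha1/sha256/sha512), together with the HOTP/TOTP computation from RFC 4226 / RFC 6238 so the parsed parameters actually feed a code generator. Function names (parse_otpauth, otpauth_uri, hotp, totp, totp_from_uri) are my own; the only input taken from the thread is the example URI and its JBSWY3DPEHPK3PXP secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# Defaults when the URI carries only a secret: HMAC-SHA-1, 6 digits, 30 s step.
DEFAULTS = {"algorithm": "sha1", "digits": 6, "period": 30}
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def decode_base32(secret):
    """Decode a base32 secret, tolerating lower case, spaces and missing padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # base32 groups are 8 chars; restore stripped '='
    return base64.b32decode(s)


def parse_otpauth(uri):
    """Parse otpauth://totp/<label>?secret=...&algorithm=...&digits=...&period=...
    Returns (label, secret_bytes, params) with the defaults above filled in."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(parsed.path.lstrip("/"))
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in query:
        raise ValueError("secret parameter is required")
    secret = decode_base32(query["secret"])
    algorithm = query.get("algorithm", DEFAULTS["algorithm"]).lower()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digits = int(query.get("digits", DEFAULTS["digits"]))
    if not 1 <= digits <= 10:
        raise ValueError("digits must be between 1 and 10")
    period = int(query.get("period", DEFAULTS["period"]))
    if period <= 0:
        raise ValueError("period must be > 0")
    return label, secret, {"algorithm": algorithm, "digits": digits, "period": period}


def otpauth_uri(label, secret_bytes, algorithm="sha1", digits=6, period=30):
    """Build a URI from a raw secret (base32, unpadded, as authenticator apps expect)."""
    secret = base64.b32encode(secret_bytes).decode().rstrip("=")
    return (f"otpauth://totp/{quote(label)}?secret={secret}"
            f"&algorithm={algorithm}&digits={digits}&period={period}")


def hotp(secret, counter, algorithm="sha1", digits=6):
    """RFC 4226 HOTP with the hash swapped per RFC 6238 (dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, algorithm="sha1", digits=6, period=30):
    """RFC 6238 TOTP: the counter is the number of whole periods since the epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // period, algorithm, digits)


def totp_from_uri(uri, timestamp=None):
    _, secret, params = parse_otpauth(uri)
    return totp(secret, timestamp, **params)


if __name__ == "__main__":
    # The example URI from the thread above.
    uri = "otpauth://totp/Test:me?secret=JBSWY3DPEHPK3PXP&algorithm=sha256&digits=8&period=60"
    print(parse_otpauth(uri)[0], parse_otpauth(uri)[2], totp_from_uri(uri))
```

The RFC 6238 Appendix B vectors (secret "12345678901234567890" for SHA-1, the 32- and 64-byte extensions for SHA-256 and SHA-512, 8 digits, 30 s) are the right way to check a generator that claims to support the other hashes: a wrong truncation offset or a secret that was silently zero-padded to the hash block size will pass the SHA-1 vectors and fail the SHA-512 ones.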