Change OTP tokens from SHA-1 to SHA-256

Hi Vhince Chua,

Thank you for reaching out to Sophos Community.

Changing the Hash algorithm to SHA256 or SHA512 would not affect existing OTP users as their tokens were generated using the SHA1 algorithm. New OTP tokens will be generated with new configured Hash algorithm. Here is a snapshot for reference.

Hi Vhince

One important Information for you:

If the users use the Sophos Authenticator, there will be no problem with the new SHA256 Tokens.

But be careful with other authenticators.

Even very popular authenticators like the Microsoft Authenticator, which many users use for Azure/ Intune/ Office 365 MFA, are NOT capable to manage SHA256 Tokens!

See:

https://social.technet.microsoft.com/Forums/en-US/862fa575-468a-452c-b3cb-821bb054394e/does-the-microsoft-authenticator-app-support-the-digits-algorithm-and-period-fields?forum=MicrosoftAuthenticatorApp

https://github.com/neos-sdi/adfsmfa/issues/7

Greets from Hamburg, Germany

EDIT: This is the most interesting link - but it didn't work.

https://labanskoller.se/blog/2019/07/11/many-common-mobile-authenticator-apps-accept-qr-codes-for-modes-they-dont-support/

Hello 

Thanks for the screenshot you provided. Does it work with Microsoft Authenticator as Janbo Noerskau mentioned in this thread?

Regards

Thank you for the information. Make sense whether to decide to use the higher hash algorithm. Microsoft Authenticator is common in our place as a single all-around authenticator app.

Regards

Hi. I edited my post, because the link of labanskoller blog didn't work.

The functions of the different APPs are shown very well -> have a look!

The problem can only be seen at second glance when the offered OTPs do not work.
Most APPs import the key, but do not notice that they are not allowed to calculate SHA1 with them.
Result: No error message from the APP when scanning the barcode - but the OTP is incorrect.

Cheers, Janbo