Change OTP tokens from SHA-1 to SHA-256

Question

Hi Everyone, 
 I want to know if there will be effect on existing users or connection using SHA1 generated tokens if it is change to a more secured Hash algorithm (SHA256 and SHA512)? 
 Setup s in production and it is applied to OTP facilities for User Portal, IPsec Remote Access, SSL VPN Remote Access and Hotspot 
 
 Regards

FormerMember · Accepted Answer

Hi Vhince Chua , 
 Thank you for reaching out to Sophos Community. 
 Changing the Hash algorithm to SHA256 or SHA512 would not affect existing OTP users as their tokens were generated using the SHA1 algorithm. New OTP tokens will be generated with new configured Hash algorithm. Here is a snapshot for reference.

Janbo Noerskau · Answer

Hi Vhince 
 One important Information for you: 
 If the users use the Sophos Authenticator, there will be no problem with the new SHA256 Tokens. 
 But be careful with other authenticators. 
 Even very popular authenticators like the Microsoft Authenticator, which many users use for Azure/ Intune/ Office 365 MFA, are NOT capable to manage SHA256 Tokens! 
 See: 
 https://social.technet.microsoft.com/Forums/en-US/862fa575-468a-452c-b3cb-821bb054394e/does-the-microsoft-authenticator-app-support-the-digits-algorithm-and-period-fields?forum=MicrosoftAuthenticatorApp 
 https://github.com/neos-sdi/adfsmfa/issues/7 
 Greets from Hamburg, Germany 
 EDIT: This is the most interesting link - but it didn't work. 
 https://labanskoller.se/blog/2019/07/11/many-common-mobile-authenticator-apps-accept-qr-codes-for-modes-they-dont-support/

Change OTP tokens from SHA-1 to SHA-256

Top Replies