TOTP Hash Algorithms: SHA-1 vs SHA-256
Compare SHA-1, SHA-256, and SHA-512 hash algorithms for TOTP. Understand security implications, compatibility with authenticator apps, and when to use each algorithm.
Detailed Explanation
Hash Algorithm Selection for TOTP
RFC 6238 specifies three HMAC algorithms for TOTP: HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512. While SHA-1 is the default and most widely supported, stronger algorithms offer additional security margins.
Algorithm Overview
| Algorithm | Hash Output | HMAC Key Size | Recommended Secret |
|---|---|---|---|
| SHA-1 | 160 bits | 20 bytes | 20 bytes |
| SHA-256 | 256 bits | 32 bytes | 32 bytes |
| SHA-512 | 512 bits | 64 bytes | 64 bytes |
The secret key should match the hash function's block size for optimal HMAC security. Using a shorter secret is allowed but provides less cryptographic strength.
Is SHA-1 Still Safe for TOTP?
SHA-1's collision resistance has been broken (the SHAttered attack in 2017), but this does not affect its use in HMAC. The security of HMAC-SHA1 depends on the pseudorandom function (PRF) properties of SHA-1, which remain intact:
- HMAC-SHA1 is not vulnerable to collision attacks
- The attack surface for TOTP is brute-forcing the output (6 digits = 10^6 possibilities), not the hash
- NIST and RFC 6238 still consider HMAC-SHA1 acceptable for OTP applications
That said, using SHA-256 or SHA-512 provides a defense-in-depth advantage and future-proofs the implementation.
Compatibility Matrix
Not all authenticator apps support all algorithms:
- Google Authenticator: SHA-1 only (ignores algorithm parameter in some versions)
- Authy: SHA-1, SHA-256, SHA-512
- FreeOTP: SHA-1, SHA-256, SHA-512
- Microsoft Authenticator: SHA-1 (SHA-256 support varies by platform)
- 1Password: SHA-1, SHA-256, SHA-512
Specifying the Algorithm
The algorithm is set in the otpauth:// URI:
otpauth://totp/Example:user@example.com?secret=BASE32SECRET&algorithm=SHA256
Valid values: SHA1 (default), SHA256, SHA512.
Recommendation
- Default to SHA-1 for maximum compatibility with all authenticator apps
- Use SHA-256 if your user base uses modern apps (Authy, FreeOTP, 1Password)
- Use SHA-512 only for internal/enterprise systems where you control the authenticator
- Always test with your target authenticator apps before deploying
Use Case
Security engineers evaluating TOTP configurations for their organization need to understand the practical differences between hash algorithms. This is relevant during security audits where SHA-1 usage may be flagged, when designing an enterprise 2FA system that uses a controlled authenticator app, or when interpreting penetration test findings that recommend upgrading from SHA-1. The key insight is that HMAC-SHA1 remains secure for TOTP despite SHA-1 collision vulnerabilities.