TOTP support for SHA256/512


The current TOTP implementation in LastPass only generates SHA-1 keys. Can this be extended to support more algorithms, like SHA256 and SHA512? Websites and other services are moving away from SHA1 keys.

5 Comments
JohnAUK
LastPass Contributor

Hi bas_! If I understand the above correctly then this is already enabled in the LastPass Authenticator App. For example, on Android you can go to Add account > Add manually > Change standard settings > I understand > SHA1 / SHA256 / SHA512.

 

Let me know if I've misunderstood though?

bas_
Active Contributor

Hi @JohnAUK! We're using the TOTP function in the web vault/browser plugin, but we cannot change the session there. I assume the LastPass Authenticator App does not use the same vault data/config?

JohnAUK
LastPass Contributor

Hi @bas_ ! If you select the 'edit' button for an account in your vault/browser and then enter the secret key in the field titled 'One-time passcode' you will see the TOTP codes that are generated by the LastPass Authenticator - I believe that SHA1/256/512 are all supported but I'm currently checking with one of my teammates (All of these are definitely supported in the LastPass Authenticator App). If you have an Android device then you can get the secret key in your LastPass Authenticator App by selecting your TOTP code -- edit account --> secret key. We haven't launched this feature on iOS as yet though.

 

I hope that helps?

bas_
Active Contributor

Hello @JohnAUK , sorry for the late response. We are an active user of the web vault and browser plugins, but the functionality is missing there to change the hash algorithms. The only option is to add a TOTP using a secret key, but that still defaults to SHA-1 with no other modifications allowed.

JohnAUK
LastPass Contributor

OK I get you now thanks for explaining @Bas. I'll pass this on to the relevant team at LastPass as my primary focus is on the LastPass Authenticator itself. Great feedback though and thank you!
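
An added illustration of the issue discussed in this thread (not code from LastPass or from any poster): RFC 6238 TOTP in Python for a key URI that declares `algorithm=SHA256`, next to the code a client that always uses SHA-1 derives from the same secret. The secret is the RFC 6238 Appendix B test value; the issuer and account labels are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp(secret, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation uses the last nibble
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def parse_otpauth(uri):
    """Parse a TOTP key URI; algorithm, digits and period are optional."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # key URIs usually omit base32 padding
    return {"secret": base64.b32decode(b32), "algorithm": algorithm,
            "digits": int(params.get("digits", 6)),
            "period": int(params.get("period", 30))}


def codes_for_uri(uri, unix_time):
    """Return (code honouring the URI's algorithm, code from a SHA-1-only client)."""
    p = parse_otpauth(uri)
    honoured = totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])
    sha1_only = totp(p["secret"], unix_time, "SHA1", p["digits"], p["period"])
    return honoured, sha1_only


# Constructed sample: RFC 6238 Appendix B SHA-256 test secret, made-up labels.
SAMPLE_SECRET = b"12345678901234567890123456789012"
SAMPLE_URI = ("otpauth://totp/Example:alice?secret="
              + base64.b32encode(SAMPLE_SECRET).decode().rstrip("=")
              + "&issuer=Example&algorithm=SHA256&digits=8&period=30")

if __name__ == "__main__":
    print(codes_for_uri(SAMPLE_URI, 59))
```

The two codes differ, so a service that provisions SHA256 or SHA512 secrets rejects every code from a generator that only takes the secret key and assumes SHA-1.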