
Your 2fa is likely SHA1SSE

SHA1-based TOTP 2FA vulnerable to attacks? Improve security with stronger hashing algorithms like SHA-256 & SHA-512. Research on Authenticator app support shows limited support for stronger hashing. Keycloak, AWS Cognito, and others use SHA-1 by default. CoGuard's application discovery tools help identify misconfigurations and reduce exposure risk.

Written by Albert Heinle

2FA via Authenticator App: The TOTP algorithm and its legacy

We all use them nowadays without thinking much: Authenticator applications.

There are a variety of two factor authentication (2FA) Authenticator applications available:

One of the reasons for the breadth of available applications is that the Time-based One-Time Password algorithm (TOTP) is so simple. The applications require:

  • a secret key,
  • an initial time-stamp,
  • and some additional meta-information,

which are created and shared through a QR code.

Then the (usually) 6-digit numbers that change every 30 seconds (this duration can be configured) are basically truncated HMAC authentication tokens with a secret key and the current counter value as a message.

The HMAC portion requires a hash algorithm. RFC 6238 came out in 2011 (the underlying HOTP RFC was published in 2005), and it is surprising that SHA1 was chosen while SHA256 and up are listed only as something implementations “may use”. It is surprising because SHA1 was already marked as deprecated by NIST that year. In 2017, a group of researchers published an attack on the SHA1 hashing algorithm that was a significant improvement over birthday attacks.

While finding SHA1 collisions is still not quick or easy, it is only a matter of time until further improvements are made, and continuing to rely on SHA1 as the underlying hash algorithm is not a good idea.
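The following sketch is an added example, not code from the original article: it computes TOTP codes as described above, with the hash algorithm as a parameter, and reads that parameter from an `otpauth://` enrollment URI of the kind encoded in the QR code. The sample URI is constructed, and `force_algorithm` is a hypothetical switch that models an app which only implements SHA1 and ignores the `algorithm` parameter (an assumption about client behaviour).

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: the HOTP counter is the number of elapsed time steps since the epoch."""
    return hotp(key, int(unix_time) // period, digits, algorithm)

def parse_otpauth(uri):
    """Read the enrollment parameters from the URI; absent ones take their defaults."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    algorithm = query.get("algorithm", "SHA1").upper()   # no parameter means SHA1
    if algorithm not in HASHES:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    secret = query["secret"].upper()
    secret += "=" * (-len(secret) % 8)                   # restore stripped base32 padding
    return {"key": base64.b32decode(secret), "algorithm": algorithm,
            "digits": int(query.get("digits", 6)), "period": int(query.get("period", 30))}

def code_from_uri(uri, unix_time, force_algorithm=None):
    """Code shown for this enrollment; force_algorithm (hypothetical) models a SHA1-only app."""
    p = parse_otpauth(uri)
    return totp(p["key"], unix_time, p["period"], p["digits"],
                force_algorithm or p["algorithm"])

# Constructed sample: issuer and account are made up, the key is the RFC 6238 SHA256 test key.
SAMPLE_KEY = b"12345678901234567890123456789012"
SAMPLE_URI = ("otpauth://totp/Example:alice?issuer=Example&algorithm=SHA256&digits=8&secret="
              + base64.b32encode(SAMPLE_KEY).decode().rstrip("="))

if __name__ == "__main__":
    print("server (SHA256):", code_from_uri(SAMPLE_URI, 59))
    print("SHA1-only app  :", code_from_uri(SAMPLE_URI, 59, force_algorithm="SHA1"))
```

The two printed codes differ, which is why the server and the authenticator app have to agree on the algorithm before a stronger hash can be rolled out.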

Authenticator Clients & Authentication Servers

From the introduction, you can probably already deduce two sides of the problem when trying to improve the security here:

  1. The server needs to be able to support other hashing algorithms than SHA1
  2. The authenticator apps need to be able to support other hashing algorithms than SHA1

Let’s look at the server-side first.

Authentication Server Solutions 

Most authentication server providers do not give their users the option to configure a more secure hashing algorithm such as SHA-256 or greater.

Figure 1: Authentication / Identity Server SHA Algorithm Supported

| Provider | SHA-1 | SHA-256 | SHA-512 | Default | Comments |
|---|---|---|---|---|---|
| Keycloak | Yes | Yes | Yes | SHA-1 | Supports the setting of SHA-256 and SHA-512, but defaults to SHA1 (documentation). |
| AWS Cognito | Yes | - | - | SHA-1 | Does not support anything above SHA1 (see here). |
| Okta / Auth0 | Yes | - | - | SHA-1 | Does not specify a way to change the algorithm, so it is safe to assume that SHA1 is used (the authenticator apps all work as discussed in the Client Application section). |
| ActiveDirectory / Entra | Yes | - | - | SHA-1 | Does not provide an option to change the hash algorithm, but defaults to SHA-1 (documentation). |
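For Keycloak, the one provider in Figure 1 where the algorithm can be changed, the setting can be checked offline in a realm export. The check below is an added example, not CoGuard's tooling or Keycloak's own code; it relies on the `otpPolicyAlgorithm` field of Keycloak's realm representation, and the sample export with its realm names is constructed.

```python
import json

STRONG = {"HmacSHA256", "HmacSHA512"}   # values Keycloak uses for the stronger hashes

def audit_realm_export(text):
    """Return (realm, reason) for every realm whose OTP hash is SHA-1, unset or unrecognised."""
    data = json.loads(text)
    realms = data if isinstance(data, list) else [data]   # single realm or multi-realm export
    findings = []
    for realm in realms:
        name = realm.get("realm", "<unnamed>")
        algorithm = realm.get("otpPolicyAlgorithm")
        if algorithm is None:
            # Nothing configured: the SHA-1 default from Figure 1 applies.
            findings.append((name, "otpPolicyAlgorithm unset, SHA-1 default applies"))
        elif algorithm == "HmacSHA1":
            findings.append((name, "otpPolicyAlgorithm explicitly set to HmacSHA1"))
        elif algorithm not in STRONG:
            findings.append((name, f"unrecognised otpPolicyAlgorithm {algorithm!r}"))
    return findings

# Constructed sample export: realm names and values are illustrative only.
SAMPLE_EXPORT = json.dumps([
    {"realm": "legacy", "otpPolicyType": "totp", "otpPolicyAlgorithm": "HmacSHA1"},
    {"realm": "hardened", "otpPolicyType": "totp", "otpPolicyAlgorithm": "HmacSHA256"},
    {"realm": "defaults", "otpPolicyType": "totp"},
])

if __name__ == "__main__":
    for realm, reason in audit_realm_export(SAMPLE_EXPORT):
        print(f"{realm}: {reason}")
```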

Authenticator Client Applications

The support for stronger hashing on the application end is limited. We researched which of SHA-1, SHA-256 and SHA-512 each Authenticator application supports.

Client authenticator applications were tested in a test environment against Keycloak version 24.0.3.

Figure 2: Authenticator Client SHA Algorithm support

| Client | SHA-1 | SHA-256 | SHA-512 | Comments |
|---|---|---|---|---|
| Google Authenticator | | | | |
| FreeOTP | | | | |
| Authy | Yes | - | - | **Only able to support SHA1 |
| Duo | Yes | - | - | **Only able to support SHA1 |
| MSFT Authenticator | Yes | - | - | **Only able to support SHA1 |

** As of May 6, 2024. 

A ticking time-bomb and how we help

It appears that it is only a matter of time until someone creates a curated attack for the SHA-1 based TOTP design. It would be an interesting research problem, also given that an attacker may be able to collect a few samples.

We expect the different software providers and applications to increase their support, especially through some compliance pressure, i.e., NIST retiring SHA-1 support for US Federal Government by Dec 31, 2029.

At CoGuard, we don’t want this exposure to go unnoticed for the next 5 years. We provide tools for customers to identify applications and configurations to reduce misconfiguration risk. The CoGuard application provides application, container and network discovery tools to automate the identification of the configurations for used and unused applications in an infrastructure. CoGuard extracts the configurations for all of the above Authentication and Identity Providers and produces configuration warnings if we detect either a specifically configured SHA-1 algorithm for 2FA, or server-side software that does not support setting the hash algorithm to anything but SHA-1 (see e.g. Cognito).

Photo by Ed Hardie on Unsplash

Explore a test environment

Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interactive dashboard today.