The Messy State of TOTP: A Test Suite is Born
2025-03-02

The current TOTP specification is riddled with inconsistencies. Major implementations from Google, Apple, and Yubico subtly disagree with one another, leading to idiosyncratic variants across MFA apps. The official RFC is frustratingly vague. The author built a test suite to check whether your favorite app correctly implements the TOTP standard, highlighting ambiguities in digit count, hash algorithm, time step, secret length, and labeling. The author calls for improved specifications to prevent future issues.
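As an added illustration (not code from the article or its test suite), the generator below makes the parameters the summary names explicit: one 20-byte secret yields different codes depending on digit count, hash algorithm and time step, and the published RFC 6238 vectors for SHA-256 and SHA-512 are only reproduced when the seed is extended to 32 and 64 bytes as the RFC's appendix does.

```python
import hmac
import struct

# RFC 6238 Appendix B seed: ASCII "1234567890" repeated. The RFC's SHA-256 and
# SHA-512 vectors use the same seed extended to 32 and 64 bytes, which is the
# "secret length" ambiguity: feeding the 20-byte secret unchanged to HMAC-SHA256
# gives a different code than the padded form the RFC table was computed with.
SEED_20 = b"12345678901234567890"
SEED_32 = (SEED_20 * 2)[:32]
SEED_64 = (SEED_20 * 4)[:64]


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, algorithm: str = "sha1",
         step: int = 30, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def variants(secret: bytes, unix_time: int) -> dict:
    """Codes one secret yields under the parameter choices apps disagree on."""
    return {
        "sha1/6 digits/30 s": totp(secret, unix_time),
        "sha1/8 digits/30 s": totp(secret, unix_time, digits=8),
        "sha1/6 digits/60 s": totp(secret, unix_time, step=60),
        "sha256/6 digits/30 s": totp(secret, unix_time, algorithm="sha256"),
    }


# (time, seed, algorithm, expected 8-digit code) from RFC 6238 Appendix B.
RFC6238_VECTORS = [
    (59, SEED_20, "sha1", "94287082"),
    (59, SEED_32, "sha256", "46119246"),
    (59, SEED_64, "sha512", "90693936"),
    (1111111109, SEED_20, "sha1", "07081804"),
    (1234567890, SEED_20, "sha1", "89005924"),
]


def check_rfc_vectors() -> bool:
    """True if this implementation reproduces the RFC's published test vectors."""
    return all(totp(seed, t, digits=8, algorithm=alg) == code
               for t, seed, alg, code in RFC6238_VECTORS)
```

Run `variants(SEED_20, 59)` to see four different codes for the same secret at the same instant; a verifier and an app that disagree on any one knob will never match.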
Development