Towards a test-suite for TOTP codes

Published on: 2025-11-12 18:41:59

Because I'm a massive nerd, I actually try to read specification documents. I've ranted ad nauseam about the current TOTP spec being irresponsibly obsolete. The three major implementations of the spec - Google, Apple, and Yubico - all subtly disagree on how it should be implemented. Every other MFA app has its own idiosyncratic variants. The official RFC is infuriatingly vague. That's no good for a security specification. Multiple implementations are great; multiple interpretations are not.

So I've built a nascent test suite - you can use it to see if your favourite app correctly implements the TOTP standard. Please do contribute tests and / or feedback. Here's what the standard actually says - see if you can find apps which don't implement it correctly.

Time-based One-Time Passwords (TOTP) are based on HOTP - HMAC-Based One-Time Password. HOTP uses counters; a new password is regularly generated. TOTP uses time as the counter. At the time of writing this post, there have been a ...