Why is TOTP two-factor digits behaviour different between Android and iOS implementations of Google Authenticator?
I have the below QR code generated from my application so users can use their phones for a time-based OTP. For Google Authenticator in iOS, scanning the QR code correctly leads to an eight-character time-based OTP generating every 30 seconds. However, on the exact same Google Authenticator in Android, it incorrectly generates a six-character string instead.
I have provided the sample string and QR code below (it's from a test system) - does anyone know why the implementation of the functionality differs between the exact same app on Android and iOS, or alternatively where I can find developer documentation for either the
otpauthprotocol or Google Authenticator itself (both seem thin on the ground and I've had to take what I can from tutorials)?
Sample QR Code:
While the Play Store version of Google Authenticator is proprietary, there is also https://github.com/google/google-authenticator-android .
Browsing through its wiki for https://github.com/google/google-authenticator/wiki/Key-Uri-Format#digits , there is a remark for
digitsparameter may have the values 6 or 8, and determines how long of a one-time passcode to display to the user. The default is 6.
Currently, on Android and Blackberry the digits parameter is ignored by the Google Authenticator implementation.
So, apparently, the
digitsparameter is ignored in the Android version (along with other optional parameters like
periodthat are ignored on all platforms).
As far as I have tried searching for the specific reason why it is not implemented, I could not find it.