A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
SHA-256 token with MS Authenticator returns wrong TOTP
Greetings,
We (company) are using MS365. MFA is enforced for all users, everyone uses MS Authenticator and it works fine.
Now I tried to set up MFA on our Sophos (UTM 9) Firewall. When I set a SHA-1 token, MS Authenticator works fine. When I set a SHA-256 (security concerns) token, MS Authenticator returns the wrong TOTP.
I tested SHA-1 and SHA-256 with Google Authenticator, which returns the proper TOTP (ofc a different one than MS), and login works. So we have a workaround, but having 2 apps for the same purpose is not the best...
I went through Sophos manuals and they recommend either Google or Sophos authenticator. Their support cannot help me either ("you should contact MS regarding this issue").
Does MS Authenticator even support 'above' SHA-1 tokens? Can anything be done on our end? I found plenty of people struggling with this exact problem, but I find it hard to believe that in 2023 MS does not support a 'safer' version.
Thanks.
Ziga
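A diagnostic for the symptom described in the question, as an added example that is not part of the original post and is not Sophos or Microsoft code: it computes RFC 6238 TOTP codes with SHA-1, SHA-256 and SHA-512 for the same secret and reports under which algorithm a displayed code is valid. The secrets are the RFC 6238 test keys, and the function and constant names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secrets: the ASCII test keys from RFC 6238 Appendix B, Base32-encoded.
SECRET_SHA1 = base64.b32encode(b"12345678901234567890").decode()
SECRET_SHA256 = base64.b32encode(b"12345678901234567890123456789012").decode()


def totp(secret_b32, at, algorithm="sha1", digits=6, period=30):
    """Return the RFC 6238 TOTP code for a Base32 secret at Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // period)          # 8-byte big-endian time step
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matching_algorithms(secret_b32, shown_code, at, period=30, skew=1):
    """List the HMAC algorithms for which `shown_code` is valid within +/- `skew` steps."""
    hits = []
    for algorithm in ("sha1", "sha256", "sha512"):
        for step in range(-skew, skew + 1):
            expected = totp(secret_b32, at + step * period, algorithm,
                            len(shown_code), period)
            if hmac.compare_digest(expected, shown_code):
                hits.append(algorithm)
                break
    return hits


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; replace with time.time() for a live check
    for alg in ("sha1", "sha256", "sha512"):
        print(alg, totp(SECRET_SHA1, now, alg, digits=8))
    # A code that only validates as "sha1" on a token enrolled as SHA-256
    # means the app is computing HMAC-SHA1 for that secret.
    print(matching_algorithms(SECRET_SHA1, "94287082", now))
```

Run it against a throwaway test secret rather than a production one, entering the code the app shows at that moment.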