It took quite some time for 2FA to arrive inside of SmarterMail. However, it's time to up the ante and make the security better!
says "4. Algorithm Requirements. R6 - The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits.".
As we seen with SSL, the security folks have increased the key bit strength over the years to 2048 bits and support for 4096 is on the horizon. We have also updated from SHA1 to SHA256 for hashing functions of data in SSL Certificates. We know that SHA1 has issues and is being phased out.
However, while digging through Google's git log for TOTP, their code has been generating 80-bit keys since March 26, 2010, commit 35ae38faf1a7a55b8d1808d893d2e4c4a1ef7824. I think SmarterMail is likely using 80-Bit Keys as well.
In addition, to the bit strength I would like to see support for SHA256 or SHA-512 hashing functions and more 2FA digits beyond 6 -- say any length from 6 to 12 digits.
I'm not sure that either Google or Microsoft TOTP apps that support these parameters, however, Google's URI for TOTP supports both "algorithm" parameter
values: SHA1 (Default), SHA256 and SHA512 plus "digits" parameter determines how long of a one-time passcode to display to the user. The default is 6 and the spec mentions
8, however, I've seen 9 digits in the wild. Here is the URI spec from Google: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
If anyone has an idea on Android Auth Apps that support these "algorithm" and more digits" parameters, please update here. For SmarterMail these parameters (seed key length, algorithm, and digits) should be options at the domain level with system wide defaults. And of course, like many things in SmarterMail have feature settings to allow or disallow the domain admin override.
We also need some increase bit strength for machine passwords as well!