Authenticator App Compatibility
================================
Overview
--------
Not every authenticator app supports the same OTP modes or provisioning options.
This matters because:
- some apps are primarily built for TOTP
- some apps also support HOTP
- OCRA support is uncommon in mainstream consumer authenticator apps
- some apps may ignore non-default provisioning parameters such as algorithm, digit count, or period
As of April 20, 2026, the safest cross-app default is still:
- TOTP
- SHA1
- 6 digits
- 30 second period
- standard ``otpauth://`` label and issuer formatting
If you want the broadest compatibility, start there.
Practical guidance
------------------
Use TOTP for the default mobile-app path
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TOTP remains the most interoperable option across mainstream mobile authenticator apps.
If you are provisioning a typical user-facing MFA app, prefer:
.. code-block:: php
<?php
$uri = $totp->getProvisioningUri('alice@example.com', 'Example App');
Use HOTP only when the app and server flow both expect it
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HOTP is supported by some authenticators, but it is less common in ordinary consumer setups than TOTP.
Choose HOTP only when:
- your server flow is explicitly counter-based
- the target app or device is known to support HOTP
- you are prepared to persist counter state and resynchronization logic
Treat OCRA as a specialized flow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OCRA is not something you should assume a mainstream consumer authenticator app will support.
In practice, OCRA often needs:
- a dedicated vendor app
- a banking or enterprise authenticator
- a custom application that explicitly implements the required suite
Inference from the official app sources listed below:
- mainstream apps commonly document TOTP
- several also document HOTP
- the reviewed public docs did not clearly document mainstream OCRA support
Be careful with non-default parameters
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Even when an app supports TOTP or HOTP, it may not fully honor every provisioning parameter.
Examples of parameters that can be problematic across apps:
- ``algorithm`` such as ``SHA256`` or ``SHA512``
- ``digits`` such as ``8`` instead of ``6``
- ``period`` values other than ``30``
If you use non-default values, test with the specific app your users will use.
App notes
---------
Google Authenticator
~~~~~~~~~~~~~~~~~~~~
Google's published open-source project and wiki document HOTP and TOTP support.
Historical Google Authenticator key-URI documentation also notes that some provisioning parameters may be ignored by Google Authenticator implementations, including:
- ``algorithm``
- ``digits`` on some implementations
- ``period``
Practical guidance:
- good baseline target for standard TOTP
- HOTP is historically documented
- do not assume non-default algorithm, digits, or period will be honored without testing
Microsoft Authenticator
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft's official support pages clearly document one-time password usage for Microsoft and non-Microsoft accounts.
However, the reviewed Microsoft support pages do not clearly document:
- HOTP support details
- OCRA support
- custom algorithm handling
- custom period handling
Practical guidance:
- treat Microsoft Authenticator as a TOTP-focused target unless you have tested your exact flow
- avoid assuming support for OCRA or unusual provisioning settings
Authy
~~~~~
Current official Authy and Twilio support material reviewed for this page is more focused on platform support, backups, sync, and product lifecycle than on detailed OTP-mode compatibility.
The reviewed official material did not clearly document:
- HOTP support details
- OCRA support
- custom algorithm handling
- custom period handling
Practical guidance:
- treat Authy as a TOTP-oriented authenticator unless you have directly tested your exact provisioning profile
- do not assume HOTP or OCRA support from the current official support pages alone
- note that the Authy Desktop app reached end of life on March 19, 2024, so device guidance should focus on currently supported mobile platforms
2FAS Auth
~~~~~~~~~
2FAS documents TOTP directly and also states it can be used for services that support TOTP or HOTP tokens.
Practical guidance:
- strong fit for standard TOTP
- HOTP is mentioned in official 2FAS support material
- still test any non-default algorithm or period choices in your own target flow
Proton Authenticator
~~~~~~~~~~~~~~~~~~~~
Proton's current public documentation describes Proton Authenticator as a TOTP authenticator and repeatedly refers to time-based one-time password codes.
The reviewed Proton documentation did not clearly document:
- HOTP support
- OCRA support
- custom algorithm handling beyond the standard consumer authenticator flow
Practical guidance:
- treat Proton Authenticator as a TOTP-focused target
- it is a strong fit when you want cross-platform availability, including desktop clients
- do not assume HOTP or OCRA support unless Proton documents it clearly or you validate it directly in your own test matrix
Aegis
~~~~~
The official Aegis project documents support for:
- HOTP
- TOTP
Practical guidance:
- good choice when you need an app with clearly documented HOTP and TOTP support
- still verify advanced parameter behavior for your own provisioning profile
FreeOTP
~~~~~~~
The official FreeOTP site and Android repository document support for:
- HOTP
- TOTP
Practical guidance:
- suitable for standards-based HOTP and TOTP deployments
- like other apps, test custom algorithm or period choices before relying on them
Protectimus Smart OTP
~~~~~~~~~~~~~~~~~~~~~
Protectimus publishes much more explicit compatibility guidance than many mainstream authenticator apps.
Their public user guide states support for all OATH OTP generation algorithms, specifically:
- HOTP
- TOTP
- OCRA
The same guide also documents manual token setup with:
- OTP type selection
- one-time password length
- lifetime
Practical guidance:
- strong candidate when you need broader OTP-family support beyond standard TOTP
- especially relevant for HOTP or OCRA deployments
- still validate your exact suite and provisioning values, especially for advanced OCRA flows
Recommended compatibility tiers
-------------------------------
Broadest compatibility
~~~~~~~~~~~~~~~~~~~~~~
Use this if you want the least support friction across common mobile apps:
- TOTP
- SHA1
- 6 digits
- 30 second period
Broader standards support, but verify the app
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use this only if you control the supported app list:
- HOTP
- TOTP with non-default digits
- TOTP with non-default algorithm
- TOTP with non-default period
Specialized deployment
~~~~~~~~~~~~~~~~~~~~~~
Use this when you have a known compatible client or a dedicated enterprise flow:
- OCRA
- custom challenge workflows
- suite-specific banking or enterprise authenticators
What this means for this library
--------------------------------
If you are building for general consumer authenticator apps, prefer:
- ``TOTP``
- default provisioning values
- standard ``otpauth://`` URIs
If you are building for a controlled client environment, this library can also support:
- HOTP
- OCRA
- non-default algorithms and provisioning values
But at that point, compatibility becomes a product decision, not just a library decision.
Sources checked
---------------
The following official or project-maintained sources were reviewed on April 20, 2026:
- Google Authenticator open-source project: https://github.com/google/google-authenticator
- Google Authenticator wiki home: https://github.com/google/google-authenticator/wiki
- Google Authenticator key URI format wiki: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
- Google Account Help for Google Authenticator: https://support.google.com/accounts/answer/1066447
- Microsoft Authenticator overview: https://support.microsoft.com/en-US/authenticator/about-microsoft-authenticator
- Microsoft account setup/authenticator docs: https://support.microsoft.com/en-us/account-billing/how-to-add-your-accounts-to-microsoft-authenticator-92544b53-7706-4581-a142-30344a2a2a57
- 2FAS app compatibility and support pages: https://2fas.com/support/2fas-auth-mobile-app/can-i-use-2fas-on-my-own-website-or-app/ and https://2fas.com/support/2fas-auth-mobile-app/how-does-the-2fas-app-work/
- 2FAS app tutorial: https://2fas.com/support/2fas-auth-mobile-app/2fas-auth-app-tutorial/
- Aegis project page: https://github.com/beemdevelopment/Aegis
- FreeOTP site: https://freeotp.github.io/
- FreeOTP Android repository: https://github.com/freeotp/freeotp-android
- Authy help page: https://www.authy.com/help/
- Twilio Authy system requirements: https://help.twilio.com/articles/19753636949275-Authy-App-System-Requirements
- Proton Authenticator announcement: https://proton.me/blog/authenticator-app
- Proton Authenticator support hub: https://proton.me/support/authenticator
- Proton Authenticator security model: https://proton.me/blog/authenticator-security-model
- Protectimus Smart OTP user guide: https://www.protectimus.com/guides/protectimus-smart-otp/
- Protectimus Smart OTP product page: https://www.protectimus.com/protectimus-smart/
|