Increase 2FA key size

[tvlooy]

Description:

When scanning the 2FA codes with FreeOTP it reports that the tokens contain insecure cryptographic parameters. The key is too short. Google authenicator standard is 32 characters.

Review

• Functional review done
• Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
• Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
• Security review done
• Wording review done
• Code review done
• Tests were added if useful/possible
• Reviewed for breaking changes
• Developer changelog updated if needed
• Documentation added if needed
• Existing documentation updated if needed

[michalkleiner]

Thanks for the PR @tvlooy. Would you be able to update the expected tests as well, please? See https://github.com/matomo-org/matomo/actions/runs/17588686587/job/49979193367?pr=23585#step:3:791 for details on the failure.

[tvlooy]

Done!

[tvlooy]

Oh, that didn't work the way I expected it. I now updated the PR and sqashed commits.

[tvlooy]

@michalkleiner can we merge this now or is there still something missing?

[sgiehl]

@tvlooy We won't merge this for now, as it's unclear if a bigger key size could cause issues with existing 2FA apps.
Various services (including Microsoft, GitHub, ...) are still using 16 chars.

In addition, there are also discussions around the warning in FreeOTP here:
freeotp/freeotp-android#287
https://github.com/orgs/community/discussions/172923

[michalkleiner]

One possible solution I can think of would be to make the key length configurable, defaulting to the current 16 characters. Then if someone wanted, they could adjust the config locally to 32.

[tvlooy]

While I understand the concern, it would benefit everyone if the security were sufficient by default. It shouldn’t be something people have to think about. Adding options can also create opportunities for misuse.