As I understand it, the logon passcode is generated from a standardized hashing algorithm based on the security key and either a counter (for HOTP) or the time (for TOTP). (It also must know it is SHA1 and how many digits, etc…) It must be standard because Duo can import third-party tokens knowing only the serial number and the security key.
That said, I can’t seem to get the single (non-Duo) app I use for all other MFA to have the correct passcode for Duo. I’ve tried both the TOTP and HOTP version. I know that the key is case sensitive, (although I was surprised/disappointed that Duo limited it to hex characters), but adjusting the case hasn’t worked either.
Does anyone know if the algorithm folds in the serial number too? I entered a (made-up) serial number into Duo when importing the token, but I thought that was just for identification purposes. I don’t include that in the key entered into the app.
Just for reference, I’m currently testing against OTP Auth (by Roland Moers) on the iPhone, but eventually will move to a different OTP app when I get my Librem5 (for which there is no Duo Mobile app).