security hole that lets unprivileged users accessing a client app get SYSTEM rights to the server
wtf 🤣
And some TOTP apps don’t interpret the algorithm
parameter correctly, which makes it safer to go with the default SHA-1.
Lemmy in fact was using SHA-256 for its earlier TOTP implementation and reverted back to SHA-1 since some people locked themselves out due to poor support in some TOTP app (among other issues, another was that the activation workflow never asked you to confirm the code you enrolled was working and generating the correct code…).
https://www.traccar.org/ could be a good starting point.