Authenticator apps
Paramant uses SHA-256 TOTP. Here's what works and what doesn't.
Why SHA-256
Paramant's relay uses SHA-256 for TOTP verification instead of the older SHA-1 default specified in RFC 6238. SHA-1 is not broken for HMAC use, but it does not belong in a stack that positions itself around post-quantum key exchange and FIPS 203 primitives. Consistency matters: our MFA layer holds to the same cryptographic standard as the rest of the transport.
Supported apps
Authy, 1Password, Aegis (Android, open source), Raivo (iOS, open source), Bitwarden, Ente Auth (iOS and Android, open source), and 2FAS all support SHA-256 TOTP. Any of these will work with the QR code shown on the setup page.
Not sure which to pick? Aegis on Android and Raivo on iOS are open source, store codes locally, and have no cloud dependency. 1Password and Bitwarden are good choices if you already use a password manager.
Not supported
Google Authenticator, Microsoft Authenticator, and the authenticator built into iCloud Keychain only support SHA-1 TOTP. The QR code will scan successfully, but the codes generated will never match what the server expects. If you see "Invalid code" repeatedly while using one of these apps, this is why.
Scanning the QR with an unsupported app will appear to work at first. The codes it generates will always fail verification at login.
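Why the codes never match, as an added example (not Paramant's own code): the same shared secret run through RFC 6238 with HMAC-SHA-1 and HMAC-SHA-256 yields unrelated codes, so a SHA-256 verifier rejects what a SHA-1-only app displays. The secret, the timestamp, the ±1 step window and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real one comes from the QR code on the setup page.
SECRET = b"constructed-demo-secret-0001"


def totp(secret: bytes, unix_time: int, algorithm: str = "sha256",
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(code: str, secret: bytes, unix_time: int,
                   window: int = 1, step: int = 30) -> bool:
    """SHA-256 verifier. The +/-1 step tolerance is an assumed setting."""
    return any(
        hmac.compare_digest(code, totp(secret, unix_time + i * step, "sha256"))
        for i in range(-window, window + 1)
    )


def demo(unix_time: int = 1_700_000_000):
    """Return (accepted, accepted) for a SHA-256 app and a SHA-1-only app."""
    sha256_app_code = totp(SECRET, unix_time, "sha256")
    # Assumption: the unsupported app keeps the secret but computes SHA-1.
    sha1_app_code = totp(SECRET, unix_time, "sha1")
    return (server_accepts(sha256_app_code, SECRET, unix_time),
            server_accepts(sha1_app_code, SECRET, unix_time))


if __name__ == "__main__":
    ok_256, ok_1 = demo()
    print("SHA-256 app accepted:", ok_256)
    print("SHA-1 app accepted:  ", ok_1)
```

Both apps scan the same secret without error, which is why the failure only shows up at login as a rejected code.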
Migrating from Google Authenticator
If you currently use Google Authenticator for other services, you can keep using it for those and install a second app (Aegis on Android, Raivo on iOS) specifically for Paramant. Having multiple authenticator apps on one device is supported and common.