The Google Authenticator key length is truncated because of a usability tradeoff. Initially, a design goal was to allow people to manually type in keys on their device. This would be for cases where you couldn't scan a QR code, like when your device has no camera.
Given the security setting, I am comfortable with the tradeoff. I do not think brute-force attacks represent a significant risk, especially compared to other attack vectors.
That may change over time. Fortunately, it's straightforward to increase the default key size.