Every once in a while the question of MD5 security and Mobile-OTP comes up. This is a brief statement why there is no practical relevance of MD5 vulnerabilities for the security of Mobile-OTP:

  1. MD5 collision attacks are not what you are looking for to attack Mobile-OTP in the first place. An attacker does not even get access to a full MD5 hash but only its first 24 bits.
  2. To even try a brute-force attack on the Mobile-OTP secret and PIN, an attacker would need to get hold of several of the 24 bit one-time-passwords to match against 78 bits of secret data.
  3. Even if MD5 collision attacks were relevant, there is no significant room for collisions. Mobile-OTP maps between 78 and 142 bits of data to an MD5 hash of 128 bit.