jsakamoto

Selenium Testing - How to sign in to Two-factor authentication?

In this article, I'm going to explain how to sign in to a website that is protected with two-factor authentication in end-to-end testing using Selenium.

A type of Two-factor authentication

This article handles two-factor authentication of the type that gets an OTP (One Time Password) from an "Authenticator" mobile app, such as "Google Authenticator" or "Microsoft Authenticator".

(Screenshot: Google Authenticator mobile app)

Two-factor authentication of the type that sends an authentication code by SMS or e-mail is not handled in this article.

Is it hard to sign in to 2FA site in End-to-End testing?

When signing in to a website that is protected with two-factor authentication, you have to get an "Authenticator code" (a.k.a. "OTP") from an Authenticator mobile app on your own mobile device and enter it into the sign-in form.

But in end-to-end testing, how can the test program get the "Authenticator code" without access to an Authenticator mobile app?

Is there no way other than disabling the two-factor authentication feature of the account used for testing?

The idea is simple!

Don't worry, your test code can do it.

You can easily implement a program that computes the Authenticator code inside the test program.

It's like putting an "authenticator" mobile app in the test program.

How to compute 2FA code?

I wrote two code samples. One is in C# and the other is in Java.

In C#, you can compute the 2FA code with the library "Otp.NET".



```csharp
using OtpNet;
// ...

var otpKeyStr = "6jm7n6xwitpjooh7ihewyyzeux7aqmw2"; // <- the 2FA secret key.

var otpKeyBytes = Base32Encoding.ToBytes(otpKeyStr);
var totp = new Totp(otpKeyBytes);
var twoFactorCode = totp.ComputeTotp(); // <- the 2FA code valid at this moment!
```

In Java, you can compute the 2FA code with the library "aerogear-otp-java".



```java
import org.jboss.aerogear.security.otp.Totp;
// ...

String otpKeyStr = "6jm7n6xwitpjooh7ihewyyzeux7aqmw2"; // <- the 2FA secret key.

Totp totp = new Totp(otpKeyStr);
String twoFactorCode = totp.now(); // <- the 2FA code valid at this moment!
```

I am grateful to the contributors of those libraries.
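
What such libraries compute, written out in Python as an added example (not code from this article or its repository): RFC 6238 TOTP with the common authenticator defaults of HMAC-SHA1, 6 digits and a 30-second step, which the target site is assumed to use. The function names and the `E2E_TOTP_SECRET` environment variable are hypothetical; `fresh_totp` waits for the next time step when the current code is about to expire, so the test does not submit a code that lapses while the form is being filled in.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def decode_secret(secret):
    """Base32-decode a secret as setup pages display it (spaces, lowercase, no padding)."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped Base32 padding
    return base64.b32decode(cleaned)


def totp(secret, at=None, digits=6, step=30):
    """RFC 6238 code for the time step containing `at` (Unix seconds, default: now)."""
    now = time.time() if at is None else at
    counter = struct.pack(">Q", int(now // step))  # 8-byte big-endian step number
    mac = hmac.new(decode_secret(secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(at=None, step=30):
    """Seconds until the code for the current time step stops being current."""
    now = time.time() if at is None else at
    return step - int(now) % step


def fresh_totp(secret, min_validity=5, clock=time.time, sleep=time.sleep):
    """Return a code with at least `min_validity` seconds left, waiting if needed."""
    remaining = seconds_left(clock())
    if remaining < min_validity:
        sleep(remaining)  # let the next time step begin
    return totp(secret, clock())


if __name__ == "__main__":
    # Assumption: the secret of a dedicated test account is injected by the CI
    # environment (hypothetical variable name) rather than committed with the tests.
    key = os.environ["E2E_TOTP_SECRET"]
    print(fresh_totp(key))  # pass this value to the sign-in form's code field
```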

Full set of sample code in C#

You can get a full set of C# sample code from the following GitHub repository.

https://github.com/sample-by-jsakamoto/Selenium-E2ETest-for-OTP2FAAuth

This repository also includes the sample website app that serves as the test target.

The sample website app is also provided as a Docker image in the following repository.

https://hub.docker.com/r/samplebyjsakamoto/otp2faauthwebappdemo/

Conclusion

There is no need to be afraid of Selenium end-to-end testing of a 2FA website.

You can easily implement a test program that gets the 2FA code inside itself with these very useful libraries.

Happy testing :)

Latest comments (27)

NickUser

Hi guys,

Does anyone know how to bypass a two-step verification via e-mail?
I'm trying to bypass that in Selenium with C#.
I have access to the email but I'm trying to automate this process.

Thank you in advance for your responses!

marcusvinicius178

Hi Mr. Sakamoto, is there a Python version for this? Thanks in advance

Paolo Pancaldi

Vinicius Goldenberg Santos

How did you manage to get the optKeyString from the authenticator app?

saumild

Hi,
I am unable to generate optKeyStr.
Is there a process to generate it, or do we need to create an account somewhere? Please clarify.

Nico Bulusan

How do you bypass MFA in Azure Active Directory?

jsakamoto

Unfortunately, I couldn't answer this question because I'm not familiar with MFA in Azure Active Directory.

If I have a chance, I'll try to resolve your question because I'm also interested in it; however, I cannot promise it.

tati19863

Hello Sakamoto,

I accessed the user configuration in MFA (Microsoft), clicked the button to configure the authenticator application and took the 12 digits of the user's secret key, converted it to base32 and added it to the code in the system, but it is generating a code that is not expected. I cannot identify what is wrong.
Can you help me?

Smicius

I don't know where you got a 12-digit secret key, but Microsoft MFA worked for me with a 16-character secret key. Maybe you provided the wrong value. I got the 16-character Microsoft MFA secret key this way:
1) Go to MFA setup window by this Microsoft Documentation:
1.1) Sign in to myapps.microsoft.com.
1.2) Select your account name in the top right, then select profile.
1.3) Select Additional security verification.
2) Click "Set up Authenticator app".
3) Click "Configure app without notifications".
You should see a 16-character secret key value (it contains spaces, but you need to remove them).

kumar-z

Hi jsakamoto,

Thanks for the code.

Can you please help me with the code to automate 2FA using JavaScript?

Thanks.

Regards,
Zisu Kumar

rsanzedah

Hello, I used totp.now for my automation code. It was working fine for signing in, but as soon as I changed to the updated ChromeDriver 76, the OTP part stopped working. The authentication is wrong now. Any feedback? Is there any relationship between the ChromeDriver version and TOTP?

```java
public static String getotp(String secretkey) {
    // String secretkey = "6BSLNLLRH7HLJFMM"; // <- this 2FA secret key.

    Totp totp = new Totp(secretkey);
    return totp.now();
}
```

jsakamoto

My understanding is that there is no relationship between computing a TOTP and Selenium WebDriver.

I guess your problem is caused by your test code having become incompatible with the test target website.

E

Hi Jsakamoto, can I use this code in Cypress?
