
Selenium Testing - How to sign in to Two-factor authentication?

jsakamoto ・ 2 min read

In this article, I'm going to explain how to sign in to a web site that is protected with two-factor authentication during end-to-end testing with Selenium.

The type of two-factor authentication covered

This article handles the type of two-factor authentication that obtains an OTP (One Time Password) from an "Authenticator" mobile app, such as "Google Authenticator" or "Microsoft Authenticator".

[Screenshot of the Google Authenticator mobile app]

Two-factor authentication that sends an authentication code by SMS or e-mail is not handled in this article.

Is it hard to sign in to a 2FA site in end-to-end testing?

When you sign in to a web site protected with two-factor authentication, you must get the "Authenticator code" (a.k.a. "OTP") from the Authenticator mobile app on your own mobile device and enter it into the sign-in form.

But in an end-to-end test, how can the test program get the "Authenticator code" without accessing an Authenticator mobile app?

Is there no way except disabling the two-factor authentication feature on the account used for testing?

The idea is simple!

Don't worry, your test code can do it.

The Authenticator code is simply computed from the account's 2FA secret key and the current time, so you can easily implement that computation inside the test program itself.

It's like putting an "Authenticator" mobile app into the test program.

How to compute 2FA code?

I wrote two samples: one in C# and the other in Java.

In C#, you can compute 2FA code with the library "Otp.NET".

using OtpNet;
...

var otpKeyStr = "6jm7n6xwitpjooh7ihewyyzeux7aqmw2"; // <- this is the 2FA secret key.

var otpKeyBytes = Base32Encoding.ToBytes(otpKeyStr);
var totp = new Totp(otpKeyBytes);
var twoFactorCode = totp.ComputeTotp(); // <- you get the 2FA code at this time!

In Java, you can compute 2FA code with the library "aerogear-otp-java".

import org.jboss.aerogear.security.otp.Totp;
...

String otpKeyStr = "6jm7n6xwitpjooh7ihewyyzeux7aqmw2"; // <- this is the 2FA secret key.

Totp totp = new Totp(otpKeyStr);
String twoFactorCode = totp.now(); // <- you get the 2FA code at this time!

I am grateful to the contributors of those libraries.
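To show what those two libraries are doing under the hood, here is an added example (not code from the article, and not from Otp.NET or aerogear-otp-java) that computes the same Authenticator code from scratch in Python using only the standard library: RFC 4226 HOTP with the RFC 6238 time-step counter. The decoder also normalizes the secret the way Authenticator apps do (lowercase secrets like the one above, and secrets shown with spaces, both work). The RFC 6238 test vectors and the sample secret from the article are the only inputs; `PAGE_SAMPLE_SECRET` and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Sample secret from the article's C#/Java snippets (a demo value, not a live account).
PAGE_SAMPLE_SECRET = "6jm7n6xwitpjooh7ihewyyzeux7aqmw2"

# RFC 6238 Appendix B reference secret: ASCII "12345678901234567890" in Base32.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_base32_secret(secret: str) -> bytes:
    """Decode an Authenticator secret the way the apps do.

    Secrets are displayed in Base32, sometimes lowercase and sometimes with
    spaces, and the '=' padding is usually omitted. Strip separators,
    upper-case, and re-pad to a multiple of 8 characters before decoding.
    """
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: str, unix_time: int, digits: int = 6, period: int = 30,
            algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP where the counter is floor(unix_time / period)."""
    return hotp(normalize_base32_secret(secret), unix_time // period, digits, algorithm)


def totp_now(secret: str, **kwargs) -> str:
    """The value an Authenticator app shows right now; this is what the test types in."""
    return totp_at(secret, int(time.time()), **kwargs)


def verify_totp(secret: str, submitted: str, unix_time: int, window: int = 1, **kwargs) -> bool:
    """Server-side style check: accept the code for +/- `window` time steps of clock
    drift, comparing in constant time so timing does not leak the expected value."""
    period = kwargs.get("period", 30)
    for step in range(-window, window + 1):
        candidate = totp_at(secret, unix_time + step * period, **kwargs)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Same thing the article's C# and Java snippets compute, for the same secret.
    print("2FA code for the sample secret right now:", totp_now(PAGE_SAMPLE_SECRET))
```

Because the secret is exactly the credential the Authenticator app holds, the test suite should read it from the CI system's secret store or an environment variable rather than committing it next to the test code; the hard-coded string above is only there to mirror the article's snippet.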

Full set of sample code in C#

You can get the full set of C# sample code from the following GitHub repository.

https://github.com/sample-by-jsakamoto/Selenium-E2ETest-for-OTP2FAAuth

[demo movie]

This repository also includes a sample web site app as the test target.

The sample web site app is also provided as a Docker image in the following repository.

https://hub.docker.com/r/samplebyjsakamoto/otp2faauthwebappdemo/

Conclusion

There is no need to be afraid of Selenium end-to-end testing of a 2FA web site.

You can easily implement a test program that generates the 2FA code inside itself with these very useful libraries.

Happy testing :)

Posted by jsakamoto (@j_sakamoto)

Microsoft MVP for Visual Studio and Development Tech. (prefer C#, .NET Core, ASP.NET Core, Azure Web Apps, TypeScript, and Blazor WebAssembly App!)

Discussion


Dear jsakamoto,

Thanks for your code.

However, when I apply the code below, I'm unable to log in to AWS. Can I request you to kindly help me a bit more on this, please?

import org.jboss.aerogear.security.otp.Totp;
...

String otpKeyStr = "6jm7n6xwitpjooh7ihewyyzeux7aqmw2"; // <- this is the 2FA secret key.

Totp totp = new Totp(otpKeyStr);
String twoFactorCode = totp.now(); // <- you get the 2FA code at this time!

I am able to generate the MFA code, but when it is inserted into the AWS MFA page using Selenium, it throws an incorrect credentials error.

Do we need to register our AWS account with aerogear first?

Kindly suggest.

Thanks in advance!

Regards
Amit

 

Ok, I'll try to reproduce and resolve your problem.

But since I'm busy for a few weeks, my response will be late.

 

Hi, thanks for your response!

A few weeks!! Oh okay... I was actually working on it but unable to proceed further.

I'll be waiting for your response. I request you to kindly reply at your earliest convenience. Meanwhile, if you have any suggestion which I can look into, kindly suggest. Thanks very much for your beautiful support!!

I could compute the MFA code for my AWS account with that Java sample code.

Question: Did you replace the "2FA secret key" row of the sample source code with your own MFA secret key?

See also: gist.github.com/jsakamoto/54f77ae1...

You should capture the MFA secret key of your AWS account during the steps for enabling MFA.

In the sample case above, the sample code should be as below.

String otpKeyStr = "B7NLNKSUKGDLE3P5TCF6X2VCA6UWEK7IPPO4BNMQMF4S4TICWTIX76SVXNXCGTBT"; // <- this 2FA secret key.
 


Hi jsakamoto, we are getting a QR code URL from a 3rd party without having any secret key, nor do they give any option to convert it to a secret key. Is there any way I can convert the QR code to a secret key? Otherwise I won't be able to use your code to get authorized.

Please guide.
Thanks!

Java code:

String otpKeyStr = "6jm7n6xwitpjooh7ihewyyzeux7aqmw2"; // secret key

 

Yes, you may be able to do it.

The Java library "ZXing" is useful for decoding QR code images.

"ZXing" is here: github.com/zxing/zxing

Also, you can find many questions and answers about decoding QR code images on Stack Overflow.

I propose to search on Google with the keyword "java how to decode qr zxing site:stackoverflow.com".

 

Logging in and authentication are two challenges to automated testing; in our team we bypass the whole process for simplicity's sake, but I do see the benefit in automating the testing here. Would you create a test user for your e2e tests?

 

Yes, I do.

In some cases, creating (registering) a user account for testing, enabling 2FA, and getting the 2FA secret key are included in our testing scenario.

But in other cases, I think bypassing those processes is the best choice for keeping it simple and stabilizing the tests.

 

Hello Sakamoto,

I accessed the user configuration in MFA (Microsoft), clicked the button to configure the authenticator application and took the 12 digits of the user's secret key, converted it to Base32 and added it to the code in the system, but it is generating a code that is not expected. I cannot identify what is wrong.
Can you help me?

 

I don't know where you got a 12-digit secret key, but Microsoft MFA worked for me with a 16-character secret key. Maybe you provided the wrong value. I got the 16-character Microsoft MFA secret key this way:
1) Go to the MFA setup window as described in this Microsoft documentation:
1.1) Sign in to myapps.microsoft.com.
1.2) Select your account name in the top right, then select profile.
1.3) Select Additional security verification.
2) Click "Set up Authenticator app".
3) Click "Configure app without notifications".
You should see a 16-character secret key value (it contains spaces, but you need to remove them).

 

This doesn't seem to work for the secret taken from the QR code given by Facebook 2 factor. I've gotten this method to work for Google Account 2 factor, but not Facebook.

 

I'm not sure how Facebook 2 factor works. I have no e2e test for Facebook 2 factor.

Could you explain more details of what you ran into?

What did you do, and what did you get as a result?

 

facebook.com/help/270942386330392?...

It works similarly to setting up 2-factor for a Google Account. If you select "Code Generator", they present you with a 2-factor QR code.

In order to get the secret for my Google Account 2-factor, I scanned the Google Account QR code with a QR code scanner and stripped out the secret parameter. This secret worked for the steps in your article.

For Facebook, I tried to do the same thing, but it's not generating the right 2-factor codes, which leads me to believe the secret or the steps or something else is wrong.

I was wondering if you have any insight.
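The comment above pulls the secret out of the scanned QR code by hand. The payload of an Authenticator QR code is an otpauth:// key URI, and besides the secret it can carry algorithm, digits and period parameters; when a site sets any of these to a non-default value, the generator must be given the same values or its codes will not match. Here is an added example (my own code, not part of this thread) that parses such a URI with Python's standard library and returns exactly the parameters a TOTP generator needs. The URIs used in the usage section are constructed, and JBSWY3DPEHPK3PXP is a documentation-style demo secret, not a real account's.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Defaults used by Authenticator apps when the URI omits the parameter.
DEFAULT_ALGORITHM = "SHA1"
DEFAULT_DIGITS = 6
DEFAULT_PERIOD = 30


def parse_otpauth_uri(uri: str) -> dict:
    """Parse otpauth://TYPE/LABEL?PARAMS (the text encoded in a 2FA QR code).

    Returns the secret (normalized to upper-case Base32 without spaces) together
    with the issuer, account, algorithm, digits and period that a TOTP/HOTP
    generator must use. Raises ValueError on anything that is not a valid key URI.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError(f"not an otpauth URI: scheme={parsed.scheme!r}")
    otp_type = parsed.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type: {otp_type!r}")

    # Label is "Issuer:account" or just "account", percent-encoded.
    label = unquote(parsed.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")

    # parse_qs yields lists; a key URI carries each parameter once.
    params = {key: values[0] for key, values in parse_qs(parsed.query).items()}
    if "secret" not in params or not params["secret"].strip():
        raise ValueError("key URI has no secret parameter")

    info = {
        "type": otp_type,
        "account": account.strip(),
        # The explicit issuer parameter wins over the label prefix when both exist.
        "issuer": params.get("issuer", issuer_from_label).strip(),
        "secret": params["secret"].replace(" ", "").upper(),
        "algorithm": params.get("algorithm", DEFAULT_ALGORITHM).upper(),
        "digits": int(params.get("digits", DEFAULT_DIGITS)),
        "period": int(params.get("period", DEFAULT_PERIOD)),
    }
    if otp_type == "hotp":
        # Counter-based OTP has no time step; the URI must supply the starting counter.
        if "counter" not in params:
            raise ValueError("hotp URI requires a counter parameter")
        info["counter"] = int(params["counter"])
    return info


if __name__ == "__main__":
    # Constructed example of what a QR scanner hands back for a non-default setup.
    demo = ("otpauth://totp/Example%20Corp:alice%40example.com"
            "?secret=jbswy3dpehpk3pxp&issuer=Example%20Corp"
            "&algorithm=SHA256&digits=8&period=60")
    print(parse_otpauth_uri(demo))
```

The returned `secret` is what goes into `new Totp(...)` in the article's snippets; if `algorithm`, `digits` or `period` differ from the defaults, they have to be passed to the generator as well, since a library constructed with only the secret assumes SHA1, 6 digits and 30 seconds.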

 

Hello, I used totp.now for my automation code. It was working fine for signing in, but as soon as I changed to the updated ChromeDriver 76, the OTP part stopped working. The authentication is wrong now. Any feedback? Is there any relationship between the ChromeDriver version and TOTP?

public static String getotp(String secretkey) {
    // String secretkey = "6BSLNLLRH7HLJFMM"; // <- this is the 2FA secret key.

    Totp totp = new Totp(secretkey);
    return totp.now();
}
 

My understanding is that there is no relationship between TOTP computation and Selenium WebDriver.

I guess your problem is caused by your test code becoming incompatible with the test target web site.

 

Hi Jsakamoto, can I use this code in Cypress?

 

Hi jsakamoto,

Thanks for the code.

Can you please help me with the code to automate 2FA using JavaScript?

Thanks.

Regards,
Zisu Kumar

 

How do you bypass MFA in Azure Active Directory?

 

Unfortunately, I couldn't answer this question because I'm not familiar with MFA in Azure Active Directory.

If I have a chance, I'll try to resolve your question, since I'm also interested in it; however, I cannot promise it.

 

Hi Joel, how do you bypass logging in and authentication? For me it's asking for Google authentication, and it would be helpful if you share the code to bypass Google login and 2FA. Thanks in advance.

 

This is a very, very helpful topic for automation testing, and thanks for this, jsakamoto!

Just one question before I download.

Is this NuGet package safe? Is it just doing everything on our local machine? How can we be sure the package is not collecting the secret key and sending it over the internet to someone?

 

I'm not sure about it at this time, but we can inspect whether the "Otp.NET" NuGet package is safe or not.

You can download the "Otp.NET" NuGet package file ("otp.net.1.2.0.nupkg") manually from the nuget.org site.
(Find the "Download Package" link on the right side of the "nuget.org/packages/Otp.NET/" page.)

A NuGet package file is actually a simple zip file, so you can change the extension of the package file from ".nupkg" to ".zip" and extract it to get the .dll file.

After you get the .dll file, you can decompile it into C# source code using ILSpy (clickonceget.azurewebsites.net/app...) or some other tool.

So you can inspect what "Otp.NET" does.

Another way: you can access the "Otp.NET" GitHub repository (github.com/kspearrin/Otp.NET), get the source code, and build "Otp.NET" yourself from that source code.

Lastly, the work that "Otp.NET" does is not so difficult, therefore you can implement the MFA code calculation program yourself from scratch.

To repeat, I'm not sure whether the "Otp.NET" NuGet package is safe or not.
Please make the decision on your own responsibility.