Automating Multi-Factor Authentication: Time-Based One-Time Passwords

Two days ago marked my two years with Rapid7. It has been a fantastic adventure, and I’m quite excited to celebrate today by enabling automated time-based one-time password (TOTP) authentication for our AppSec customers. For those of you who used to wake up at 2 a.m. to bootstrap a scheduled scan that requires multi-factor authentication (MFA), we can celebrate with some shut-eye!


Multi-factor authentication


When logging in to a web application, you are usually asked to present a username and a password. This is considered “one-factor” authentication: the username/password combination alone is what authenticates you to the application.


Because passwords can be lost or stolen, multi-factor authentication was developed (often called “MFA,” “2FA,” or “two-factor authentication”).


MFA adds an additional step to your login, such as presenting a hardware key, receiving a text message, or typing in a code from an app on your phone. Today, we’re going to discuss the phone app model.


Time-based one-time password


Often called TOTP, this is simply a code that you enter after logging in. Every few seconds the code expires and cannot be used to log in again. The code is generated from a shared secret and your system’s clock. Only you and the website you’re logging into know the secret, so nobody else can generate these codes (unless you leak the secret!)


Tools we’ll use today


Rapid7’s Pen Testing Extension: A tool we use with InsightAppSec to enable recording “macros,” an extensible authentication tool used to allow scanning of your applications.
AuthenticationTest.com: A playground of sorts for practicing automated authentication (such as MFA, drop-down fields, ..
