Automating Multi-Factor Authentication

Some web apps you are testing may request a short code from an authenticator app as part of the login process. Microsoft Authenticator and Google Authenticator are the most commonly used authenticator applications, but there are others.

You can configure a third-party service as the code provider when creating an AIQ test designer script, so that the script can automate test use cases for such an application.

The third-party service currently supported by AIQ is passwordstate. For more information see passwordstate.

Configure the Authentication Code in the Application

These steps involve creating a new user in the application you are testing and setting up MFA authentication with passwordstate. The following example shows Microsoft Authenticator and passwordstate.

In a real situation some of these screens would normally show user details such as email addresses or phone numbers. The following example shows generic screens.

  1. Any time you try to log in, you are presented with an MFA option to verify your identity.

  2. Select “I can’t use my Microsoft Authenticator app right now”.

  3. On the Add a method screen, select an Authenticator app as the new method.

  4. Select “I want to use a different authenticator app”.

  5. The Authenticator app presents you with a QR code. Scan the code with the app for passwordstate.

  6. Enter the code that the app gives you in the One-Time Password Authenticator details.
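
Authenticator-app QR enrollment normally follows the standard time-based OTP scheme (RFC 6238): the QR code in step 5 encodes an otpauth:// URI whose secret is enough to compute every future code, so the store that holds it needs the same protection as the account. The following is an added example, not Appvance or passwordstate code; it assumes that standard scheme, the function names are hypothetical, and the URI is constructed (its secret is the published RFC 6238 test key).

```javascript
const crypto = require('crypto');

const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Decode the base32 "secret" parameter of an otpauth:// URI into key bytes.
function base32Decode(text) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of text.toUpperCase().replace(/[\s=]/g, '')) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error('invalid base32 character in secret');
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// Parse the enrollment URI carried by the QR code (defaults per common practice).
function parseOtpauth(uri) {
  const u = new URL(uri);
  const p = u.searchParams;
  if (u.protocol !== 'otpauth:' || u.hostname !== 'totp' || !p.get('secret')) {
    throw new Error('not a TOTP enrollment URI');
  }
  return {
    key: base32Decode(p.get('secret')),
    digits: Number(p.get('digits') || 6),
    period: Number(p.get('period') || 30),
    algorithm: (p.get('algorithm') || 'SHA1').toLowerCase(),
  };
}

// Code for a given Unix time plus the seconds left before it rolls over.
function totp(cfg, unixSeconds) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / cfg.period)));
  const mac = crypto.createHmac(cfg.algorithm, cfg.key).update(msg).digest();
  const off = mac[mac.length - 1] & 0x0f; // dynamic truncation, RFC 4226
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  const code = String(bin % 10 ** cfg.digits).padStart(cfg.digits, '0');
  return { code, secondsLeft: cfg.period - (Math.floor(unixSeconds) % cfg.period) };
}

// Constructed enrollment URI; the secret is the published RFC 6238 test key.
const SAMPLE_URI = 'otpauth://totp/Example:qa-user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example';
console.log(totp(parseOtpauth(SAMPLE_URI), Date.now() / 1000));
```

The secondsLeft value shows how soon a code rolls over, which is why a test script should request the code immediately before submitting it.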

Logging in with the One-Time Password Code

The OTP code generated by passwordstate can be fetched using a REST API call triggered from your test script. The response will contain the code which can be used to complete the authentication process in the test designer script.

  1. Log in to your security portal and remove your current device.

  2. Log in using the OTP.

  3. Successful login.

  4. You may need to verify the account, but only at the first login. Subsequent logins should not require account confirmation.

Getting a Password

To get a password, you must make an API call that can be executed from a JS script.

# Configuration
API_URL="https://client-passwords.appvance.net/api/onetimepassword/<item>"
API_KEY="API_KEY"

# Make API request using curl
curl -s -H "APIKey: $API_KEY" "$API_URL"

Appvance will create a passwordstate for clients, which will have a different URL. Contact Appvance Support to have Appvance whitelist your IP address and set up an OTP in passwordstate.