How TOTP based Two-factor Authentication Works With Web Applications?
To record a simulation on a web site where TOTP based authentication is used for user authentication for e.g., Microsoft O365 integrated with Microsoft Azure Active Directory, then, you need to follow the steps below:
-
Register for access to the web application
-
Obtain the secret key from your application
-
Choose any authenticator app that supports TOTP: Google Authenticator, Microsoft Authenticator, etc.
-
Add your secret key or scan the QR code and provide this to your authenticator app
-
TOTP codes from your authenticator app can be used to login to your web application where you are recording the simulation.
Generating Secret Key for TOTP based User Authentication
In order to generate a secret key from the web application that is enabled with TOTP-based user authentication during simulation for e.g., Microsoft O365 integrated with Microsoft Azure AD, then, you need to register the web app simulation endpoint as an "application" to generate OATH Soft token in Microsoft Azure AD.
Registering the Web App Simulation Endpoint as an Application to generate OATH Soft token in Microsoft Azure AD
Prior to registering the web app simulation endpoint, you need to download and install an Authenticator App ( for e.g., Microsoft Authenticator, Google Authenticator etc.) on your mobile from Android Play Store or Apple Store based on the operating system of your mobile.
If the user who is authorized to perform web app simulation belongs to Microsoft Azure Active Directory, then, you may need to follow the steps mentioned below to register the web app simulation endpoint and generate a secret key/code.
-
Log in to the URL: https://<Fully Qualified Domain Name of Microsoft Office 365 site in your environment>/securityinfo with the credentials of the user who is authorized to perform web app simulation. Figure 1 then appears.
-
In Figure 1, click the Add method. This will invoke the Add a method pop up window as shown in Figure 2.
-
In Figure 2, choose Authenticator App from Which method would you like to add? drop-down list and click the Add button. Figure 3 then appears.
-
In Figure 3, click the I want to use a different authenticator app link and click the Next button. This will start setting up the account for the authenticator app.
Figure 4 : Setting up your account for a different authenticator app
-
Clicking the Next button in Figure 4 will reveal the QR code and secret key as shown in Figure 5. Ensure that you note down this secret key as this should later be provided as an input to the web app simulator that is recording the transaction.
Figure 5 : QR code and secret key displayed for the registered endpoint
-
Clicking the Next button will lead you to Figure 6 where you will be required to enter the passcode generated on your Authenticator App. This is an additional layer of security that is required for registering the web app simulation endpoint. In our example, to generate the passcode, the QR code/Secret Key shown in Figure 5 is scanned using/entered in the Microsoft Authenticator App.
Figure 6 : Authenticating the user credentials with a passcode from the Authenticator App
-
Once the code is specified in Figure 6, clicking the Next button will ensure that your web app simulation endpoint is successfully registered as shown in Figure 7.
Figure 7 : A message stating that the web app simulation endpoint registration is successful
- Once the web app simulation endpoint registration is successful, you are required to set the Authenticator App as the default sign in method in your Microsoft Office 365 account. For this, you need to navigate to the Security Info page and click the Change link against the Default sign-in method: label (see Figure 8).
-
The Change default method pop up window will then be invoked. Here, select the Authenticator app or hardware token - code option from the Which method would you like to use to sign in? list.
- Clicking the Confirm button will ensure that your web app simulation endpoint is registered and is ready for monitoring.
How to Configure TOTP in Web App Simulation Recorder?
For user authentication, you need to configure the secret key in the Web App Simulation Recorder. For this, do the following:
-
First, you need to record an Activity by choosing StoreMFAToken (TOTP) from the Activity drop-down list in Adding the StoreMFAToken(TOTP) activity.
-
Then, specify the secret key obtained in Step 5 as an input in the Target field to generate the TOTP passcode. Also, specify the name of the variable that is used to store the TOTP passcode in the Value field.
-
Now, you should add a Type activity (see Figure 10) which when included will automatically type the TOTP passcode. For this, you need to provide the location (XPath) of the element in which the TOTP passcode is to be typed in the Target field. Similarly, in the Value field, specify the stored variable name in @{<Stored-Variable-name>} format to access the passcode to be typed in Target location.
-
Once both these activities are successfully added, during playback, the Web App Simulator automatically generates the TOTP using the secret key and current time, and provides this along with user credentials. The generated TOTP is used as a soft token/passcode for user authentication during simulation process (see Figure 11).