Medior: Use 2FA and UI test automation

Secure Handling of 2FA during UI Automated Tests

Time-Based One-Time Passwords (TOTP) have become essential in enhancing security, especially in systems that employ two-factor authentication (2FA). TOTP provides a temporary code that users must enter within a limited time frame to verify their login attempt. However, as secure as TOTP is, it presents challenges in automated testing environments where login actions need to be replicated.

Understanding the Security Risks

It’s essential to be aware of potential security risks when using TOTP in testing:

  1. Personal Accounts: Never use your personal TOTP token or account within a testing context. Any unintended exposure of this token (in a repository, a CI log or a test report) can give malicious actors access to your real accounts.

  2. Secret Storage: The key responsible for generating the TOTP should always be securely stored. Embedding these keys directly into the code or leaving them in plain-text configuration files can lead to unauthorized access if compromised.

Best Practices

To address the above risks, it’s recommended to:

  1. Use Service Accounts: Always opt for service accounts specifically tailored for testing. Such accounts should possess restrictive permissions and shouldn’t be granted access to production or confidential data.

  2. Secure Storage Solutions: Use secure solutions like AWS Secrets Manager or equivalent platforms to ensure the secret keys are encrypted and only available to those with the right permissions.

Code Example using TOTP-generator

For those using JavaScript within a Cypress testing environment, here's how the totp-generator npm package can be used:

First, fetch and store the secret key at enrolment time: do not scan the QR code with your phone, but write down the base32 secret that the enrolment page shows instead (in this example LNUI4IEWHCHIFTRA, which no longer exists). Then use one of the various npm packages (in JavaScript)
to generate the current code from that secret.

const totp = require("totp-generator");

describe('Login Test with TOTP', () => {
    it('should successfully log in using TOTP', () => {
        // Base32 secret of the test service account, injected at runtime
        // (e.g. exported as CYPRESS_TOTP_SECRET after fetching it from
        // AWS Secrets Manager); never hard-code it. An enrolment page shows a
        // value of the form LNUI4IEWHCHIFTRA.
        const secret = Cypress.env('TOTP_SECRET');
        // totp-generator derives the current 6-digit code from the secret
        // and the system clock (default 30-second step)
        const token = totp(secret);

        cy.visit('https://your-login-website.com');
        cy.get('#usernameField').type('TestAccountUsername');
        cy.get('#passwordField').type('TestAccountPassword');
        cy.get('#totpField').type(token);
        cy.get('#submitButton').click();
    });
});

Ensure that your secret key is not hardcoded and is retrieved from a secure location before running the test.

Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=ralphvanderhorst
