How to set up 2FA with TOTP for a target with a login form

Two-factor authentication (2FA) strengthens authentication with an additional layer of security that requires presenting an extra piece of evidence (the possession factor) to the authentication mechanism of a web app. To obtain the possession factor, you can use an authenticator such as Google Authenticator, 1Password, Authy, or Microsoft Authenticator, which generates a short code that changes frequently. This temporary code is called a Time-based One-time Password (TOTP).

When a target has a login form with 2FA enabled, you can configure the target so that Probely can authenticate and scan areas reserved for authenticated users only.

Step 1: Set up the target authentication with a login form

First, you must ensure the target authentication with a login form is enabled. For that, follow the tutorial on how to set up target authentication with a login form.

Step 2: Get the 2FA configuration

Before enabling 2FA in the target, you need to collect the following configuration information from your 2FA setup:

  • The seed/secret - Probely needs it to generate the TOTP code.
  • The CSS selectors - Probely needs them to identify the TOTP code input field and the submit button in the 2FA form to submit the generated TOTP code.

For more information, read the section Obtain the 2FA Configuration in the article on how to set up Target 2FA with TOTP.

Step 3: Enable 2FA in the target authentication

With the login form set up, the seed/secret, and the CSS selectors, you can enable 2FA for the target authentication by setting the following information in the target:

  • Enable 2FA with TOTP ("has_otp":true).
  • Your seed/secret (in "otp_secret").
  • The CSS selector of the TOTP code input field in your 2FA form (in "otp_field").
  • The CSS selector of the submit button in your 2FA form (in "otp_submit").

In this request, we use an existing target with the identifier 2oir9t8RKxdr and the following values:

  • The seed/secret: MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6.
  • The CSS selectors:
    • TOTP code input field: #totpcode.
    • Submit button: #totpsubmit.
Request

curl 'https://api.probely.com/targets/2oir9t8RKxdr/' \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H 'Authorization: JWT <YOUR_API_TOKEN>' \
  -d '{
    "site": {
      "has_otp": true,
      "otp_secret": "MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6",
      "otp_field": "#totpcode",
      "otp_submit": "#totpsubmit"
    }
  }'

The response will return the target updated with the 2FA with TOTP configuration.

Response

{
  "id": "2oir9t8RKxdr",
  "site": {
    "id": "UYzh6mLxffx9",
    "name": "My example",
    "desc": "",
    "url": "http://example.com",
    "host": "example.com",
    "has_form_login": true,
    ...
    "has_otp": true,
    "otp_secret": "MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6",
    "otp_algorithm": "SHA1",
    "otp_digits": 6,
    "otp_field": "#totpcode",
    "otp_submit": "#totpsubmit",
    ...
  },
  ...
}

Notice that the response includes two more 2FA properties:

  • otp_algorithm
  • otp_digits

We didn't send them in the request because Probely defaults them to the most common configuration: the SHA1 hash algorithm and 6-digit TOTP codes, respectively.
However, if your 2FA uses another hash algorithm or number of digits, you can include these properties in the request to match your specific setup. For more details, check the API reference documentation on the Partial Update Target endpoint.
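The example below is added to this page and is not Probely's own implementation. It shows what otp_secret, otp_algorithm and otp_digits mean in practice: it decodes a base32 seed, computes the RFC 6238 TOTP code exactly as an authenticator app would, and builds the body of the PATCH request above, rejecting a malformed seed before the target is updated. The seed and CSS selectors are the sample values from this page; the function names and the RFC test vector used in the comments are this example's own.

```python
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional

# Sample values from this page's example request (constructed for the example).
EXAMPLE_SECRET = "MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6"
EXAMPLE_FIELD = "#totpcode"
EXAMPLE_SUBMIT = "#totpsubmit"

# Hash algorithms TOTP implementations commonly support; SHA1 is the default here.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(secret: str) -> bytes:
    """Decode a base32 seed as shown on most 2FA setup screens.

    Authenticator apps tolerate lower case, spaces, dashes and missing '='
    padding, so normalise first; anything that is still not base32 raises.
    """
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8
    return base64.b32decode(cleaned, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    digestmod = ALGORITHMS[algorithm.upper()]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at_time: Optional[int] = None, digits: int = 6,
         algorithm: str = "SHA1", period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(decode_secret(secret), at_time // period, digits, algorithm)


def build_patch_body(secret: str, field: str, submit: str,
                     digits: int = 6, algorithm: str = "SHA1") -> dict:
    """Build the JSON body of the PATCH request, validating the seed first."""
    decode_secret(secret)  # raises on a malformed seed before anything is sent
    if algorithm.upper() not in ALGORITHMS:
        raise ValueError(f"unsupported otp_algorithm: {algorithm}")
    site = {"has_otp": True, "otp_secret": secret,
            "otp_field": field, "otp_submit": submit}
    # Only send the optional keys when they differ from the documented defaults.
    if algorithm.upper() != "SHA1":
        site["otp_algorithm"] = algorithm.upper()
    if digits != 6:
        site["otp_digits"] = digits
    return {"site": site}


if __name__ == "__main__":
    print(json.dumps(build_patch_body(EXAMPLE_SECRET, EXAMPLE_FIELD, EXAMPLE_SUBMIT), indent=2))
    print("current code for the example seed:", totp(EXAMPLE_SECRET))
```

Comparing the code printed for the example seed with the one your authenticator app shows for the same seed is a quick way to confirm that the seed, algorithm and digit count you are about to send in the request are the ones your 2FA form actually expects.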

Now, with 2FA with TOTP set up, Probely scans of your target can reach the restricted areas meant for 2FA-authenticated users only.