
How to set up 2FA with TOTP for a target with a login sequence

Two-factor authentication (2FA) adds a second layer to authentication: besides the password, the user must present an extra piece of evidence (the possession factor) to the web app's authentication mechanism. The possession factor is usually a code produced by an authenticator app such as Google Authenticator, 1Password, Authy, or Microsoft Authenticator. The code is not random: it is derived from a secret shared with the application and the current time, so it changes on a fixed schedule (typically every 30 seconds) and is only valid for a short window. This short-lived code is called a Time-based One-time Password (TOTP).

When a target has a complex login flow with 2FA enabled, you can configure the target so that Probely can authenticate and scan areas reserved for authenticated users only.

Step 1: Set up target authentication with the 2FA login sequence

In this step, record the login sequence including the 2FA step, and take note of the TOTP value you typed during the recording (you will need to send it to Probely in Step 3). Then set up the target authentication with the newly recorded 2FA login sequence, following the tutorial on how to set up target authentication with a login sequence.

Step 2: Get the 2FA configuration

To enable 2FA in the target, you need the seed/secret of the authenticator you enrolled for the scanning account (the base32 key shown, or encoded in the QR code, when 2FA was set up). Treat this secret as a credential: anyone who holds it can generate valid codes for that account, so enroll a dedicated scanning account rather than a personal one.
For more information, read the section Obtain the 2FA Configuration in the article on how to set up Target 2FA with TOTP.

Step 3: Enable 2FA in the target authentication

With the 2FA login sequence set up, the TOTP value you used during the recording, and the seed/secret, you can enable the 2FA login sequence for the target authentication by setting the following information in the target:

  • It has 2FA with TOTP enabled ("has_otp":true).
  • Your seed/secret (in "otp_secret").
  • Your TOTP value (in "otp_login_sequence_totp_value").

In this request, we use an existing target with the identifier 2oir9t8RKxdr, and the following values:

  • The seed/secret: MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6.
  • The TOTP value: 123456.

Request
curl 'https://api.probely.com/targets/2oir9t8RKxdr/' \
-X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-d '{
"site":{
"has_otp":true,
"otp_secret": "MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6",
"otp_login_sequence_totp_value": "123456"
}
}'

The response will return the target updated with the 2FA with TOTP configuration.

Response
{
"id": "2oir9t8RKxdr",
"site": {
"id": "UYzh6mLxffx9",
"name": "demo.testfire.net",
"desc": "",
"url": "http://demo.testfire.net",
"host": "demo.testfire.net",
...
"has_sequence_login": true,
...
"has_otp": true,
"otp_secret": "MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6",
"otp_algorithm": "SHA1",
"otp_digits": 6,
"otp_login_sequence_totp_value": "123456",
...
},
...
}

Notice that the response contains two more 2FA properties:

  • otp_algorithm
  • otp_digits

We did not send them in the request because Probely defaults them to the most common configuration: SHA1 as the hash algorithm (TOTP uses SHA1 inside an HMAC; it is a hash function, not an encryption algorithm) and 6-digit codes.
If your authenticator was enrolled with a different hash algorithm or number of digits, send otp_algorithm and otp_digits in the same request so that the codes Probely generates match what the application expects; with a mismatched algorithm or digit count, every generated code is rejected at login. For more details, check the API reference documentation on the Partial Update Target endpoint.
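Before PATCHing the secret into the target, it is worth confirming that the seed/secret you copied actually produces the same codes as the authenticator app. The following script is an added example, not Probely's code: it derives the TOTP from a base32 seed the way an authenticator does (RFC 6238 on top of HOTP/RFC 4226), and builds the request body from the fields shown in this article. The field names are the ones from the request above; the input validation, the `decode_secret` normalisation, and the assumption that other algorithms are named "SHA256"/"SHA512" in `otp_algorithm` are mine, not taken from the API reference.

```python
"""Added example (not Probely's code): derive a TOTP from the seed/secret and
build the PATCH body for enabling 2FA on a target.

Run it, compare the printed code with the authenticator app, and only then
send the body to the Partial Update Target endpoint.
"""
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional

# Hash functions used inside the HMAC. "SHA1" is Probely's default; the other
# two names are an assumption about what otp_algorithm accepts.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(secret: str) -> bytes:
    """Base32-decode an authenticator seed.

    Seeds copied from enrolment screens are often lowercase, grouped with
    spaces, and missing '=' padding; normalise all of that before decoding.
    Raises binascii.Error if the seed is not valid base32.
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at: Optional[float] = None, digits: int = 6,
         algorithm: str = "SHA1", step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(decode_secret(secret), int(now // step), digits, algorithm)


def build_patch_body(secret: str, recorded_code: str, digits: int = 6,
                     algorithm: str = "SHA1") -> dict:
    """Body for PATCH /targets/{id}/ using the fields shown in the article.

    otp_algorithm and otp_digits are only included when they differ from
    Probely's SHA1 / 6-digit defaults. Validation is added here so a typo in the
    seed or in the recorded code is caught before the target is updated.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    decode_secret(secret)  # fail early on a seed that is not valid base32
    if not (recorded_code.isdigit() and len(recorded_code) == digits):
        raise ValueError(f"recorded code must be {digits} digits, got {recorded_code!r}")
    site = {
        "has_otp": True,
        "otp_secret": secret,
        "otp_login_sequence_totp_value": recorded_code,
    }
    if algorithm != "SHA1":
        site["otp_algorithm"] = algorithm
    if digits != 6:
        site["otp_digits"] = digits
    return {"site": site}


if __name__ == "__main__":
    # Values from the article; in practice the seed comes from your authenticator enrolment.
    SECRET = "MMBRPBXMGXQNVDTA6CK4XAIQTY7NFWH6"
    RECORDED_CODE = "123456"
    # Compare this with the authenticator app before enabling 2FA on the target.
    print("current TOTP:", totp(SECRET))
    print(json.dumps(build_patch_body(SECRET, RECORDED_CODE), indent=2))
```

If the printed code does not match the app, the seed was copied wrongly or the account was enrolled with a non-default algorithm or digit count; fix that first, because Probely generates codes from exactly these parameters at scan time.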

With TOTP 2FA configured, Probely scans of your target can now reach the restricted areas meant for 2FA-authenticated users only.