How to Automate MFA Authentication
The Problem
As you know, MFA (Multi-Factor Authentication) and 2FA (Two-Factor Authentication) are widely used to secure mobile apps and web applications, which is a good thing.
However, when it comes to test automation, scenarios that require MFA quickly become complicated. Over the years, I’ve seen teams using various methods to work around this issue, such as creating specific accounts without MFA, filtering by IP addresses or MAC addresses, using special tokens, and more. These workarounds exist because automating MFA isn't straightforward.
So, how can we address this challenge today?
A Solution
In today’s tip, I’ll share a simple and effective solution. It’s not revolutionary, but it might help some people, depending on their context and technical skills.
Recently, we developed a free service called MailStack, which is mainly for email testing. However, it also includes a useful feature that allows you to create a virtual MFA device.
A virtual MFA device acts like Google Authenticator or similar apps. You can scan an MFA QR code, and the virtual device will start generating valid OTP codes that can be used to automate MFA scenarios.
After creating the virtual device and setting up an access token, you can retrieve OTP codes via a simple REST API.
All you need to do is make a simple GET request to the following URL:
https://mailstack.expandtesting.com/api/mfa/otp?apikey={apikey}&deviceid={deviceid}
Where apikey is your API key (which you can define on the MailStack platform) and deviceid is the ID of the virtual device.
You’ll end up with a URL like this:
https://mailstack.expandtesting.com/api/mfa/otp?apikey=3d1ff0e394089b76bb887&deviceid=8446c7
The response will look something like this:
{
  "result": "success",
  "message": "",
  "otp": {
    "code": "251706",
    "expires": 17
  }
}
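As an added example (not code from MailStack or from this article), here is one way a test helper could call the endpoint above and avoid submitting a code that is about to expire. It assumes "expires" is the number of seconds the code stays valid; the environment variable names and the min_validity threshold are hypothetical. The API key travels in the query string, so the helper reads it from the environment and never prints the URL.

```python
import json
import os
import time
import urllib.parse
import urllib.request

BASE_URL = "https://mailstack.expandtesting.com/api/mfa/otp"  # endpoint from the article

def build_url(apikey, deviceid):
    """Build the GET URL; parameters are URL-encoded, not concatenated."""
    return BASE_URL + "?" + urllib.parse.urlencode({"apikey": apikey, "deviceid": deviceid})

def parse_otp(body):
    """Validate the response shape shown in the article; return (code, expires)."""
    data = json.loads(body)
    if data.get("result") != "success":
        raise RuntimeError("OTP request failed: %r" % data.get("message"))
    otp = data["otp"]
    code, expires = str(otp["code"]), int(otp["expires"])
    if not code.isdigit():
        raise ValueError("unexpected OTP format")
    return code, expires

def http_get(url):
    """Default transport: HTTPS GET with a timeout so a test cannot hang."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def get_fresh_otp(apikey, deviceid, min_validity=5, fetch=http_get, sleep=time.sleep):
    """Return a code with at least min_validity seconds left (assumed unit: seconds).

    A code close to expiry can be rejected by the time the test submits it,
    so wait for the next window and fetch once more.
    """
    url = build_url(apikey, deviceid)
    code, expires = parse_otp(fetch(url))
    if expires < min_validity:
        sleep(expires + 1)
        code, expires = parse_otp(fetch(url))
    return code

if __name__ == "__main__":
    # Hypothetical variable names; keep the key out of source control and CI logs.
    print(get_fresh_otp(os.environ["MAILSTACK_API_KEY"], os.environ["MAILSTACK_DEVICE_ID"]))
```

The fetch and sleep parameters exist so the helper can be exercised offline with canned responses.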
Go ahead and try it!
Happy Testing!