How to set up Target 2FA with TOTP

Learn how to set up the scanner to log into targets with Two-Factor Authentication (2FA) using a Time-based One-time Password (TOTP).

Written by Jaime Vasconcelos
Updated over a week ago

Two-factor authentication (2FA) strengthens authentication with an additional layer of security that requires presenting an extra piece of evidence (the factor) to the authentication mechanism of a website or application. To obtain that factor, you can use an authenticator like Google Authenticator, 1Password, Authy, or Microsoft Authenticator, which provides a seemingly random code that changes frequently. This temporary code is derived from a shared secret (the seed) and the current time, and is called a Time-based One-time Password (TOTP).

In Probely, you can scan websites or applications that use 2FA by configuring the Time-based One-Time Password (TOTP) option under the TWO-FACTOR AUTHENTICATION (2FA) section of your target settings.


Probely also allows you to set up 2FA with Other OTP (One-time Password). To learn more about it, read this article on how to set up Target 2FA with an alternative OTP.

After setting up your target authentication with Login Form or Login Sequence, the 2FA configuration with TOTP in Probely involves two steps:

  1. Obtain information on the 2FA configuration of the website or application.

  2. Configure 2FA in Probely for the respective target.

This article describes these steps in detail.

Step 1: Obtain the 2FA Configuration

The configuration of 2FA in Probely requires some information from the 2FA configuration of the website or application, namely:

  1. The 2FA seed / secret.

  2. The CSS selectors (if the Login Form is in use).

  3. The OTP code (if the Login Sequence is in use).

So, first, go to the 2FA configuration of the website or application.

The seed / secret is obtained when the QR Code is displayed to be scanned by the authenticator app installed on the phone (e.g., Google Authenticator, 1Password, Authy, Microsoft Authenticator, etc.).

Obtain the secret in one of the following ways:

  1. The secret is available on the page together with the QR Code.
    For example, GitHub has a link to show the secret.

  2. Use a QR Code scanner app on the phone to scan the QR Code.
    The QR Code link that is obtained contains the secret in it.
    For example: otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

After scanning the QR Code with the authenticator app, it will start providing TOTP codes, allowing you to complete the 2FA configuration for the website or application.
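Before entering the seed in Probely, you can check that the value copied from the page or from the QR Code link produces the same codes as the authenticator app. The following Python sketch is an added example, not Probely's code: it parses an `otpauth://totp/` link and computes the RFC 6238 code. The sample URI and the function names are constructed for illustration, and SHA1, 6 digits and a 30-second period are assumed when the link does not state them.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample URI (label and secret are illustrative, not a real account).
SAMPLE_URI = "otpauth://totp/Example:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def parse_otpauth(uri):
    """Pull the TOTP parameters out of an otpauth://totp/... URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    # Assumed defaults when a parameter is absent: SHA1, 6 digits, 30 s.
    return {
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def decode_secret(secret):
    """Base32-decode a seed, tolerating spaces, lower case and missing padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # raises on invalid Base32


def totp(secret, at=None, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code for the time step containing `at` (Unix seconds)."""
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(decode_secret(secret), struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_from_uri(uri, at=None):
    """Current (or `at`-time) TOTP code for an otpauth://totp link."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["algorithm"], p["digits"], p["period"])
```

Calling `code_from_uri()` with the link from the QR Code should return the same code the authenticator app shows for the current 30-second window; a mismatch usually means the seed was copied incorrectly or the machine's clock is off.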

Now, Probely needs the following information:

  • CSS Selectors (if the Login Form is in use)
    So that Probely can use the TOTP code in the 2FA form, log in to the website or application, and, when the 2FA form requests the TOTP code, obtain the following information:

    • The CSS selector of the input widget of the TOTP code.
      For example, #totp.

    • The CSS selector of the submit button.
      For example, body > form > p:nth-child(3) > button


    Learn more about how to obtain CSS selectors.

  • TOTP code (if the Login Sequence is in use)
    So that Probely can use the TOTP code in a login sequence, record a new login sequence of the website or application with 2FA, and save the TOTP code used for later.

Step 2: Configure 2FA in Probely

With the information obtained in Step 1, configure 2FA in Probely as follows:

  1. Go to the target settings.

  2. Select the AUTHENTICATION tab.

  3. In the TWO-FACTOR AUTHENTICATION (2FA) section, fill out the configuration values:

    1. If the Login Form is in use:
      Fill out the SEED / SECRET and two CSS SELECTOR values on the 2FA form.

    2. If the Login Sequence is in use:
      Fill out the values for SEED / SECRET and OTP CODE (the one saved while recording the login sequence in Step 1).

With this configuration complete, Probely should be able to authenticate with 2FA and scan the target.
