
How to set up Target 2FA with TOTP

Learn how to set up the scanner to log into targets with Two-Factor Authentication (2FA) using a Time-based One-time Password (TOTP).

Written by Ana Pascoal
Updated over a month ago

Two-factor authentication (2FA) strengthens authentication with an additional layer of security: besides the password (something you know), the user must present a second piece of evidence, the possession factor (something you have), to the authentication mechanism of a website or application. The possession factor is usually supplied by an authenticator app such as Google Authenticator, 1Password, Authy, or Microsoft Authenticator, which shows a short code that is valid only for a brief window (typically 30 seconds). The code is not random: it is derived from a secret shared between the app and the site and from the current time, which is why it is called a Time-based One-time Password (TOTP), and why any party holding the same secret, including a scanner, can generate the same codes.

In Snyk API & Web, you can scan websites or applications that use 2FA by configuring the Time-based One-Time Password (TOTP) option under the Two-Factor Authentication (2FA) section of your target settings.


Snyk API & Web also allows you to set up 2FA with Other OTP (One-time Password). To learn more about it, read this article on how to set up Target 2FA with an alternative OTP.

After setting up your target authentication with Login Form or Login Sequence, the 2FA configuration with TOTP in Snyk API & Web involves two steps:

  1. Obtain information on the 2FA configuration of the website or application.

  2. Configure 2FA in Snyk API & Web for the respective target.

This article describes these steps in detail.

Step 1: Obtain the 2FA Configuration

The configuration of 2FA in Snyk API & Web requires some information from the 2FA configuration of the website or application, namely:

  1. The 2FA seed / secret.

  2. The CSS selectors (if the Login Form is in use).

  3. The TOTP code (if the Login Sequence is in use).

Go to the 2FA configuration of the website or application, and follow these steps:

  1. The 2FA seed / secret
    The seed / secret is shown when the QR Code is displayed to be scanned by the authenticator app installed on the phone (e.g., Google Authenticator, 1Password, Authy, Microsoft Authenticator, etc.). Treat it like a password: anyone who obtains it can generate valid codes for the account, so store it only in the target settings and do not paste it into tickets or chat.

    Obtain the secret in one of the following ways:

    1. The secret is available on the page together with the QR Code.
      For example, GitHub has a link to show the secret.

    2. Use a QR Code scanner app on the phone to scan the QR Code.
      The QR Code encodes an otpauth:// URI whose secret query parameter is the seed, base32-encoded.
      For example: otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
      Here the seed is JBSWY3DPEHPK3PXP. If the URI also carries digits, period or algorithm parameters, the site is not using the defaults of 6 digits, 30 seconds and SHA-1; a code is only valid when it is generated with the same parameters.


    After scanning the QR Code with the authenticator app, it will start providing TOTP codes, allowing you to complete the 2FA configuration for the website or application. Because TOTP is deterministic, a scanner configured with the same seed produces exactly the same codes as the app, so both can be used on the one account.

    Depending on which authentication you have configured for your target, follow on to step 2 or 3.

  2. CSS Selectors (if the Login Form is in use)
    Log in to the website or application, and, when the 2FA form requests the TOTP code, obtain the following information:

    • The CSS selector of the input widget of the TOTP code.

      This selector will depend on whether your site uses a single input field for the authenticator code or multiple.

      Use case 1: Single input field

      If the site has one field for the whole code, for instance an input with the id totp, the CSS selector is simply #totp.

      Use case 2: Multiple input fields

      If the site splits the code into one field per digit, prefix the value with split:: and list one selector per field, in order, joined by ::, like so: split::selector-field-1::selector-field-2::selector-field-3::selector-field-4::selector-field-5::selector-field-6

      For fields with the ids otp-digit-1 to otp-digit-6, that is: split::#otp-digit-1::#otp-digit-2::#otp-digit-3::#otp-digit-4::#otp-digit-5::#otp-digit-6

    • The CSS selector of the submit button.
      For example, body > form > p:nth-child(3) > button
      Prefer a selector based on a stable id or name attribute where one exists; a positional selector like the nth-child example above breaks as soon as the layout of the page changes.


    Learn more about how to obtain CSS selectors.

  3. TOTP code (if the Login Sequence is in use)
    So that Snyk API & Web can use the TOTP code in a login sequence, you have to record a new login sequence that includes the 2FA step and update the target login sequence (see How to set up Target Authentication with a Login Sequence).

    During the recording, take note of the TOTP code that you typed: you will enter it in the next step so that Snyk API & Web can tell which value in the recorded sequence is the one-time code. The recorded code itself expires within seconds and cannot simply be replayed.
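
Before pasting the seed from Step 1 into the scanner, it is worth confirming that it produces the same codes as your authenticator app. The following script is an added example, not Snyk API & Web code: it parses the otpauth:// URI shown in item 1 (or accepts a bare seed copied from the page), normalizes the base32 value, and generates the code for the current and neighbouring 30-second steps using the RFC 6238 algorithm. It assumes the defaults common authenticator apps use (HMAC-SHA1, 6 digits, 30-second period) unless the URI says otherwise; the example URI and seed are the ones quoted in the article.

```python
"""Added example (not Snyk's code): check a TOTP seed before saving it.

Parses an otpauth://totp/ URI (or takes a bare base32 seed), normalizes
the seed and generates RFC 6238 codes so the value about to be pasted into
the scanner can be compared with what the authenticator app shows.
Assumes the RFC 6238 defaults (HMAC-SHA1, 6 digits, 30 s) unless the URI
carries digits/period/algorithm parameters.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# The URI quoted in Step 1 of the article (Key URI format example).
EXAMPLE_URI = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def normalize_secret(secret: str) -> str:
    """Upper-case the base32 seed, drop the spaces or dashes some sites insert
    for readability, and pad to a multiple of 8 characters so that the
    standard-library decoder accepts it."""
    s = secret.replace(" ", "").replace("-", "").upper()
    return s + "=" * (-len(s) % 8)


def parse_otpauth_uri(uri: str) -> dict:
    """Pull the seed and generation parameters out of an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": normalize_secret(params["secret"][0]),
        "issuer": params.get("issuer", [None])[0],
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp(secret_b32: str, at_time: Optional[int] = None, digits: int = 6,
         period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP(key, floor(unix_time / period)), truncated to `digits`."""
    key = base64.b32decode(normalize_secret(secret_b32))
    if at_time is None:
        at_time = int(time.time())
    counter = struct.pack(">Q", at_time // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def codes_around(secret_b32: str, at_time: int, window: int = 1, **params) -> List[str]:
    """Codes for the previous, current and next time steps. If the app shows a
    neighbouring code rather than the middle one, the two clocks have drifted."""
    period = params.get("period", 30)
    return [totp(secret_b32, at_time + i * period, **params)
            for i in range(-window, window + 1)]


if __name__ == "__main__":
    cfg = parse_otpauth_uri(EXAMPLE_URI)
    print("value to paste into SEED / SECRET:", cfg["secret"])
    print("codes for previous/current/next step:",
          codes_around(cfg["secret"], int(time.time()), digits=cfg["digits"],
                       period=cfg["period"], algorithm=cfg["algorithm"]))
    # Compare the middle code with the authenticator app before saving.
```

Run it with the real URI (or pass the bare seed to totp()) and compare the middle code with the app; if only the first or last code matches, the host running the script has clock drift, not a wrong seed.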

Step 2: Configure 2FA in Snyk API & Web

With the information obtained in Step 1, configure 2FA in Snyk API & Web as follows:

  1. Go to the AUTHENTICATION tab of the target settings.

  2. If LOGIN FORM is enabled, because you have set up Target Authentication with Login Form, scroll down to the Two-Factor Authentication (2FA) section.

    In the form, do the following:

    1. Tick the checkbox My target requires Two-Factor Authentication (2FA).

    2. Leave the default Time-based One-Time Password (TOTP) selected.
      For the other option, read this article on How to set up Target 2FA using an alternative OTP.

    3. Fill out the SEED / SECRET with the value obtained in step 1.

    4. Fill out the two CSS SELECTORs with the values obtained in step 1.

    5. Click on Save and enable.

  3. If LOGIN SEQUENCE is enabled, because you have set up Target Authentication with Login Sequence, scroll down to the Two-Factor Authentication (2FA) section.

    In the form, do the following:

    1. Tick the checkbox My target requires Two-Factor Authentication (2FA).

    2. Leave the default Time-based One-Time Password (TOTP) selected.
      For the other option, read this article on How to set up Target 2FA using an alternative OTP.

    3. Fill out the SEED / SECRET with the value obtained in step 1.

    4. Fill out the OTP CODE (the one saved while recording the login sequence in step 1).

    5. Click on Save and enable.

With this configuration complete, Snyk API & Web should be able to authenticate with 2FA and scan the target. If the authenticated scan fails, first confirm that the seed you saved produces the same code as your authenticator app, and that the CSS selectors (or the recorded login sequence) still match the current 2FA form of the target.
