How to set up Target Two-Factor Authentication (2FA)

Learn about how to set up the scanner to log into targets protected by Two-Factor Authentication (2FA).

Written by Jaime Vasconcelos
Updated over a week ago

Two-factor authentication (2FA) strengthens authentication with an additional layer of security: the user must present an extra piece of evidence (the factor) to the authentication mechanism of a website or application. To obtain that factor, a third-party authenticator (TPA) provides a random code that changes frequently. This random, temporary code is also known as a one-time password (OTP).

Probely allows configuring 2FA to scan websites or applications with 2FA enabled.

Configuring 2FA in Probely involves two steps:

  1. Obtain information on the 2FA configuration of the website or application.

  2. Configure 2FA in Probely for the respective target.

This article describes these steps in detail.

Step 1: Obtain the 2FA Configuration Information

The configuration of 2FA in Probely requires some information from the 2FA configuration of the website or application, namely:

  1. The 2FA seed / secret.

  2. The CSS selectors (if the Login Form is configured at Probely).

  3. The OTP code (if the Login Sequence is configured at Probely).

So, first, go to the 2FA configuration of the website or application.

The seed / secret is obtained when the QR Code is displayed to be scanned by the TPA app installed on the phone (e.g., Google Authenticator, 1Password, Authy, Microsoft Authenticator, etc.).

Obtain the secret in one of the following ways:

  1. The secret is available on the page together with the QR Code.
    For example, GitHub has a link to show the secret.

  2. Use a QR Code scanner app on the phone to scan the QR Code.
    The QR Code link that is obtained contains the secret in it.
    For example: otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

After scanning the QR Code with the TPA app, it will start providing OTP codes, allowing you to complete the 2FA configuration for the website or application.

Now, Probely needs the following information:

  • CSS Selectors (if the Login Form is configured)
    So that Probely can use the OTP code in the 2FA form, log in to the website or application, and when the 2FA form requests the OTP code, obtain the following information:

    • The CSS selector of the input widget of the OTP code.
      For example, #otp.

    • The CSS selector of the submit button.
      For example, body > form > p:nth-child(3) > button


    Learn more about how to obtain CSS selectors.

  • OTP code (if the Login Sequence is configured)
    So that Probely can use the OTP code in a login sequence, record a new login sequence of the website or application with 2FA, and save the OTP code used for later.

Step 2: Configure 2FA in Probely

With the information obtained in Step 1, configure 2FA in Probely as follows:

  1. Go to the target settings.

  2. Select the AUTHENTICATION tab.

  3. In the TWO-FACTOR AUTHENTICATION (2FA) section, fill out the configuration values:

    1. If Login Form is in use

      Fill out the seed / secret and CSS selectors of the widgets of the 2FA form.

    2. If Login Sequence is in use
      Fill out the seed / secret and the OTP code (the one saved while recording the login sequence in step 1).

With the 2FA configuration complete, Probely should be able to authenticate with 2FA and scan the target.
