Support for MFA logins

Multi factor authentication (MFA) is a layered approach to authentication that requires users to provide two or more forms of identification to log into an application. For example, in addition to entering a password, a user may have to enter a one-time code from an authenticator app on their phone to successfully log in.

Mabl supports automating tests for applications that use the following types of MFA:

• Time-based one-time password (TOTP) authentication
• Email one-time password (OTP) authentication

Time-based one-time password authentication

In an application that uses time-based one-time password (TOTP) authentication, the user provides two forms of authentication:

• A regular password
• An additional temporary code generated from a TOTP authenticator app, such as Google Authenticator, Microsoft Authenticator, or Authy

The temporary code in the authenticator app is only valid for a set period of time, such as 30 seconds. When the code expires, the authenticator app generates a new temporary code.

To learn how to automate a login that uses TOTP authentication, see the article on MFA authenticator login.

Email one-time password authentication

In an application that uses email one-time password (OTP), the user enters their username and password and requests a verification code. The application sends a verification code to the user's registered email address, and the user enters that verification code on the application to finish logging in.

To learn how to automate a login that uses TOTP authentication, see the article on logging in with an email verification code.

📘

MFA limitations

Mabl does not support automating login for apps that use the following:

• Okta Verify QR Codes
• Webauthn
• FIDO, such as USB Yubikeys

SMS 2FA is not supported, but if you are comfortable creating and maintaining JavaScript snippets, you may try this workaround from the mabl snippet repo to implement SMS 2FA: getLatestTwilioSms.js.