Medior: Use 2FA and UI test automation

09.09.2023 | by Ralph Van Der Horst


Secure handling of 2FA during automated UI tests

Time-Based One-Time Passwords (TOTP) have become essential in enhancing security, especially in systems that employ two-factor authentication (2FA). TOTP provides a temporary code that users must enter within a limited time frame to verify their login attempt. However, as secure as TOTP is, it presents challenges in automated testing environments where login actions need to be replicated.

Understanding the Security Risks

It’s essential to be aware of potential security risks when using TOTP in testing:

  1. Personal Accounts: Never use your personal TOTP secret or account within a testing context. The secret is not a one-time value: anyone who obtains it (from a repository, a CI log or a screenshot of the QR code) can generate valid codes for your real account indefinitely.

  2. Secret Storage: The key from which the TOTP codes are generated should always be securely stored. Embedding it directly in the code or leaving it in a plain-text configuration file that ends up in source control means the second factor is worth nothing once that file is compromised.

Best Practices

To address the above risks, it’s recommended to:

  1. Use Service Accounts: Always opt for service accounts specifically tailored for testing. Such accounts should possess restrictive permissions and shouldn’t be granted access to production or confidential data.

  2. Secure Storage Solutions: Use secure solutions like AWS Secrets Manager or equivalent platforms to ensure the secret keys are encrypted and only available to those with the right permissions.

Code example using totp-generator

For those using JavaScript within a Cypress testing environment, here is how the totp-generator npm package can be used:

First, fetch and store the secret key. When enrolling the test account, do not scan the QR code with your phone; take the text form of the secret shown alongside it (in this example LNUI4IEWHCHIFTRA, which no longer exists) and put it in your secret store. One of the various npm packages (in JavaScript) can then turn that secret into the current code:

const totp = require("totp-generator"); // totp-generator 0.x API: totp(secret) returns the current code as a string

describe('Login Test with TOTP', () => {
    it('should successfully log in using TOTP', () => {
        // Never hardcode the secret. Cypress.env() is populated from a
        // CYPRESS_TOTP_SECRET environment variable, which your CI job sets
        // from the secret store (e.g. AWS Secrets Manager). The value is the
        // base32 seed, e.g. LNUI4IEWHCHIFTRA (an expired example).
        const secret = Cypress.env('TOTP_SECRET');
        expect(secret, 'TOTP_SECRET must be supplied via Cypress.env').to.be.a('string').and.not.be.empty;
        const token = totp(secret);

        cy.visit('https://your-login-website.com');
        cy.get('#usernameField').type('TestAccountUsername');
        cy.get('#passwordField').type('TestAccountPassword', { log: false }); // keep credentials out of the command log
        cy.get('#totpField').type(token, { log: false });
        cy.get('#submitButton').click();
    });
});

Ensure that the secret key is not hardcoded: retrieve it from a secure location (a CI secret injected as CYPRESS_TOTP_SECRET, or a cy.task that reads it from AWS Secrets Manager) before the test runs, and keep it out of screenshots, videos and command logs that the test run produces.
