What is MFA/2FA?
MFA and 2FA both mean the same thing: multi-factor authentication. Adding MFA to your site makes it harder for attackers to impersonate your legitimate users by requiring every user to provide not just a password, but also another way of identifying themselves. MFA codes are only valid for 30-60 seconds, so even if an attacker sees your code when you log in, that code does them no good 60 seconds later.
For the rest of this document, we'll use the term MFA.
There are 3 popular MFA techniques:
Email: When the user logs in, the site emails the user a code, and the user must provide that code.
SMS: When the user logs in, the site sends a text message with a code to the user's cell phone, and the user must provide that code.
TOTP: Requires a smartphone. Stands for time-based one-time password.
One-time setup: The user scans a QR code once with an authenticator app (such as Microsoft Authenticator or Google Authenticator). From then on the app generates a new, unique code every 30-60 seconds.
When the user logs in, they must look at this app and provide the current code.
If my site uses MFA, how do I test my site with ObservePoint?
Option 1: Bypass MFA (preferred)
By far the most convenient and effective option is to configure your MFA tool to bypass MFA challenges for ObservePoint.
There are two options to bypass MFA:
Option 1a: Bypass by IP address
Most MFA vendors offer features that allow you to bypass MFA for the IP addresses of automated test systems like ObservePoint. This is one of the reasons ObservePoint uses static IP addresses: you can configure your MFA system to bypass the MFA challenge for ObservePoint IP addresses, which are documented here: https://help.observepoint.com/en/articles/9101465-allow-exclude-observepoint-traffic
How to bypass MFA by IP address for popular vendors:
If your site uses a self-developed MFA system (i.e., there is no vendor), talk to your development team about whether they allow bypassing the MFA system by IP address for automated testing systems.
Option 1b: Bypass by User
Some MFA vendors also allow certain user accounts to bypass MFA. It's common for ObservePoint users to create test accounts on their website. If your vendor allows you to bypass MFA for certain users, this is also an effective solution.
One clue that this will work for your use case: the MFA system prompts the user for their MFA code only after they have provided their username or password. If the MFA system prompts the user before they identify themselves, then you can't use this option. You can bypass by IP address instead (see above).
Option 2: Implement MFA in ObservePoint
This option requires more effort and tends to be less stable than option 1. This is because it doesn't follow the spirit of MFA systems, some of which are intended to identify real human users. ObservePoint is not a human user, so you may encounter friction. With that caveat, read on for options.
Option 2a: Email
This option requires you to set up a real email address that can receive MFA codes. ObservePoint has the ability to integrate with some email systems to receive these codes in audits and journeys. Talk to your ObservePoint success manager about setting this up.
Option 2b: SMS
This option is by far the most challenging. Most programmable SMS vendors (like Twilio) do not want the liability of allowing their customers to build automated systems that can authenticate via MFA through their service. ObservePoint has a list of vendors that work with this requirement. Talk to your ObservePoint success manager about setting this up.
Option 2c: TOTP
This option is the easiest of the three to implement and the most reliable, although it is more technical than the others because it involves writing JavaScript code.
Create pre-audit actions:
Navigate to the login page
Enter the username
Enter the password
Execute JavaScript to generate a TOTP token and enter it: sample code