Using two-factor authentication
Two-factor authentication augments the standard password, the "something you know" factor, with a second factor of one of the following kinds:
- Something you have, such as a one-time passcode (OTP) sent by SMS or email (possession of the phone or mailbox that receives it)
- Something you are, such as a fingerprint, face, or retina scan
While a second factor improves security, it complicates automated scanning of web applications that require it: the scanner must obtain and enter a fresh code each time it logs in.
OpenText engineers have developed a method that enables OpenText DAST and the Event-based Web Macro Recorder to automate the "something you have" factor, that is, one-time passcodes delivered by SMS or email.
How scanning with two-factor authentication works
OpenText DAST includes a Node.js server that you configure as a control center. It processes the SMS and email OTP messages that your application server sends during login. A companion mobile application forwards SMS messages received by the test phone to the control center; email messages are retrieved from the test mailbox over IMAP or POP3. The control center queues the codes and forwards each one to the TruClient browser that needs it for authentication.
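The following is an added illustration of the queuing role the control center plays, written as a small in-memory Node.js module. It is not OpenText's code: the message shape (`id`, `recipient`, `body`), the OTP regex, the expiry window and the sample messages are all assumptions made for the example. A forwarder (phone app or mail poller) calls `receive()`; a browser that has reached the OTP prompt calls `nextCode()` and is handed the oldest fresh code for its phone number or mailbox, or waits until one arrives.

```javascript
// Illustrative OTP control center (added example, not OpenText's implementation).
// Assumptions: forwarded messages look like { id, recipient, body, receivedAt };
// codes are 4-8 digit numbers; codes older than maxAgeMs are discarded.

// Assumption: the application's OTP is a 4-8 digit number. In a real deployment,
// match the application's actual message template so that years, order numbers
// or other digit runs in the same message are not mistaken for the code.
const OTP_PATTERN = /\b(\d{4,8})\b/;

// Extract the OTP from a forwarded SMS or email body; null if there is none.
function extractOtp(body) {
  const m = OTP_PATTERN.exec(String(body));
  return m ? m[1] : null;
}

// Normalize a phone number or email address so that the forwarder and the
// browser agree on the queue key ('+1 (555) 010-0001' -> '+15550100001').
function normalizeRecipient(recipient) {
  const s = String(recipient).trim().toLowerCase();
  return s.includes('@') ? s : s.replace(/[^\d+]/g, '');
}

class ControlCenter {
  constructor({ maxAgeMs = 5 * 60 * 1000 } = {}) {
    this.queues = new Map();  // recipient -> [{ code, receivedAt }]
    this.waiters = new Map(); // recipient -> [handler] (browsers waiting for a code)
    this.seenIds = new Set(); // message ids already processed (e.g. POP3 UIDL)
    this.maxAgeMs = maxAgeMs;
  }

  // Called by the phone app or mail poller. Returns the extracted code, or null
  // when the message is a duplicate or carries no code.
  receive({ id, recipient, body, receivedAt = Date.now() }) {
    if (id !== undefined) {
      if (this.seenIds.has(id)) return null; // re-delivered message, ignore
      this.seenIds.add(id);
    }
    const code = extractOtp(body);
    if (!code) return null;
    const key = normalizeRecipient(recipient);
    const waiters = this.waiters.get(key);
    if (waiters && waiters.length) {
      waiters.shift()({ code, receivedAt }); // a browser is already waiting
      return code;
    }
    if (!this.queues.has(key)) this.queues.set(key, []);
    this.queues.get(key).push({ code, receivedAt });
    return code;
  }

  // Called by the browser when the login page asks for the code. Resolves with
  // the oldest fresh code for the recipient, or rejects after timeoutMs.
  nextCode(recipient, { timeoutMs = 30000, now = Date.now() } = {}) {
    const key = normalizeRecipient(recipient);
    const q = this.queues.get(key) || [];
    while (q.length && now - q[0].receivedAt > this.maxAgeMs) q.shift(); // stale
    if (q.length) return Promise.resolve(q.shift().code);
    return new Promise((resolve, reject) => {
      const handler = ({ code }) => { clearTimeout(timer); resolve(code); };
      const timer = setTimeout(() => {
        const ws = this.waiters.get(key) || [];
        const idx = ws.indexOf(handler);
        if (idx >= 0) ws.splice(idx, 1);
        reject(new Error(`no OTP for ${key} within ${timeoutMs} ms`));
      }, timeoutMs);
      if (!this.waiters.has(key)) this.waiters.set(key, []);
      this.waiters.get(key).push(handler);
    });
  }
}

// Constructed sample messages, as a phone forwarder or mail poller might post them.
const SAMPLE_SMS = {
  id: 'sms-1',
  recipient: '+1 (555) 010-0001',
  body: 'Your verification code is 482913. It expires in 5 minutes.',
};
const SAMPLE_EMAIL = {
  id: 'uidl-0001',
  recipient: 'dast-test@example.com',
  body: 'Use 73019 to finish signing in.',
};

// Simulated exchange: SMS arrives first and is queued, then the browser asks;
// for email the browser asks first and is satisfied when the message arrives.
async function demo() {
  const cc = new ControlCenter();
  cc.receive(SAMPLE_SMS);
  const smsCode = await cc.nextCode('+15550100001');
  const pending = cc.nextCode('dast-test@example.com', { timeoutMs: 1000 });
  cc.receive(SAMPLE_EMAIL);
  const emailCode = await pending;
  return { smsCode, emailCode };
}
```

The two things worth copying from this sketch are the dedupe by message id (a mailbox poller will see the same message on every poll, which is why the page requires POP3 servers with UIDL support) and the expiry window, so that a code left over from an earlier login is never handed to a later one.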
Recommendation
We strongly recommend that you use test phones and test email addresses only. Do not use personal phones or email addresses: the forwarding app and the mailbox polling give the scanner access to the messages those endpoints receive, and the mailbox credentials are stored with the scan settings.
Known limitations
The following known limitations apply to the two-factor authentication feature:
- IMAP and POP3 servers are supported. However, only POP3 servers that support unique ID listing (UIDL) are supported; the scanner needs the per-message IDs to tell new messages from those it has already read. You can check support by logging in to the server and issuing the UIDL command: a server that does not support it responds with -ERR.
- Currently, login macros with two-factor authentication using email support only basic (username and password) authentication for IMAP or POP3. This is why Gmail accounts require an app password (see below).
- Currently, only Android mobile phones are supported.
- The mobile phone requires a Wi-Fi connection on the same subnet as the machine where OpenText DAST is installed.
Facts about Gmail accounts
Be aware of the following facts related to Gmail accounts:
- Gmail POP3 access has a normal mode and a recent mode. If you use a Gmail account and new incoming emails are not picked up, recent mode might resolve the issue. To enable it, enter the account name in your POP3 account settings using the following format: `recent:<email_address@gmail.com>`
- For security, Google requires "Sign in with Google" to connect Gmail to a user's Google account and does not accept the normal account password from mail clients that use basic authentication. When using a Gmail account, you must create and use a Google app password. For more information, refer to the Google account documentation on creating and using app passwords.
Understanding the process
The following table describes the process for conducting a scan using two-factor authentication.
| Stage | Description |
|---|---|
| 1. | In the OpenText DAST application settings for two-factor authentication, complete the configuration described in Application settings: Two-Factor Authentication. |
| 2. | In the Event-based Web Macro Recorder, record a login macro and modify it for two-factor authentication as described in the OpenText™ Dynamic Application Security Testing Tools Guide. |
| 3. | In the Web Macro Recorder, replay the login macro to confirm that the code is received and entered. |
| 4. | Optionally, if conducting a multi-user login scan, add credentials for username, password, phone number, email, and email password in the Scan Settings: Authentication window. For more information, see Multi-user login scans and Scan settings: Authentication. |
| 5. | In OpenText DAST, run a scan using the macro. |