Two-Factor Authentication (2FA) Support for Scans
Overview
Our platform fully supports applications protected by Two-Factor Authentication. Whether your app uses SMS, TOTP (authenticator apps or similar), passwordless, or browser-based authentication, the scanner can automatically pass the 2FA step and continue the assessment without manual input.
What This Enables
- Fully automated scans even with multi-step authentication
- End-to-end coverage of the entire login flow
- Real-time OTP handling (SMS retrieval / TOTP generation)
- Compatibility with all major 2FA implementations
Supported 2FA Methods
1. SMS-Based 2FA
OTPs delivered via text message.
How it works
1. Your app sends an SMS OTP to the testing number.
2. The platform captures the message.
3. The OTP is injected automatically into the login flow.
4. The scan continues without interruption.
What we need from you
- The sender phone number that your application uses to send OTP codes (i.e., the number that appears as the sender when users receive verification codes)
- A test account configured with the provided test number
2. TOTP (Time-Based One-Time Password) / Authenticator Apps
Standard 30-second rotating codes used by authenticator apps (Google Authenticator, Microsoft Authenticator, Authy, etc.) and most authentication systems.
How it works
- You provide the TOTP secret key (seed).
- The scanner generates valid TOTP codes in real time.
- Works with any TOTP-compliant implementation.
What we need from you
- A Base32 TOTP seed (e.g., JBSWY3DPEHPK3PXP)
- This is the same key shown during initial QR code setup or when configuring an authenticator app.
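To check a seed before adding it as a scan credential, the following added example (not the platform's own code) decodes a Base32 seed and derives the current code per RFC 6238; the result should match what the authenticator app shows for the test account. HMAC-SHA1 and 6 digits are assumed defaults, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_seed(seed):
    """Decode a Base32 seed as it is usually displayed: grouped, lower case, unpadded."""
    cleaned = seed.replace(" ", "").replace("-", "").upper()
    if not cleaned:
        raise ValueError("empty TOTP seed")
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding stripped by setup screens
    try:
        return base64.b32decode(cleaned)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("seed is not valid Base32") from exc


def totp(seed, at=None, step=30, digits=6):
    """RFC 6238 code for the time step containing `at` (assumed: HMAC-SHA1)."""
    key = normalize_seed(seed)
    now = time.time() if at is None else at
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(at=None, step=30):
    """Seconds until the current code rotates."""
    now = time.time() if at is None else at
    return step - int(now) % step


if __name__ == "__main__":
    example_seed = "JBSWY3DPEHPK3PXP"  # the sample seed from this page, not a real secret
    print("current code:", totp(example_seed))
    print("rotates in:", seconds_remaining(), "s")
```

If the printed code does not match the authenticator app, compare the machine's clock and the seed's encoding before suspecting the credential.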
Configuring 2FA for Scans
Step 1 — Add 2FA Credentials
For SMS 2FA
- Request a test phone number from support.
- Create a test user account tied to that number and enable 2FA.
- Add the username/password under scan credentials.
- Add the phone number as a credential if needed during login.
For TOTP / Authenticator Apps
- Navigate to the Credentials section.
- Add the TOTP seed (Base32 string).
- Without the seed, TOTP-based authentication cannot succeed.
Step 2 — Define the Full Authentication Flow in Your Prompt
Your prompt must clearly describe each login step, including 2FA.
Your instructions should cover:
1. Navigate to the login page
2. Enter username and password
3. Detect the 2FA prompt
4. Retrieve or generate the OTP using the provided credential reference
5. Enter the OTP
6. Confirm successful authentication
The scanner executes your instructions and automatically uses the correct 2FA credential during the flow.