Multi-Factor Authentication (MFA)

Configure AppScan® to use a one-time password or security questions (multi-factor authentication) when logging in.

One Time Password (OTP)

If your application uses OTP, select one of the two options (TOTP or URL-generated); otherwise leave the default setting, None.

When you record the login procedure, AppScan will extract the relevant parameters from the traffic and add them to the OTP HTTP-parameters list. They will also be added to the OTP entry in Automatic Form Fill view. If AppScan fails to identify the parameters, you must add them yourself, either in this view or in Automatic Form Fill view.
Limitations:
  • Only one OTP type (TOTP or URL-generated) is supported per scan.
  • For TOTP only numerical values are supported.
  • When OTP is configured, Action-based must be selected as the Login playback method. OTP does not work with Request-based login.

How to identify the OTP HTTP-parameter

AppScan needs to know the name of the parameter that contains the OTP (in order to log in to the application), and usually identifies it when validating the Recorded Login procedure. If it fails to do so, or if you use Automatic Login, you must add the parameter yourself.

To identify the parameter:
  1. Open a browser and go to your application's login page.
  2. Press F12 to open the browser's developer tools pane (it opens to the right of, or underneath, the main browser pane).
  3. Click on the Elements tab to view the HTML code.

    When you select a part of the code, the element is highlighted in the main browser pane.

  4. Locate the element that highlights the OTP field.
    Example:
    <input type="text" name="OTPvalue" value="">
  5. The value of the name parameter, without the quotation marks, is the OTP HTTP parameter you need.
    Example:
    OTPvalue
  6. If there is more than one OTP HTTP parameter, click Add another to add additional fields as needed.
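
As an added example (not AppScan's own code), the following Python script automates steps 3 to 5 above against a constructed login page: it parses the HTML, collects the input elements, and reports the name attributes of the fields that look like OTP fields. It goes slightly beyond the manual procedure by also matching the HTML autocomplete="one-time-code" hint and a list of common OTP-like name fragments; the field names in the sample HTML are assumptions.

```python
from html.parser import HTMLParser

# Constructed login-page HTML (assumed field names, not from the AppScan docs),
# standing in for what the browser's Elements tab shows in step 3.
SAMPLE_LOGIN_HTML = """
<form method="post" action="/login">
  <input type="text" name="username" value="">
  <input type="password" name="password" value="">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="OTPvalue" value="" autocomplete="one-time-code">
  <input type="submit" value="Sign in">
</form>
"""

# Heuristic substrings seen in OTP field names/ids; extend for your application.
OTP_HINTS = ("otp", "totp", "one-time", "onetime", "verification", "mfa", "2fa")


class InputCollector(HTMLParser):
    # Collects the attributes of every <input> element in the document.
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})


def find_otp_parameters(html):
    # Return the name attributes (step 5's value, without quotes) of inputs
    # that look like OTP fields: autocomplete="one-time-code" (the HTML
    # standard hint) or a name/id containing one of OTP_HINTS. Hidden and
    # submit inputs are skipped because the OTP parameter is a typed field.
    collector = InputCollector()
    collector.feed(html)
    found = []
    for attrs in collector.inputs:
        if attrs.get("type", "text").lower() in ("hidden", "submit", "button"):
            continue
        name = attrs.get("name")
        if not name:
            continue
        haystack = (name + " " + attrs.get("id", "")).lower()
        is_otp = attrs.get("autocomplete", "").lower() == "one-time-code"
        if is_otp or any(hint in haystack for hint in OTP_HINTS):
            found.append(name)
    return found
```

If the script reports more than one name, add each of them with Add another, as in step 6.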

Security questions

"Security questions" is a common method used by applications and websites to add an additional layer of security to user accounts. These questions are typically personal and require users to provide specific answers that only they should know. This extra step helps verify the user's identity, especially during password recovery or when accessing sensitive information.

If your application uses security questions for user authentication, it's essential to add them here. This enables AppScan to accurately identify and capture the security questions during the login recording, in-session detection, or login playback process.

To add security questions:
  1. Click + Add.
  2. Type in the question exactly as defined in your application.
  3. Type in the answer exactly as defined in your application.
  4. Optionally define the parameter.
  5. Click Apply.
Note: Be sure to include all security questions and answers used by your application. Omitting any of them might cause problems when scanning, recording logins, and accessing sensitive information with AppScan.

When you record the login (including the answer to the question) or start the scan, AppScan identifies the security questions in the application during login, or during the scanning process after a successful login.

When using this feature, we recommend enabling the SessionManagement:ShowActionBasedPlayerWindow flag so that you can check that the questions are answered correctly. To enable this setting:
  1. Go to Tools > Options > Advanced.
  2. Locate SessionManagement:ShowActionBasedPlayerWindow, and change its setting to True.
  3. Run a scan. The browser opens during scanning, and you can watch AppScan explore your site, including how it answers the questions.