Welcome to the new Parasoft forums! We hope you will enjoy the site and try out some of the new features, like sharing an idea you may have for one of our products or following a category.

How Does SOATest and Selenic (and other Parasoft tools) Work With Multi-factor Authentication (MFA)?

Speedy993
Speedy993 Posts: 65
in SOAtest

We are being pushed to implement multi-factor authentication in all of our applications. Unfortunately, this will cause major problem with our build and deploy process and our automated testing.
We are looking at creating a set of userids that are only used for build and testing but I am also wondering how others have handled it. We are going to have to present our case to the security people and would like to have some ideas and recommendations.

Thanks for any information you may have.

Tagged:

Best Answers

  • benken_parasoft
    benken_parasoft Posts: 1,278 ✭✭✭
    edited September 4 Answer ✓

    Suggestions from Selenium docs:
    https://www.selenium.dev/documentation/test_practices/discouraged/two_factor_authentication/

    Also related:
    https://www.selenium.dev/documentation/test_practices/discouraged/captchas/

  • benken_parasoft
    benken_parasoft Posts: 1,278 ✭✭✭
    edited September 4 Answer ✓

    Security mechanisms like MFA and CAPTCHA are intended to require human interaction and defeat automation. So, attempting to do the opposite may have little chance of success. This is a general test automation challenge, not Parasoft-specific, which is why I linked to the suggestions from Selenium. I would consider those suggestions.

    I can also share some experience I have had. I once wrote a SOAtest test suite with an Extension tool just to pop up a dialog so I could manually enter a time-based MFA code. After manually entering the code, my test suite made a REST API call to exchange the code for a temporary access token. This access token could then be used to authorize the other REST API calls in my scenario. This is something I did a while back as part of a proof-of-concept. Obviously, this doesn't work for automation where I would likely have to disable MFA for my user.

    I have never done this so I want to stress that the following may not work. If I were to attempt to automate the interaction with the Microsoft Authenticator app then I'd do this with Appium. In other words, instead of my Extension tool opening a dialog perhaps it could use Appium's java-client to automate the approval. I have just never tried this nor come across any success stories of anyone doing that with Appium.

Answers

  • jakubiak
    jakubiak Posts: 806 admin

    Follow up from @Speedy993 that was posted to another forums topic:

    Thanks for replying so quickly. The issue we are having is that the way MFA is being implemented involves having to open the Microsoft Authenticator app in our phones and enter the number displayed before navigating to the application logon screen. Is the only way around this is to configure Entra to allow certain userids to bypass the MFA prompt? I am not sure what you mean by accessing the database to retrieve the data. Also, it appears the link is no longer active.

  • Speedy993
    Speedy993 Posts: 65

    Thanks jakubiak and benken_parasoft for your replies. I appreciate all of your feedback. It appears that the easiest way to get around the MFA is to for the test userid to bypass the MFA requirements. I think we may be allowed to have this since the ids can be limited to our test environments. At this point my coworkers and I are gathering information to present to the security team.
    Thanks again!

Categories

Tagged