
Synthetic Monitoring - MFA

Benedikt
Participant

Hello, 

I am trying to set up synthetic monitoring for an internal website. I want to use a browser monitor for that. 

The problem is that the website requires MFA, so the password and a code. Currently the code is generated by the Google Authenticator App. 

How is it possible to either avoid the MFA or to find a way to get the code?

Thank you in advance, 

Benedikt

9 REPLIES

radek_jasinski
DynaMight Guru

Hi @Benedikt 

Setting up synthetic monitoring for a website that requires multi-factor authentication (MFA), like the one using Google Authenticator, can be challenging due to the dynamic nature of MFA codes. Dynatrace generally has limitations in handling MFA during automated testing because MFA involves dynamically generated, time-sensitive tokens.

However, there are a few approaches you could consider:

Using API to Fetch MFA Codes: In some instances, it's possible to use an API to obtain the MFA code. For example, a community member on the Community discussed a method involving fetching the MFA code through an API call and then using JavaScript to input this code into the synthetic script. This method can be complex and may not be supported by all MFA systems.

https://community.dynatrace.com/t5/Synthetic-Monitoring/Multi-factor-authentication-for-synthetics/m...

Radek

Have a nice day!

Hello Radek, 

Thank you very much. Is this also possible with Google Authenticator? There is no URL where you can get the code from; you have to have the app installed. 

 

Yes, for Google you have an API available for which you download the code.

Have a nice day!

Hello Radek, 

Thank you. I have looked into it for a couple of hours now, but I am not sure how to do it. 

In case you already have some experience, I would be happy if you could share some knowledge.

 

@Benedikt,

Software-based authenticators, such as Google Authenticator, aren't "secret" algorithms; in fact they are RFC documented, as in RFC 4226 and RFC 6238.

To start, you would need an OTP application. A good list is available at: https://en.wikipedia.org/wiki/Comparison_of_TOTP_applications

After you get the latter working, you would proceed to the strategy that I mentioned in the link @radek_jasinski mentioned.

Be advised that this is a very difficult project to set up! This is not for the faint-hearted...

Antonio Sousa

Hi @Antonio,

Okay, sounds difficult. I'll have to ask how much time we want to spend on it. 

Would it be easier if instead of using MFA for the application, we use an API key? 

The application supports both MFA and authentication via API keys. 

In case this would be easier, how would it be done with an API key? 

 

@Benedikt,

Yes, much, much easier.

Typically, an API key is a header and you can define them in browser monitors:
https://docs.dynatrace.com/docs/platform-modules/digital-experience/synthetic-monitoring/browser-mon...

Antonio Sousa

Babar_Qayyum
DynaMight Guru

Hello @Benedikt 

We went through this challenge and then took another path to fulfill this requirement. I am sharing it here, in case this can help you out.

We asked for a couple of dummy users and passwords (without MFA) with login access only (no other functions were enabled for those users from the backend) and then used those users to create browser clickpaths to validate that the login service is available and performing according to the SLA.

Regards,

Babar

Hello, 

Thank you. That would be my last straw; we would like to monitor if the MFA is working too.