Two-factor authentication (2FA) strengthens authentication with an additional layer of security that requires presenting an extra piece of evidence – the extra factor – to an authentication mechanism of a website or application.

The first factor usually takes the form of a password that only the user should know, hence why it’s called the Knowledge Factor; but we all know passwords can be compromised.

Adding a second factor in combination with the first one, something that the user possesses (the Possession Factor) and that is fleeting or that can be used only once, adds an extra layer of security that gives added protection even in cases when that first factor might get compromised. This possession factor usually takes the form of a code that is generated upon the user’s request.

The dynamic nature of these generated codes has them change over time. Even if a malicious actor were to intercept or obtain a code, it would become useless after a short period, which would make it more challenging for attackers to reuse stolen codes. And that is exactly the reason why many of the more security conscious online services and organizations, such as banking or healthcare institutions, chose to implement 2FA to protect user accounts from unauthorized access.

Still, although integrating 2FA into your security practices is an extremely recommended practice nowadays, it also brings extra complexity to vulnerability scans, causing most scanners to hit roadblocks with the extra security layer.

Probely addresses this by offering a streamlined approach to setting up and performing comprehensive scans on targets protected with 2FA without compromising the robust protection that 2FA offers to your websites and applications.

With Probely, you simply have to set up your target’s authentication and configure the 2FA extra layer, with one of two methods for the possession factor we mentioned before.

Time-based One-time Password (TOTP)

The factor is obtained using an authenticator like Google Authenticator, 1Password, Authy, Microsoft Authenticator, or others, which provides a random code that changes periodically. This random and temporary code is called Time-based One-time Password (TOTP).

You can explore and learn more in this article on How to set up Target 2FA with TOTP.

Alternative OTP (Other OTP)

The factor is obtained as a random code sent through a communication channel like an email or a text message. This random code is called a One-time Password (OTP).

You can explore and learn more in this article on How to set up Target 2FA using an alternative OTP.

After completing the configuration, run your target scans, and Probely won’t get blocked by 2FA while exploring the URLs of your website or application to find vulnerabilities.

Scanning websites and applications with 2FA is made easier by using Probely, as we’ve streamlined and simplified the way the 2FA configuration is done – even if the setup is a bit more involved. Much like everything else we do when it comes to ease of setup and use of the product, with the end user in mind: you shouldn’t have to run through hoops to enhance your security practices. And if your scanner’s struggling with this specific hoop, it might be time to try something new.