TOTP / MFA (Two-Factor Authentication)

Test Time-based One-Time Password (TOTP) authentication automatically. TOTP is used by Google Authenticator, Authy, Microsoft Authenticator, and similar apps.

What is TOTP?

TOTP generates a new 6-digit code every 30 seconds based on a shared secret (seed). Apps that implement it include:

  • Google Authenticator
  • Authy
  • Microsoft Authenticator
  • 1Password
  • LastPass

Setup

1. Extract TOTP Seed

Your app generates a TOTP secret (usually shown as a QR code):

QR Code displayed on screen

├─ Scan with authenticator app
│  (app stores the secret)

└─ Or manually enter secret:
   JBSWY3DPEBLW64TMMQ======
   (base32 encoded)

Extract the base32 secret for your test account. Most apps show it during setup (sometimes in a “Can’t scan?” fallback).

2. Create Persona

Persona: "QA User 2FA"
├─ Auth Type: TOTP
├─ Email: qa-user@example.com
├─ Password: SecurePass123!
└─ TOTP Secret: JBSWY3DPEBLW64TMMQ======

3. Use in Tests

During execution, the AI:

  1. Logs in with email + password
  2. Reaches the “Enter 2FA code” screen
  3. Calls pyotp to generate current 6-digit code
  4. Enters code
  5. Continues with authenticated state

How It Works

AI sees "Enter 2FA code" prompt

TOTP Secret in persona: JBSWY3DPEBLW64TMMQ======
Current time: 2024-03-08 14:23:45 UTC
30-second window: 14:23:30 - 14:23:59

pyotp calculates:
  HMAC-SHA1(secret, time_window)
  → 6-digit code: 234567

AI enters: 234567
Server validates against authenticator app's code
Login succeeds ✓
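The pyotp step in the flow above, shown as an added example that is not BugBrain's or pyotp's own code: an RFC 6238 generator written from scratch (HMAC-SHA1 over the 30-second counter, then dynamic truncation) next to a server-side verifier that tolerates one step of clock drift and refuses to accept a window that was already consumed, which is the "Code already used" behaviour noted under Troubleshooting. The seed is this page's sample secret; the class and function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

SECRET_B32 = "JBSWY3DPEBLW64TMMQ======"  # the sample seed used throughout this page


def totp_code(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    if unix_time is None:
        unix_time = time.time()
    s = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate seeds shown without padding
    counter = int(unix_time) // step                  # e.g. 14:23:45 -> window starting 14:23:30
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: allow `skew` steps of clock drift, never accept a consumed step twice."""

    def __init__(self, secret_b32, step=30, skew=1):
        self.secret_b32, self.step, self.skew = secret_b32, step, skew
        self.last_counter = -1  # highest time-step counter already used for a successful login

    def verify(self, code, unix_time):
        counter = int(unix_time) // self.step
        for delta in range(-self.skew, self.skew + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # this window was already consumed: the "Code already used" case
            expected = totp_code(self.secret_b32, c * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp_code(SECRET_B32, now)
    v = TotpVerifier(SECRET_B32)
    # first use accepted, replay of the same code rejected, wrong code rejected
    print(code, v.verify(code, now), v.verify(code, now), v.verify("000000", now))
```

Running it against the real authenticator app for the same seed should show the same 6 digits within the same 30-second window; the replay rejection is what makes the Invalid Code test in the sections below meaningful.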

Configuration

Field Details

Field          Required   Format              Notes
TOTP Secret               Base32              Look for "secret key" or scan QR code
Email                     email@example.com   Account being tested
Password                  Any                 Password for initial login

Finding Your TOTP Secret

In most apps:

  1. Account Settings → Security → 2FA
  2. Click “Can’t scan QR code?”
  3. Copy the secret key (base32 format)
  4. Paste into BugBrain persona

Example extraction:

Google account:
  Settings → Security → 2-Step Verification
  → Authenticator app → Can't scan?
  → Shows: JBSWY3DPEBLW64TMMQ======

Copy secret → Paste into BugBrain persona

Testing Both Success and Failure

Test Valid Code (Success Case)

Test: "User can login with valid 2FA code"
├─ Use Persona: QA User 2FA
├─ Navigate to login
├─ AI logs in
├─ AI enters TOTP code automatically
└─ Verify dashboard loads (success)

Test Invalid Code (Failure Case)

Test: "User cannot login with invalid 2FA code"
├─ Manually enter wrong code: 000000
├─ System should reject
└─ Verify error message appears

Note: BugBrain auto-enters correct codes in standard tests. To test invalid codes, manually override the step.

Multi-User TOTP Testing

Test role-based access with different TOTP users:

Test: "Admin and regular user see different dashboards"
├─ Step 1: Login as Admin (Persona: QA Admin with TOTP)
├─ Step 2: Verify admin dashboard
├─ Step 3: Logout
├─ Step 4: Login as User (Persona: QA User with TOTP)
├─ Step 5: Verify user dashboard (different layout)
└─ Result: ✓ Pass

Each persona has its own TOTP secret. Both work independently.

Troubleshooting

"Invalid authenticator code"

  • TOTP secret incorrect (recheck base32 format)
  • Server’s time out of sync (less common, contact admin)
  • Code generation failed (contact support)

“Code already used”

  • TOTP codes are one-time per 30-second window
  • Timing mismatch between server and test environment
  • Solution: Ensure server time is synced (NTP)

“Can’t find TOTP secret”

  • Check account security settings → 2FA tab
  • Look for “secret key” or “manual entry”
  • Some apps only show a QR code and never expose the key; the secret can't be extracted from those

Security Best Practices

  1. Use dedicated test accounts — Don’t expose production TOTP seeds
  2. Rotate secrets quarterly — Disable old 2FA, set up new
  3. Secure secret storage — Treat TOTP secret like a password
  4. Don’t screenshot secrets — Never screenshot TOTP codes or seeds
  5. Limit persona access — Only share with trusted team members

⚠️ Important: TOTP secrets are extremely sensitive. Treat them like passwords. If exposed, anyone can generate valid 2FA codes.

Limitations

  • ❌ Can’t test recovery codes (not yet supported)
  • ❌ Can’t test 2FA backup methods (SMS, email)
  • ✅ Time-based TOTP (all standard authenticators)
  • ✅ Base32 encoded secrets

Next Steps