Automated Testing for Google Authenticator through Selenium - smartSense

Automated Testing for Google Authenticator through Selenium

This blog post is focused on automating the use of Google Authenticator. When writing automation scripts for websites that enforce two-factor authentication, the step where a person has to scan a QR code and type in the code from their phone blocks unattended runs. This post describes a workaround for that blocker.

What is Google Authenticator?

Google Authenticator is a mobile app that provides the second factor in two-factor authentication (2FA): it generates one-time codes that a website or service checks, in addition to the password, before granting access.

2FA makes it much harder for an intruder who has only stolen a password to masquerade as an authorized user, and it has become a must for sensitive services such as banking sites and cryptocurrency applications.

Authentication factors are categories of credentials used to verify that someone or something is who or what they claim to be.

There are three categories:

  1. Knowledge factors: Something the user knows, typically a password or PIN
  2. Possession factors: Things that the user has, typically a mobile phone
  3. Inherence factors: Physical characteristics of the user, typically a biometric characteristic such as a fingerprint or an iris pattern.

Working of Google Authenticator

Google Authenticator works with any website or service that has enabled two-factor authentication with it. Like other TOTP-based 2FA apps, the scheme combines a knowledge factor (the password) with a possession factor (the phone that holds the secret).

First you enroll: after logging in with your username and password, you turn on 2FA in the site's settings, install Google Authenticator from the Play Store (or App Store) and scan the QR code the site shows. The QR code carries a shared secret; nothing is sent to the phone afterwards. From then on the app computes a fresh six-digit code every 30 seconds from that secret and the current time, and every login requires the current code in addition to the password. Entering the right code proves that the person logging in holds the device on which the secret was enrolled.

The Authenticator app implements the Time-based One-Time Password (TOTP) algorithm specified in IETF RFC 6238. TOTP derives a six-digit code from the shared secret and the current time (by default the number of 30-second steps since the Unix epoch, run through HMAC-SHA1), so the code changes every 30 seconds and a captured code is useless once its window has passed.
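To make the TOTP computation concrete, here is an added Python implementation of the RFC 6238 algorithm as Google Authenticator runs it (HMAC-SHA1, 30-second step, six digits). It is not code from the original post or from the aerogear library the post uses. Beyond the bare algorithm it shows two things a test author runs into in practice: not typing a code that is about to expire, and how a server tolerates clock drift by accepting neighbouring steps. The 5-second guard and the one-step window are assumptions chosen for the example; the sample secrets are constructed (the first is the RFC 6238 test key, the second is the post's own example key written the way an enrollment page might display it) and are not real account secrets.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30   # RFC 6238 default time step, which Google Authenticator uses
DIGITS = 6  # Google Authenticator shows six digits


def decode_setup_key(secret_b32):
    """Decode the base32 setup/backup key as printed on the enrollment page.
    Sites often display it in spaced groups, lowercase and without '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32, for_time=None, step=STEP, digits=DIGITS):
    """TOTP per RFC 6238 with HMAC-SHA1: HOTP(key, floor(T / step))."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    mac = hmac.new(decode_setup_key(secret_b32),
                   struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 s5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def seconds_remaining(for_time=None, step=STEP):
    """Seconds until the current code rolls over to the next one."""
    if for_time is None:
        for_time = time.time()
    return step - int(for_time) % step


def code_for_login(secret_b32, now=None, min_remaining=5):
    """Pick the code an automation script should type.

    A code generated one second before its window ends may be rejected by
    the time Selenium has typed it and clicked submit. If fewer than
    min_remaining seconds are left (5 is an assumed threshold), return the
    next window's code together with how long to sleep before typing it."""
    if now is None:
        now = time.time()
    wait = seconds_remaining(now)
    if wait >= min_remaining:
        return totp(secret_b32, now), 0
    return totp(secret_b32, now + wait), wait


def verify(secret_b32, code, now=None, window=1):
    """Server-side check: accept the current step and `window` steps either
    side of it, to tolerate clock drift between phone and server."""
    if now is None:
        now = time.time()
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + k * STEP), code):
            return True
    return False


# Constructed example inputs: the RFC 6238 test secret, and the post's example
# key in the format an enrollment page might print. Neither is a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of "12345678901234567890"
PAGE_KEY = "nqyv is2v nu7g ktku"                 # same key as "NQYVIS2VNU7GKTKU"

if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(RFC_SECRET, 59))   # 287082
    code, wait = code_for_login(PAGE_KEY)
    print("code to type:", code, "sleep first:", wait, "s")
```

Running the module prints the first RFC 6238 test vector and a live code for the post's example key. In a Selenium test you would call code_for_login, sleep for the returned number of seconds if it is non-zero, then type the code; that removes the intermittent failures a fixed sleep between generation and submit otherwise produces at the edge of a 30-second window.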

Example:

Here is a screenshot of the 2FA enrollment page with the QR code to scan.

[Screenshot: 2FA enrollment page showing the QR code and the backup key]

To proceed, you would normally scan the QR code in the screenshot with the Google Authenticator app on a phone, but an automation script cannot do that. The solution is the backup key (also called the setup key) shown next to the QR code in the screenshot: it is the same base32-encoded secret the QR code contains, and with it the script can compute the OTP itself. Treat this key as a credential, since anyone who has it can generate valid codes for the account: keep it out of source control and load it from a secrets store or environment variable rather than pasting it into the test code.

After enabling 2FA, every login to the website requires the current code; without it you cannot get in.

So how do we automate entering the OTP? During 2FA enrollment the site shows the backup key once; save it manually and give it to the test code, which then generates the same codes the phone app would. The following code shows how to automate 2FA this way.


import org.jboss.aerogear.security.otp.Totp;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.support.FindBy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Page object for the 2FA screen (Page Object Model with PageFactory).
// The @FindBy locators are placeholders; replace them with the real ones.
public class TwoFactorPage {

    private static final Logger logger = LoggerFactory.getLogger(TwoFactorPage.class);

    @FindBy(id = "enter2FA")   // the "Enter 2FA" text field
    private WebElement enter2FA;

    @FindBy(id = "submit")     // the submit button
    private WebElement clickBtn;

    String otpKeyStr;
    String twoFactorCode;

    public void enteringAuthy() {
        try {
            otpKeyStr = "NQYVIS2VNU7GKTKU"; // <- the 2FA secret (base32 backup/setup key)
            Totp totp = new Totp(otpKeyStr);
            twoFactorCode = totp.now();      // six-digit code for the current 30-second window
            logger.info(twoFactorCode);
            Thread.sleep(2000);

            logger.info("Entering 2FA code");
            enter2FA.sendKeys(twoFactorCode);
            Thread.sleep(2000);

            logger.info("Clicking on the submit button");
            clickBtn.click();
            Thread.sleep(2000);
        } catch (Exception e) {
            // swallowing the exception silently would hide a failed login
            logger.error("2FA entry failed: {}", e.getMessage(), e);
        }
    }
}


This code keeps the secret key in a variable and uses it to generate the current OTP every time the automation script runs; nothing is fetched from the phone or from the server.

Whenever the automation script runs, the OTP is computed directly from the key, and the key only has to be saved once, until 2FA is reset for the account. The screenshot below shows the page with the text field that receives the OTP from the script. The code uses the page object model (POM) with the PageFactory design pattern.

[Screenshot: login page with the "Enter 2FA" text field and the submit button]

We use the sendKeys method, which types the six-digit code generated from the key into the text field named "Enter 2FA".

If 2FA is reset on the account for any reason, the site issues a new key; just replace the 2FA key in the code above (or wherever you store it).

Don't forget to add the Totp library to your build (Maven coordinates org.jboss.aerogear:aerogear-otp-java); it implements the Time-based One-Time Password algorithm specified in RFC 6238.

That is all about the issue we faced in our project when automating Google Authenticator logins. Feel free to comment below with questions; we will be glad to answer.