How-To: Configuring Your Target for DAST with 2FA Enabled

Last updated: June 3, 2026

Introduction

If your application enforces Two-Factor Authentication (2FA/MFA), Astra's DAST scanner may not be able to log in and scan effectively without additional configuration. Below are four methods you can use to enable scanning on targets protected by MFA.

Prerequisites

  • Access to the Target Settings in your Astra dashboard.

  • The Chrome DevTools recorder to capture login sequences.

  • For custom scripts, you must have the ability to export recordings as Puppeteer JS files.

Instructions

Option 1: Use a Static OTP for Staging Environments

This is the most seamless method for testing environments that allow a fixed code for bypass.

  1. Verify your staging environment supports a static OTP.

  2. Use the Chrome Login Recorder to record your login flow.

  3. Enter the static OTP during the recording process as you normally would.

  4. Upload the resulting recording file to the Target Settings > User credentials > Login Recording section of your dashboard.

  5. Add your test user's email and password in Target Settings > User credentials.

Option 2: Disable MFA on Dedicated Test Accounts

If static OTPs are not supported, you can bypass the prompt entirely by using an unprotected account.

  1. Create a dedicated testing account within your application.

  2. Disable MFA specifically for that account.

  3. Record the login sequence (which will no longer show a 2FA prompt) and upload it to Login Recording.

  4. Add this user's credentials to the User Roles section in the Astra dashboard.

Option 3: Custom Login Script (For TOTP-based MFA)

If you use an authenticator app (e.g., Google Authenticator), Astra can implement a script to generate these codes dynamically.

  1. Record your login flow using Chrome and enter any valid OTP code during the process.

  2. Export the recording as a Puppeteer JS file (ensure it is not a JSON file).

  3. Ensure user credentials are saved in Target Settings.

  4. Raise a support ticket at help@getastra.com including:

    • A link to your Target Settings page.

    • The exported JS file.

    • The TOTP MFA secret (seed) used to generate your codes.

  5. Astra will implement the logic and notify you once the custom script is active.

Option 4: Set Authentication Headers Manually

This is a quick workaround for one-off scans but is not recommended for automated pipelines.

  1. Log in to your application manually in your browser.

  2. Open DevTools > Network tab and copy your Authorization header or session cookies.

  3. Navigate to Target Settings > Advanced settings in the Astra dashboard.

  4. Paste the header name and value there.

Expected Outcome

The scanner will be able to bypass 2FA prompts and perform an authenticated crawl, allowing it to identify vulnerabilities within restricted areas of your application.

Troubleshooting & Limitations

  • Manual Header Expiration: Be aware that tokens copied manually will expire, requiring you to refresh them before every scan.

  • Unsupported MFA: Astra currently supports TOTP and email MFA; SMS OTP is not supported.

  • CI/CD Compatibility: Only Options 1, 2, and 3 are suitable for automated CI/CD pipelines.

  • Connection Errors: If the scanner still cannot log in, ensure you have allowlisted Astra's static IP addresses in your firewall or MFA system.

Summary

Method                      | MFA Required | Automation-Friendly | Best For
----------------------------+--------------+---------------------+--------------------------------
Static OTP                  | Yes          | Yes                 | Staging/test environments
MFA Disabled for Test Users | No           | Yes                 | Isolated test accounts
Custom Script via Support   | Yes (TOTP)   | Yes                 | TOTP-protected logins
Manual Auth Headers         | Yes          | No                  | One-off scans or manual testing

For any questions or help with setup, please reach out to our support team via the in-dashboard support widget or by raising a support ticket.