If your application enforces Two-Factor Authentication (2FA/MFA), Astra's DAST scanner may not be able to log in and scan effectively without additional configuration. Below are four methods you can use to enable scanning on targets protected by MFA.
Method 1: Static OTP
Many staging environments support a static OTP for end-to-end testing purposes. This means the same OTP code can be entered on every login to get past the 2FA prompt.
To use this method:
1. Ensure your staging environment allows a static OTP.
2. Provide Astra with the usual credentials (email and password) in the Target Settings > User Roles section.
3. Use Google Chrome's DevTools Recorder to record your login flow (reference: "How to record a login sequence with Chrome DevTools recorder?"). During the recording, enter the static OTP code as usual.
4. Upload the login recording file in the Target Settings > Login Recording section of the Astra dashboard as usual.
This is the most seamless way to enable scanning on MFA-protected targets.
Method 2: MFA Disabled for Test Users
If static OTPs aren't available, another approach is to disable MFA for the test accounts you configure in Astra.
Steps:
1. Create a dedicated testing user account in your application.
2. Disable MFA for that account.
3. Go to your Astra dashboard > Target Settings and add that user's email and password in the User Roles section.
4. Record the login sequence and upload it in the Target Settings > Login Recording section (reference: "How to record a login sequence with Chrome DevTools recorder?").
This lets the scanner log in without encountering 2FA prompts.
Method 3: Custom Script via Support
If neither of the above methods is possible, you can request Astra to build a custom login script that handles TOTP-based MFA (e.g., Google Authenticator, Authy).
How to do this:
1. Use Google Chrome's DevTools Recorder to record your login flow (reference: "How to record a login sequence with Chrome DevTools recorder?").
2. During the recording, enter the OTP code as usual.
3. Export the recording as a Puppeteer JS file (not JSON).
4. Ensure the test user credentials (email & password) are already added to the Astra Target Settings.
5. Collect the following and raise a support ticket:
   - Link to the Target Settings page in your Astra dashboard.
   - The exported Puppeteer login script (JS file).
   - The TOTP MFA secret used for generating OTPs.
Note: Currently, Astra only supports TOTP-based MFA. Email/SMS OTP support is on our roadmap.
Once received, the Astra team will:
Implement the custom login logic,
Test the login flow,
Upload the working script to your target settings, and
Notify you when it’s ready.
Method 4: Manual Auth Headers
If you prefer a quicker workaround or cannot alter your MFA settings, you can manually provide authentication tokens using Astra's Extra Headers feature.
Steps:
1. Log in to your application manually.
2. Open your browser's DevTools → Network tab.
3. Copy the Authorization header or authentication cookies.
4. Go to Target Settings > Extra Headers in the Astra dashboard and paste these values.
Limitation: Tokens expire over time. This method doesn’t work well with scheduled scans or CI/CD pipelines as you’ll need to manually refresh the token.
| Method | MFA Required | Automation-Friendly | Best For |
|---|---|---|---|
| Static OTP | ✅ Yes | ✅ Yes | Staging/test environments |
| MFA Disabled for Test Users | ❌ No | ✅ Yes | Isolated test accounts |
| Custom Script via Support | ✅ Yes (TOTP) | ✅ Yes | TOTP-protected logins |
| Manual Auth Headers | ✅ Yes | ❌ No | One-off scans or manual testing |
For any questions or help with setup, please reach out to our support team via the in-dashboard support widget or by raising a support ticket.