How to programmatically bypass 2FA

Introduction

There is a chance that one day you’ll be asked to enter a two-factor authentication (2FA) code. There is even a possibility that you’ll be asked to enter a code every time you log in. Such a good area for automation, isn’t it?

My notes are usually dancing around mobile automation, so let’s imagine we have an idea to bypass 2FA on Play Store as part of our automation script.

Action

The first time, we do have to log in manually, but instead of scanning a QR code we’ll use a secret key.

  1. Navigate to myaccount.google.com/security using the account that will be used in the automation script
  2. Click on the 2-Step Verification section
  3. Provide an email and a password and click on the Next button
  4. Click on the Authenticator App section (or on the Change Phone link in that section if the app was already set up for this account)
  5. Select the Android or iPhone radio button and click on the Next button
  6. Click on the Can’t Scan It option (it will generate the secret key for manual use)
  7. Open any Authenticator app on your iOS or Android device (e.g. Duo Mobile)
  8. Add a new account in the Authenticator app using the account email and the secret key from the previous step
  9. Return to the browser window and click on the Next button
  10. Generate a Time-based One-Time Password (TOTP) using the Authenticator app on your device
  11. Jump back to the browser window, enter the TOTP verification code and click on the Verify button

That’s it, we logged in. Now it’s time to automate the process. We’re not going to open the Authenticator app every time we log in, are we?

  1. Install OATH Toolkit on your machine:

     brew install oath-toolkit
    
  2. Generate the TOTP verification code:

     oathtool --base32 --totp "${YOUR_SECRET_KEY}"
    

Cool beans, the output of the last command is the TOTP verification code. Check it out!
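
What the oathtool command above computes, written out as an added Python example (not code from the original post): RFC 6238 TOTP with HMAC-SHA1, a 30-second step and 6 digits, which are oathtool's defaults. The `TOTP_SECRET` environment variable and the function names are assumptions, and the embedded key is the RFC 6238 test key, not an account secret.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# RFC 6238 test key ("12345678901234567890" in base32); not an account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode the key as a setup page shows it: grouped, lower case, unpadded."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode needs a multiple of 8 chars
    return base64.b32decode(cleaned)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 code: HOTP (RFC 4226) over the number of elapsed time steps."""
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(now=None, step=30):
    """Seconds until the current code rolls over to the next one."""
    return step - int(time.time() if now is None else now) % step


if __name__ == "__main__":
    # TOTP_SECRET is an assumed variable name; falls back to the RFC test key.
    secret = os.environ.get("TOTP_SECRET", RFC_TEST_SECRET)
    if seconds_left() < 5:
        time.sleep(seconds_left())  # avoid submitting a code about to expire
    print(totp(secret))
```

The secret key is the second factor itself: whoever can read it can produce valid codes, so keep it in a secret store rather than in the script or the repository.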

Conclusion

Although 2FA is truly secure, as you might have noticed it is also fairly developer-friendly: to bypass it from a script, an automation test or whatever, we can simply call oathtool at the moment of logging in. Hope it helps. See ya later (:
