How to programmatically bypass 2FA
This note was originally published on my personal blog here. Read the original note so that you won’t miss any content.
Introduction
There is a chance that one day you’ll be asked to enter a two-factor authentication (2FA) code. There is even a possibility that you’ll be asked to enter a code every time you log in. Such a good area for automation, isn’t it?
My notes are usually dancing around mobile automation, so let’s imagine we have an idea to bypass 2FA on Play Store as part of our automation script.
Action
The first time, we do have to log in manually, but instead of a QR code, we’ll use a secret key.
1. Navigate to myaccount.google.com/security using the account that will be used in the automation script
2. Click on the “2-Step Verification” section
3. Provide an email and a password and click on the “Next” button
4. Click on the “Authenticator App” section (or on the “Change Phone” link in that section if the app was already set up for this account)
5. Select the “Android” or “iPhone” radio button and click on the “Next” button
6. Click on the “Can’t Scan It” option (it will generate the secret key for manual use)
7. Open any Authenticator app on your iOS or Android device (e.g.: Duo Mobile)
8. Add a new account in the Authenticator app using the account email and the secret key from the previous step
9. Return to the browser window and click on the “Next” button
10. Generate a Time-based One-Time Password (TOTP) using the Authenticator app on your device
11. Jump back on the browser window, enter the TOTP verification code and click on the “Verify” button
That’s it, we logged in. Now it’s time to automate the process. We’re not going to open the Authenticator app every time we log in, are we?
1. Install OATH Toolkit on your machine:
brew install oath-toolkit
2. Generate the TOTP verification code:
oathtool --base32 --totp "${YOUR_SECRET_KEY}"
Cool beans, the output of the last command is the TOTP verification code. Check it out!
Conclusion
2FA is a truly secure thing, but as you might have noticed, it’s also a kind of developer-friendly tool: to bypass it from a script, an automation test or whatever, we can simply use oathtool at the moment of logging in. Hope it helps. See ya later (: