Skip to main content

Generate OTP authenticator token

Suhas Reddy
Updated

The OTP_Authenticator extension generates a time-based one-time password token from a shared authenticator secret. It is useful for 2FA or MFA login flows where your journey needs to enter the same short-lived token that an authenticator app would produce.

This is useful when an application requires a TOTP value during sign-in and the secret has already been provisioned for the test account. The extension returns the current token as a string so it can be stored in a Virtuoso variable and used in the next login step.

Parameters:

  • secret required, the authenticator shared secret string used to generate the OTP token. This is the value commonly called otpKey in test data or Key URI provisioning flows. The source code expects the input name secret, so configure the extension input with this exact name.

Note: Store the authenticator secret as an environment sensitive variable where possible. The token is time-based and short-lived, so generate it immediately before the step that enters or submits the OTP.

How to apply this to your journey

Use the extension in a journey by calling OTP_Authenticator with the execute command. Pass the authenticator secret to the extension input using as secret, then store the generated token in a variable such as $token.

Note: The code uses otplib.authenticator.generate(secret). If the extension input is created as otpKey instead of secret, the script will not receive the value expected by the source code. Keep the configured input name as secret and pass your $otpKey variable into that input.

execute "OTP_Authenticator" using "lojbhofkt6rzchu7jt25hy62s7vunuu5l5dtwy5pbqrsevft366us5xu" as secret returning $token
OTP_Authenticator("lojbhofkt6rzchu7jt25hy62s7vunuu5l5dtwy5pbqrsevft366us5xu") returning $token

You can also store the secret in a variable first. For sensitive login flows, prefer using an environment sensitive variable and pass that variable into the secret input.

execute "OTP_Authenticator" using "$otpKey" as secret returning $token
store value "lojbhofkt6rzchu7jt25hy62s7vunuu5l5dtwy5pbqrsevft366us5xu" in $otpKey
execute "OTP_Authenticator" using "$otpKey" as secret returning $token
write $token in field "One-time password"
click on "Verify"

Example output:

123456

This extension requires the following resources:

The extension should be configured as:

  • Run asynchronously: No
  • Scope: Global

Limitation: This extension depends on the configured @otplib/preset-browser resources being loaded successfully and on the otplib browser global being available when the Virtuoso step runs. Network restrictions, content security policy, proxy rules, or blocked access to unpkg.com can prevent token generation. The source code expects the input variable name secret; if the extension is configured with only otpKey, secret will be undefined and the step will fail. The generated value is based on the execution environment time and the authenticator configuration used by the application under test, so clock skew, token expiry, a different time step, digit count, encoding, or hash algorithm can cause the application to reject the token. By default the source uses SHA-1; if SHA-256 or SHA-512 is required, the code must be edited and the journey should use an extension name that clearly identifies the algorithm. Treat the authenticator secret as sensitive test data and avoid printing it in logs or non-sensitive variables. Cross-browser note: This extension does not intentionally inspect or mutate the page DOM, but it does run in the browser or device context selected for the journey and relies on external browser scripts. Validate it in each browser/device configuration used by your plan, especially where resource loading, browser cryptography support, network policy, or remote-grid behavior differs from the default execution environment.

Add the extension to your Virtuoso instance

Select the domain that matches your Virtuoso account.

Add extension to Virtuoso - https://app.virtuoso.qa/ Add extension to Virtuoso Free Trial - https://app2.virtuoso.qa/
Add extension to Virtuoso US - https://app-us.virtuoso.qa/ Add extension to Virtuoso UK - https://app-uk.virtuoso.qa/
View source

Last updated: 06/06/2024

Resources:

// Last updated: 06/06/2024, 13:40:20 UTC
// Resources:
//   https://unpkg.com/@otplib/preset-browser@^12.0.0/buffer.js
//   https://unpkg.com/@otplib/preset-browser@^12.0.0/index.js

// By default this extension uses sha1 as algorithm, if the authenticator needs a different hash uncomment one of the groups below:

// - for sha256
/*
otplib.authenticator.options = {
  algorithm: "sha256"
}
*/

// - for sha512
/*
otplib.authenticator.options = {
  algorithm: "sha512"
}
*/

return otplib.authenticator.generate(secret)

Comments

0 comments

Please sign in to leave a comment.