# Handling Two-Factor Authentication (TOTP)

Aikido's AI agent can generate valid Time-based One-Time Passwords (TOTP) to bypass 2FA screens during authenticated scanning.

**Use this feature if your application requires:**

* **Authenticator Apps:** The login flow asks for a 6-digit code from Google Authenticator, Authy, 1Password, etc.

{% hint style="info" %}
If your app sends codes via Email, use the [Email Verification feature](https://help.aikido.dev/pentests/configure-a-pentest/setting-up-authenticated-testing/handling-email-verification-and-magic-links).

If your app uses SMS codes, use [SMS Verification](https://help.aikido.dev/pentests/configure-a-pentest/setting-up-authenticated-testing/handling-sms-verification).
{% endhint %}

### How it works

Instead of scanning a QR code with your phone, you extract the raw **Secret Key** (or `otpauth://` URI) from your application and paste it into Aikido. The agent uses this secret to mathematically generate valid codes on the fly during the scan.

### Setup Guide

{% stepper %}
{% step %}

#### Locate the Secret Key

Go to the 2FA setup screen in your target application (where you would normally scan the QR code).

1. Look for a text link that says **"Can't scan the QR code?"**, **"Trouble scanning?"**, or **"View Setup Key"**.
2. Click it to reveal the raw text code (the Secret Key).
3. Copy this string (e.g., `4IKIDOI5AW35OME`).

<div data-with-frame="true"><figure><img src="https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2FO8FdOgZh2DkJGurrHKlX%2FScreenshot%202025-12-11%20at%2011.17.30.png?alt=media&#x26;token=5ca361f5-efad-4b79-a12e-6442411e117f" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Configure Aikido

In the Aikido **Authentication Set** modal:

1. Scroll to the **TOTP Setup** section.
2. Paste the Secret Key (or the full `otpauth://` URI) into the input field.
3. The system will validate the format immediately.

<div data-with-frame="true"><figure><img src="https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2F5RPiqetcCs7J57K4inBW%2FScreenshot%202025-12-11%20at%2011.21.54.png?alt=media&#x26;token=94c7dfbe-fe01-4c17-af8f-dfd93efe9e6f" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Update Login Logic

You must explicitly tell the agent when to enter the code.

**Example Instruction:**

```
1. Navigate to https://app.example.com/login
2. Enter username: admin
3. Enter password: abc123
4. Click "Log In"
5. When the 2FA screen appears, generate a TOTP code and enter it into the verification field.
6. Click "Verify"
```

{% endstep %}

{% step %}

#### Test the Configuration

Verify that the agent can generate and input the code correctly:

1. Click **Save & Test**.
2. The agent will launch a browser session.
3. Watch the playback logs to ensure the agent successfully bypassed the 2FA prompt and reached the dashboard.

<div data-with-frame="true"><figure><img src="https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2FauxuucOxksQiWZm4dFJN%2Fimage.png?alt=media&#x26;token=67e30f25-989b-4dc9-ae46-a5ee01e5204c" alt=""><figcaption></figcaption></figure></div>
{% endstep %}
{% endstepper %}