Providing credentials

Most critical vulnerabilities—IDORs, privilege escalations, logic bugs—live behind your login screen. To find them, Aikido’s AI Pentest agent needs access.

Unlike legacy tools that require complex Selenium scripts or proxy recordings, Aikido uses an LLM-driven approach. You simply tell the agent how to log in using natural language, just like you would explain it to a human QA tester.

Here is how to configure your authentication sets.

1. Create an Authentication Set

In the scan configuration or settings menu:

  1. Click Add Authentication Set.

  2. Name: Give this set a descriptive name (e.g., Admin Credentials, Read-Only User, Tenant A - Manager).

We recommend setting up multiple personas to test for Broken Access Control (BAC) between different privilege levels.

2. Provide Login Instructions

This is the most important step. In the Authentication instructions field, provide a step-by-step text description of your login flow.

The AI agent follows these steps to navigate your specific UI quirks, so be explicit: use the exact URL, field labels and button text a user would see, in the order they are needed.

Example format:

Navigate to staging.app.com/login

Click on "Log in with Username"

Enter username: pentest_admin

Enter password: super_secure_password_123

Click the "Sign In" button

If your app uses SSO (Google/Microsoft/...), provide credentials for a native account if possible, or ensure the SSO flow is explicitly described in the steps and the SSO domain is allowed in the scan settings.

The AI agent is equipped to solve standard Captchas automatically. You do not need to disable these for the scan or provide specific instructions for them.

3. Handle 2FA (MFA)

If your staging environment enforces 2FA, or you simply want the pentest to exercise it, Aikido supports TOTP (Time-based One-Time Password) generation. The agent needs the shared TOTP secret of the test account so that it can compute the current code itself when it logs in.

  1. In your application's security settings, enrol the test account in TOTP and copy the setup secret. Most applications show this as a QR code together with a manual-entry key; the QR code encodes an OTPAuth URI of the form otpauth://totp/<label>?secret=<base32 key>&issuer=<name>. If only the manual key is shown, build the URI from it in that form.

  2. Paste the OTPAuth URI into the 2FA field in Aikido.

Treat this secret like a password: anyone holding it can produce valid codes for that account, so it should belong only to a dedicated test account on staging, never to a real user.
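Before pasting a URI, it is worth confirming that it actually produces the codes your authenticator app shows for the same enrolment; a typo in the secret or a non-default digits/period parameter only surfaces as a failed login later. The script below is an added example, not Aikido's code: it parses a Key URI, generates the TOTP for it with plain RFC 6238 HMAC, and can also build a URI when an app only displays the manual-entry key. The Acme Staging label and the DEMO_URI secret (the RFC 6238 reference key, so the output can be checked against the RFC's published vectors) are constructed for illustration and do not belong to any real account.

```python
"""Sanity-check an otpauth:// URI by generating TOTP codes from it (RFC 6238).

Added example, not Aikido's code: run it, compare the printed code with the
authenticator app enrolled for the same secret, then paste the URI into Aikido.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse


def build_totp_uri(label, key, issuer=None, digits=6, period=30, algorithm="SHA1"):
    """Build a Key URI when the app only shows a manual-entry key, not a QR code."""
    secret = base64.b32encode(key).decode().rstrip("=")  # apps omit '=' padding
    uri = f"otpauth://totp/{quote(label, safe='')}?secret={secret}"
    if issuer:
        uri += f"&issuer={quote(issuer, safe='')}"
    return uri + f"&digits={digits}&period={period}&algorithm={algorithm}"


# Constructed demo URI (not a real account). Its secret is the RFC 6238
# reference key "12345678901234567890", so the codes it produces can be checked
# against the RFC's published test vectors (287082 at Unix time 59).
DEMO_URI = build_totp_uri("Acme Staging:pentest_admin", b"12345678901234567890",
                          issuer="Acme Staging")


def parse_otpauth_uri(uri):
    """Return the parameters of a Key URI (otpauth://totp/<label>?secret=...)."""
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError(f"not an otpauth URI: {uri!r}")
    if u.netloc.lower() != "totp":
        # otpauth://hotp/ secrets are counter-based and cannot drive TOTP logins.
        raise ValueError(f"unsupported OTP type {u.netloc!r}; only totp is supported")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("URI has no secret parameter")
    # Apps accept unpadded, lower-case or space-separated base32; b32decode
    # wants upper case and '=' padding to a multiple of 8 characters.
    secret = params["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri, at=None):
    """Code the URI produces at Unix time `at` (default: now), RFC 6238 style."""
    p = parse_otpauth_uri(uri)
    at = time.time() if at is None else at
    return hotp(p["key"], int(at // p["period"]), p["digits"], p["algorithm"])


def seconds_remaining(uri, at=None):
    """Seconds until the current code rolls over, to avoid testing a stale code."""
    period = parse_otpauth_uri(uri)["period"]
    at = time.time() if at is None else at
    return period - int(at) % period


if __name__ == "__main__":
    p = parse_otpauth_uri(DEMO_URI)
    print(f"label={p['label']!r} issuer={p['issuer']!r} "
          f"{p['algorithm']} digits={p['digits']} period={p['period']}s")
    print(f"current code: {totp_from_uri(DEMO_URI)} "
          f"(valid for {seconds_remaining(DEMO_URI)}s)")
```

If the printed code does not match what the authenticator app shows, the URI is wrong (most often a mistyped secret or a non-default digits, period or algorithm parameter), and the agent's login would fail at the 2FA step for the same reason.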

Support for authentication flows that require email access (e.g., clicking a magic link or retrieving an email verification code) is currently in beta and not enabled by default.

If your application relies on this method, please reach out on Intercom to have this feature enabled for your workspace.

Best Practices

  • Don’t use Production Credentials: Always run pentests on a Staging or QA environment. The scanner performs intrusive tests that can corrupt data.

  • Create Dedicated Test Accounts: Do not use personal developer accounts. Create specific accounts for the scanner (e.g., [email protected]).

  • Cover All Tenants: If your app is multi-tenant, add credentials for users in different tenants (e.g., User - Tenant A, User - Tenant B). This allows the AI to test for cross-tenant data leakage.

Troubleshooting

Authentication is verified during the preflight check immediately after launch. You can watch the agent's screen in real-time to see if it succeeds.

If the agent fails to log in:

  • You won't be charged: We do not deduct credits for failed authentication preflights. You can adjust your settings and retry immediately.

  • Inspect the failure: Check the agent's screenshots in the error log to see exactly where it got stuck.

  • Sanity check steps: Walk through your provided instructions manually in an incognito window. If you skipped a step or a button is unclear, the agent might struggle.

  • Check reachability: Is the login URL reachable from the public internet? If staging sits behind an IP allowlist or a VPN, the agent cannot reach it until its traffic is allowed through.

  • Account status: Ensure the test user hasn't been locked out.
