Two-Factor Authentication Support for Authenticated Scans

Run authenticated security tests on apps protected by 2FA — no workarounds needed.

February 27, 2026

Many of the applications you need to test are protected by two-factor authentication. Until now, that meant extra steps or workarounds to run authenticated scans.

Not anymore. RedVeil now supports optional 2FA for browser-based login flows, so you can test MFA-protected apps just as easily as everything else.

What you can do now

  • Test apps with 2FA enabled — RedVeil handles one-time code entry automatically during login.
  • Use your existing TOTP secret — Paste your authenticator app's secret key, and RedVeil generates fresh codes as needed.
  • Or provide a one-time code directly — For SMS, email, or other OTP flows, you can supply the current code when starting a test.
  • Keep secrets safe — The 2FA secret field is now masked in the scan settings UI, just like passwords.

How to use it

  1. Go to your scan settings and select HTML Form Login as the authentication method.
  2. Enter your username and password as usual.
  3. Optionally add your TOTP / 2FA Secret (the base32 key or otpauth:// URL from your authenticator app).
  4. Start your scan — RedVeil will handle the 2FA prompt automatically.

That's it. No browser extensions, no manual intervention, no disabling MFA on test accounts.
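
How a time-based code is derived from either input form named in step 3 (a bare base32 key or an otpauth:// URL), following RFC 6238. This is an added example, not RedVeil's code; the function names are hypothetical and the sample inputs are constructed from the RFC 6238 SHA-1 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_totp_input(value):
    """Accept a bare base32 key or an otpauth:// URL and return TOTP parameters."""
    cfg = {"digits": 6, "period": 30, "algorithm": "SHA1"}  # usual authenticator defaults
    value = value.strip()
    if value.lower().startswith("otpauth://"):
        url = urlparse(value)
        if url.netloc.lower() != "totp":
            raise ValueError("not a time-based (totp) otpauth URL")
        query = parse_qs(url.query)
        if "secret" not in query:
            raise ValueError("otpauth URL carries no secret parameter")
        value = query["secret"][0]
        cfg["digits"] = int(query.get("digits", ["6"])[0])
        cfg["period"] = int(query.get("period", ["30"])[0])
        cfg["algorithm"] = query.get("algorithm", ["SHA1"])[0].upper()
    if cfg["algorithm"] not in ALGORITHMS:
        raise ValueError("unsupported algorithm")
    # Authenticator apps often display keys in lowercase groups without padding.
    b32 = value.replace(" ", "").replace("-", "").upper()
    b32 += "=" * (-len(b32) % 8)
    cfg["key"] = base64.b32decode(b32)  # raises binascii.Error on a malformed key
    return cfg

def totp(value, at=None):
    """Return the code for `value` at Unix time `at` (default: now), per RFC 6238."""
    cfg = parse_totp_input(value)
    counter = int(time.time() if at is None else at) // cfg["period"]
    mac = hmac.new(cfg["key"], struct.pack(">Q", counter),
                   ALGORITHMS[cfg["algorithm"]]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** cfg["digits"]).zfill(cfg["digits"])

# Constructed sample inputs: the RFC 6238 SHA-1 test key, not a real account secret.
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
SAMPLE_URL = "otpauth://totp/Example:scanner?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=8"

if __name__ == "__main__":
    print(totp(SAMPLE_KEY, at=59), totp(SAMPLE_URL, at=59))
```

Anyone holding the key can compute every future code, which is why the secret field warrants the same masking and storage controls as a password.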

Why this matters

  • Test what you actually ship — Stop maintaining separate non-MFA test accounts.
  • More realistic coverage — Authenticated scans now work against production-like auth flows.
  • Less manual setup — One configuration, and RedVeil handles the rest.

Questions?

If you have questions about setting up 2FA for your scans, reach out to our team or ask Rune, your AI pentest consultant, directly in the app.