GetMyMFA
<- Go Back

Using webhooks to industrialize MFA Testing

Jonathan Bernales
Jonathan Bernales
Founder

Multi-Factor Authentication (MFA) is essential for securing online applications, providing an additional security layer to user accounts by requiring multiple verification methods. As cyber threats become increasingly sophisticated, MFA adoption is rapidly growing, particularly in regulated industries such as finance, healthcare, and insurance. However, testing MFA workflows introduces unique challenges for Quality Assurance (QA) teams, who must accurately replicate realistic production scenarios without compromising security or user experience.

In our previous blog posts, we covered the foundational principles of MFA implementation and the common challenges faced during automation testing. Platforms like GetMyMFA help automate receiving and managing MFA codes, significantly reducing the complexity associated with manual testing processes. In essence, they prove ideal for MFA Test Automation.

In this blog post we'll delve deeper into the collaborative aspects of MFA testing using webhooks and how such features allow you to work in an optimal way.

The Challenge of MFA Testing in a collaborative environment

Testing MFA workflows requires maintaining a delicate balance between realistic scenarios and practicality. Disabling MFA in testing environments might simplify initial testing but risks leaving critical issues undiscovered until production. These late-stage discoveries can have severe implications, including service disruptions, compromised security, and negatively impacted user experience. Hence, testing environments must closely replicate production conditions, including active MFA mechanisms.

Effective Use of Third-Party Services for MFA Testing

Third-party services significantly ease the complexity of MFA testing across different delivery methods:

  • Email-based MFA: One effective strategy involves using shared mailboxes or Google Groups. Such centralized systems allow multiple testers to simultaneously access emails containing MFA codes without individually forwarding them, reducing the risk of errors or duplicated efforts. These shared accounts can also leverage features like “Plus addressing” to create sub-accounts (e.g., test+user1@domain.com), simplifying the organization of test scenarios. If such features are not allowed by your IT department, GetMyMFA provides virtual emails allowing you to share MFA codes with your team members.
    • Google Group email sharing interface
  • SMS-based MFA: Sharing physical mobile devices equipped with multiple SIM cards is neither practical nor secure for testing purposes. Instead, virtual number services, like GetMyMFA, offer secure, web-based access to MFA SMS codes. These virtual numbers can be accessed via APIs or web interfaces, simplifying automation and providing a seamless, consistent setup mirroring the production environment.
    • GetMyMFA MFA Code sharing interface
  • TOTP-based MFA:Temporary One-Time Password (TOTP) codes require secure storage and distribution. Password managers such as Bitwarden or 1Password provide a secure environment to store and share TOTP keys, enabling testers to generate required MFA codes easily without compromising data security.
    • Bitwarden's OTP preview interface

Webhooks: Real-Time MFA Code Sharing

Webhooks have emerged as a practical solution for streamlining MFA testing by enabling real-time sharing of MFA codes among QA teams. A webhook is an automated communication mechanism triggered by specific events, sending instant notifications directly to collaboration platforms such as Slack, Microsoft Teams, or Google Workspace. Unlike traditional APIs, webhooks don't require constant polling for data; instead, they push information proactively the moment an MFA event occurs, significantly reducing delays and manual intervention.

Integrating webhooks with MFA management tools like GetMyMFA simplifies the process further. For instance, teams can configure webhooks to automatically forward MFA codes from emails or SMS directly into their preferred communication channels. This approach eliminates the need for manual checking and enhances overall team productivity, transparency, and test traceability. Here's what Slack and Teams channels look like for teams using webhooks:

Teams group interface showing MFA codesSlack channel interface showing MFA codes

Setting up your webhook configuration with GetMyMFA

Through its Enterprise plan, GetMyMFA offers a straightforward Webhook configuration interface allowing to simply connect to any third-party provider. You simply need to provide the URL to your Teams or Slack integration, and you are up and running:

MFA Email interface illustration

Shall you wish to send a webhook to a custom endpoint, you can even configure your HTTP Method as well as an authorization Header:

MFA Email interface illustration

Final thoughts

We've explored the critical aspects of MFA implementation, the challenges associated with testing secure authentication processes, and practical solutions for automating and enhancing MFA workflows. By leveraging platforms such as GetMyMFA, companies like yours can achieve robust MFA testing and ensure secure authentication mechanisms for both human users and automated robots.

For teams ready to elevate their MFA testing practices, GetMyMFA provides tailored, secure, and user-friendly solutions. We invite you to contact our team to explore how GetMyMFA can support your security objectives, streamline your workflows, and help your team excel in delivering secure and efficient authentication processes.

Ready to improve your security practices? 👉 Feel free to sign-up to a 7-day free trial (no credit card required).