InsightAppSec: Time-based One-Time Passwords, MFA Automation Using Macros
Rapid7, Thursday, September 4th, 2025
Automated security scanners can be stopped in their tracks by Multi-Factor Authentication (MFA). While this is great for security, it poses a challenge for scanning. Luckily, Rapid7's InsightAppSec makes it easy to handle Time-based One-Time Passwords (TOTP): typically a six-digit code, derived from a shared secret and the current time, that refreshes every 30 seconds (RFC 6238). Because the scanner holds the same shared secret as the authenticator app, it can generate valid codes itself rather than waiting for a human to type one.
This guide will walk you through the entire process of configuring an InsightAppSec scan to complete a TOTP MFA login (the scan satisfies the control with valid codes; it does not bypass it), using the challenge site authenticationtest.com as our example.
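To make concrete what the scan has to reproduce at login time, here is a minimal RFC 6238 TOTP generator. This is an added example, not code from Rapid7 or from InsightAppSec; it assumes the RFC defaults (HMAC-SHA1, 30-second step, six digits) and uses the RFC 6238 test-vector secret, so the sample codes can be checked against the RFC rather than against any real account. `seconds_remaining` is an added helper that a login macro can use to avoid submitting a code that is about to roll over.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    # Authenticator apps often hand out unpadded, lowercase, space-separated base32;
    # normalise before decoding.
    normalised = secret_b32.replace(" ", "").upper()
    normalised += "=" * (-len(normalised) % 8)
    key = base64.b32decode(normalised, casefold=True)

    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()

    # Dynamic truncation: low nibble of the last byte picks a 4-byte window,
    # whose top bit is masked off before taking the decimal remainder.
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, int(at) // step, digits, algorithm)


def seconds_remaining(at=None, step: int = 30) -> int:
    """Seconds until the current TOTP window rolls over; useful for a login macro
    that should not submit a code with only a second or two of validity left."""
    if at is None:
        at = int(time.time())
    return step - (int(at) % step)


# RFC 6238 Appendix B test-vector secret for the SHA1 column ("12345678901234567890" in ASCII),
# encoded here the way an authenticator QR code would carry it.
RFC6238_SHA1_SECRET = base64.b32encode(b"12345678901234567890").decode()


if __name__ == "__main__":
    # RFC 6238 lists 94287082 for T=59 with 8 digits; six-digit output is the last six.
    print(totp(RFC6238_SHA1_SECRET, at=59))              # 287082
    print(totp(RFC6238_SHA1_SECRET, at=59, digits=8))    # 94287082
    print("current code:", totp(RFC6238_SHA1_SECRET), "valid for", seconds_remaining(), "s")
```

Two practical notes for scan configuration follow from this. First, the only secret material involved is the base32 seed; any client that holds it is a full second factor, so treat it like a password in the scan's credential store. Second, a code generated with one or two seconds left in its window may expire before the login request is processed; many servers tolerate one step of skew, but a macro that checks `seconds_remaining` and waits for the next window when it is low avoids depending on that.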
Step 1: Extract the TOTP secret key
Before you can do anything else, you need the secret key that the application uses to generate its one-time passwords. This secret is embedded in the QR code...