### Problem to solve Customers have enabled MFA on their applications. Because DAST does not support MFA, customers must disable MFA on their test applications. Many customers do not want to do this because they want their test application to be an apples to apples comparison with their production application. Additionally, security teams do not like telling their developers to remove a security control in order to test for security flaws. ### [FY26 Roadmap Item](https://docs.google.com/presentation/d/1ABoGLJkQZNs3Y92NELNrRvjsbo_PNEjGMyCRVz2sU2A/edit#slide=id.g3321f028e83_21_52) | Roadmap Issue | Deliverable | Status | | ------------- | ----------- | ------ | | https://gitlab.com/gitlab-org/gitlab/-/issues/523483+s | ~Deliverable | | | https://gitlab.com/gitlab-org/gitlab/-/issues/523484+s | ~Deliverable | | | https://gitlab.com/gitlab-org/gitlab/-/issues/523487+s | ~Deliverable | | | https://gitlab.com/gitlab-org/gitlab/-/issues/523488+s | ~Deliverable | | ### Proposal Perform the minimal amount of work with an eye towards [the authentication scripts work coming.](https://gitlab.com/gitlab-org/gitlab/-/issues/508553) ### Assumptions * Support static and the Google Authenticator flavor of TOTP * No support for `_SCRIPT` or optional TOTP variables (will use their default values) * `DAST_AUTH_OTP_SUBMIT_FIELD` is required, which assumes that the OTP field is presented after the password is submitted. ### General Procedure 1. The scanner determines what OTP value to use. * If `DAST_AUTH_OTP_STATIC` is populated, that value is used. * If `DAST_AUTH_OTP_KEY` is populated, the OTP value is calculated using the Google Authenticator flavor of TOTP. 2. The scanner populates the OTP value into `DAST_AUTH_OTP_FIELD` in the form that is presented after the password is submitted. Waiting for the new form to appear follows the same logic as waiting for the password form after the username is submitted in a multi-step login. If the field cannot be found or populated, auth fails. ### Variables * `DAST_AUTH_OTP_FIELD` * `DAST_AUTH_OTP_KEY` * `DAST_AUTH_OTP_STATIC` * `DAST_AUTH_OTP_SUBMIT_FIELD` `DAST_AUTH_OTP_STATIC` is mutually exclusive with `DAST_AUTH_OTP_KEY`. If either one is set, `DAST_AUTH_OTP_FIELD` and `DAST_AUTH_OTP_SUBMIT_FIELD` are required.