Enable passing MFA TOTP without opening the browser #2752
Replies: 1 comment 2 replies
-
|
I'm not sure how that would work. The OTP check happens as part of the browser login flow. That login page is hooked to your org, which is where all the 2FA/SSO/policies/session stuff is controlled. AFAIK, there's not an authorization endpoint that the CLI can pass an OTP to. Let me know what endpoint you have in mind for this. |
Beta Was this translation helpful? Give feedback.
-
|
I couldn't find one :/ I just thought thar if aws did it, maybe sf could do it as well for accounts that enforce MFA. The good news is that I still believe there is chance for automating the flow using this browser api: https://developer.chrome.com/docs/capabilities/serial Obs: Firefox and Safari probably have this feature as well. But I did not confirm. There would have to exist an etension to automatically fetch the TOTP from the device whenever a login flow which requires MFA starts.
|
Beta Was this translation helpful? Give feedback.
-
|
I'm almost finishing the implementation of the above solution. I just need to write a basic chrome extension, and then it will be done. |
Beta Was this translation helpful? Give feedback.
-
aws cli allows login with iam users with MFA enabled without opening a browser. We can simply type:
Other clis have the same feature.
If sf cli enables it, I can automate sf to request a TOTP from my esp32 mfa totp generator instead of manually typing it.
https://github.com/AllanOricil/esp32-mfa-totp-generator
Flow:
sfdx -> node-red -> esp32 -> sfdx -> salesforce -> successful login
you can change esp32 by any other external virtual mfa app running on any device. Node-red is just a layer to protect which clients are authorized to access the device that takes care of generating TOTPs. In the future it could also work as a passkey storage. Sfdx would ask the device for the passkey, not requiring any user interactions during programatically logins.
Beta Was this translation helpful? Give feedback.
All reactions