How to securely automate TOTP MFA in CI/CD without exposing credentials?

Summary

This article discusses how to securely automate Time-Based One-Time Password (TOTP) Multi-Factor Authentication (MFA) in CI/CD pipelines without exposing credentials. It covers the main challenges of automating TOTP MFA: injecting the secret, managing authentication state, and bypassing MFA for the pipeline.

Root Cause

The root cause of the problem is the need to automate TOTP MFA in a CI/CD pipeline while keeping credentials and the TOTP secret key secure. The main challenges are:

  • Storing the secret key and injecting it into the CI/CD pipeline without committing it to source
  • Managing authentication state in a headless browser environment
  • Avoiding rate limiting and suspicious-login flags triggered by repeated automated sign-ins

Why This Happens in Real Systems

This problem occurs in real systems because CI/CD pipelines usually run in headless environments, where a TOTP code can expire between generation and submission and authentication state is lost between runs. Additionally, hardcoding secrets or storing them in plain text is a significant security risk.

Real-World Impact

The real-world impact of this problem includes:

  • Security risks from exposing credentials and the TOTP secret key
  • Rate limiting and suspicious-login flags that block legitimate test runs
  • Increased maintenance cost from constantly refreshing and managing authentication state

Example or Code

const otpauth = require('otpauth');

// Generates the current 6-digit TOTP code from a base32 secret that the CI/CD
// pipeline injects as the M365_OTP_SECRET environment variable. The secret is
// never hardcoded and never logged.
function generateTOTP() {
  const secretKey = process.env.M365_OTP_SECRET;
  if (!secretKey) {
    throw new Error('M365_OTP_SECRET is not set; inject it from the CI secret store');
  }
  const totp = new otpauth.TOTP({
    secret: otpauth.Secret.fromBase32(secretKey), // authenticator secrets are base32-encoded
    algorithm: 'SHA1', // default for M365 / most authenticator apps
    digits: 6,
    period: 30, // seconds per code window
  });
  return totp.generate();
}

How Senior Engineers Fix It

Senior engineers fix this problem by:

  • Injecting the secret key through environment variables populated from the CI/CD platform's secret store, rather than committing it to the repository
  • Implementing secure state management, such as storing authentication state in a secure artifact repository and reusing it across runs
  • Exempting specific CI IP ranges from MFA, or using test-only bypasses, to avoid rate limiting and suspicious-login flags

Why Juniors Miss It

Junior engineers may miss this problem because they:

  • Lack experience with CI/CD pipelines and headless browser environments
  • Are unfamiliar with secure secret-handling practices, such as injecting secret keys through environment variables instead of committing them
  • Do not fully understand the security risks of exposing credentials and hardcoding secrets