Creating Custom Multi-Factor Authentication Client with Azure Functions

I used to do a quite a bit of availability testing in past, but never got to test how virtual login flows would work with transient (non-persistent) one time passwords.

It wasn’t until recently I got assignment to do something that monitors MFA system. During the assignment I stumbled on something called PyOTP, which pairs quite well with Azure functions. After the assignment was over I decided to write this blog to share some details:

This blog covers creation of MFA client using Azure Functions and PYOTP.  If you’re interested how One-Time-Passwords do work, then check the RFC’s below for in depth information:

Disclaimer: The information in this weblog is provided “AS IS” with no warranties and confers no rights.

How does it work?


  1. Azure Subscription with possibility of creating Azure Functions
  2. Your MFA implementation is compatible with RFC4226 and RFC6238
    • Examples Microsoft MFA, RCdevs OpenOTP and many others

Azure Functions

  • Create New Azure Function (consumption plan will suffice)
  • Locate platform features, and select Advanced Tools (Kudu)
Platform features
  • Update Python version to 3.5.2 using guide Azure Functions Python
    • I opted to install ’python-3.5.2-embed-win32’
      • Bit earlier or later versions, I suppose do work just as well
    • Drag & Drop the correct packet to d:\home\site\tools (It will unzip automatically)


This part covers installation of PyOTP, which is a Python library for generating and verifying one-time passwords. /Read more @ https://github.com/pyotp/pyotp 

  • Install PYOTP with Powershell, or CMD console in KUDU

Python -m pip install pyotp --target=d:\home\site\tools

installing PyOTP

Fetch the key from your MFA solution;

In the example I use Microsoft MFA

  •  Use the URL MFA Enroll
    • Select ’Configure app with notifications’ and take note of the ’Secret Key’

Kuvaesitys vaatii JavaScriptin.

  • Create Python HTTP trigger
    • Remember to toggle ’Experimental Language Support = Enabled’
Create new HTTP Trigger
  • Test the function with the ”MFA key” fetched from MFA, and inserted into the code.
    • In production code you might not want to have the secret key in plaintext, for this prototype I opted for the low hanging fruit :)…
import os
import json
import platform
print("Python == ", platform.python_version())
import pyotp
totp = pyotp.TOTP('YourMFAKeyHere')
s = totp.now()

response = open(os.environ['res'], 'w')
  • Output should now display the OTP in the response
Function editor
Call example

Consuming OTP’s

  • Choose your coding /scripting language and just add simple REST call to it:
    • Get the key to call the function from ’Get function URL’, and implement it to the part of the code where you fetch the OTP, and deliver it for the verification

      URI for the function
    • if possible, limit the call to only certain range of IP’s (this is not required for this thing to work, but its something you might want to consider)

Below is the snippet of that part where the OTP is delivered to the login form:

  • PowerShell is just too easy, and keeps my from learning new languages :)… so I opted for it (once again) to create the prototype:
$OTP=Invoke-RestMethod -UseBasicParsing -Uri "APIURIHERE" -Method Post
$keys = $OTP -split "" | where {$_ -ne ""}
[Microsoft.VisualBasic.Interaction]::AppActivate($ieProc.Id);Start-Sleep -Seconds 1

foreach ($key in $keys)
Start-Sleep -Milliseconds 20


Hope this helps somebody 🙂 – I for sure had a blast doing it!



0 comments on “Creating Custom Multi-Factor Authentication Client with Azure Functions


Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:


Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )


Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: