I used to do quite a bit of availability testing in the past, but never got to test how virtual login flows would work with transient (non-persistent) one-time passwords.
It wasn’t until recently that I got an assignment to do something that monitors an MFA system. During the assignment I stumbled on something called PyOTP, which pairs quite well with Azure Functions. After the assignment was over I decided to write this blog to share some details:
This blog covers the creation of an MFA client using Azure Functions and PyOTP. If you’re interested in how one-time passwords work, check the RFCs below for in-depth information:
Disclaimer: The information in this weblog is provided “AS IS” with no warranties and confers no rights.
How does it work?
Prerequisites:
- Azure Subscription with possibility of creating Azure Functions
- Your MFA implementation is compatible with RFC4226 and RFC6238
  - Examples: Microsoft MFA, RCDevs OpenOTP and many others
Azure Functions
- Create New Azure Function (consumption plan will suffice)
- Locate platform features, and select Advanced Tools (Kudu)

- Update Python version to 3.5.2 using the guide Azure Functions Python
  - I opted to install ’python-3.5.2-embed-win32’
  - Slightly earlier or later versions, I suppose, work just as well
- Drag & drop the correct package to d:\home\site\tools (it will unzip automatically)

PYOTP
This part covers the installation of PyOTP, which is a Python library for generating and verifying one-time passwords. Read more at https://github.com/pyotp/pyotp
- Install PyOTP with the PowerShell or CMD console in Kudu:

    python -m pip install pyotp --target=d:\home\site\tools

Fetch the key from your MFA solution. In the example I use Microsoft MFA:
- Use the URL MFA Enroll
- Select ’Configure app with notifications’ and take note of the ’Secret Key’
- Create Python HTTP trigger
- Remember to toggle ’Experimental Language Support = Enabled’

- Test the function with the "MFA key" fetched from MFA and inserted into the code.
- In production code you might not want to have the secret key in plaintext; for this prototype I opted for the low-hanging fruit :)…

    import os
    import platform

    import pyotp

    print("Python == ", platform.python_version())

    # Base32 secret key noted from the MFA enrollment page (plaintext only for this prototype)
    totp = pyotp.TOTP('YourMFAKeyHere')
    otp = totp.now()  # current time-based OTP, already a string

    # The 'res' environment variable holds the path of the file used as the HTTP response
    with open(os.environ['res'], 'w') as response:
        response.write(otp)

- Output should now display the OTP in the response
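
An added example, not code from the original post or from the PyOTP project: what `pyotp.TOTP(...).now()` computes under RFC 4226 and RFC 6238, written with the standard library only, with the secret read from an app setting (exposed to the function as an environment variable) instead of the source file. The setting name `MFA_TOTP_SECRET` and all function names are assumptions; the sample key is the constructed RFC 6238 test key, not a real secret.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(b32_secret: str, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / step)."""
    normalized = b32_secret.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)  # enrollment pages often omit padding
    key = base64.b32decode(normalized)
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def seconds_remaining(at: float = None, step: int = 30) -> int:
    """Seconds until the current code expires; a monitor can wait out a boundary."""
    now = time.time() if at is None else at
    return step - int(now) % step


def otp_from_app_setting(name: str = "MFA_TOTP_SECRET", at: float = None) -> str:
    """Read the Base32 secret from an environment variable (assumed setting name)."""
    secret = os.environ.get(name)
    if not secret:
        raise RuntimeError("app setting %s is not set" % name)
    return totp(secret, at)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
    os.environ.setdefault("MFA_TOTP_SECRET", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(otp_from_app_setting(), "valid for", seconds_remaining(), "s")
```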


Consuming OTP’s
- Choose your coding/scripting language and just add a simple REST call to it:
- Get the key to call the function from ’Get function URL’, and add it to the part of the code where you fetch the OTP and deliver it for verification
- URI for the function: if possible, limit calls to only a certain range of IPs (this is not required for this to work, but it’s something you might want to consider)
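Below is the snippet of that part where the OTP is delivered to the login form:
- PowerShell is just too easy, and keeps me from learning new languages :)… so I opted for it (once again) to create the prototype:

    # Assemblies that provide AppActivate and SendKeys
    Add-Type -AssemblyName Microsoft.VisualBasic
    Add-Type -AssemblyName System.Windows.Forms

    # Fetch the current OTP from the Azure Function
    $OTP = Invoke-RestMethod -UseBasicParsing -Uri "APIURIHERE" -Method Post
    # Split the OTP into single characters, dropping the empty strings -split produces
    $keys = $OTP -split "" | Where-Object { $_ -ne "" }
    # $ieProc comes from an earlier part of the script that is not shown in this snippet
    [Microsoft.VisualBasic.Interaction]::AppActivate($ieProc.Id); Start-Sleep -Seconds 1
    foreach ($key in $keys) {
        Start-Sleep -Milliseconds 20
        [System.Windows.Forms.SendKeys]::SendWait("{$key}")
    }
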
Hope this helps somebody 🙂 – I for sure had a blast doing it!
Br,
Joosua