Automations involving Duo 2 factor authentication

A huge number of processes that we will want to automate involve getting to a page or system through 2 factor authentication. We authenticate first with a simple username and password screen, and then verify that with a Duo app, most often on the user’s cell phone, which is where I’m getting stuck. I understand how to get a robot to open a browser and navigate to a URL, and then go through the first step of the authentication with a username and password, but then in many cases, that step will lead to the Duo app on the user’s cell phone requesting that the user click “Approve” or “Deny”. Once the person approves the action, the browser will reroute to the requested URL. I’m having trouble visualizing how the robot will handle waiting for the person to Approve the request - since the URL would be in the “open browser” step, I’m unclear on how to tell the robot that the browser has actually gotten to the page it was originally asked to open. A simple pause won’t work - the person could fumble with their phone, or have to go find it in order to approve the request, or any number of things which will take up time. Has anybody done an automation using a Duo app before?

1 Like

I am assuming that as soon as user click on ‘Approve’ from the Duo App the browser in the web directly navigate to some home page without need of any further action from the user.

Not sure if this could be a right approach but you can use a ‘Find Element’ activity with higher TimeoutMS property value. This activity should indicate an element that appears in your home page when user click on ‘Approve’ button in the Duo app. Keeping the higher value for the timeout will let the robot wait until that user click on ‘Approve’ manually and the webpage navigates to the homepage with that element visible.

Let me know if that helps.

Rammohan B.

Thanks! I think this might just do it!


Great Question, Meredith! This is precisely the same situation that I find myself in. i.e. wanting to scrape data from financial or health care related sites for which 2-factor authentication has been enabled. Did the “time out” solution work for you? This seems to be hit or miss … as users receive a Duo request and yet they know that “they” aren’t requesting to access the target web site (because the robot, which is running on their behave, is the agent which triggered the Duo request).

There are countless scenarios where this approach will not work simply because the user isn’t near their cell phone or preoccupied with something else (e.g. phone in silence mode, sleeping, in dentist chair, etc. etc). Given all these potential points of failure … did you come up with a more consistent approach for working around the 2-factor authentication problem?

1 Like