Frequently asked questions when setting up Multi-Factor Authentication (MFA) on Citrix properties

How will MFA impact me if I use automation to log in to sites (e.g. to automatically download updates from https://www.citrix.com/downloads/)?

You will need to update your automation mechanism to account for MFA. The automation will need to be able to generate Time-based One-Time Password (TOTP) codes.

You will need to know your MFA secret, or secret key. If you do not know your secret, refer to the questions in the FAQ below.

What updates will I need to make to my automation mechanism?

The updates required will depend on the language and type of mechanism used. Below are some examples of libraries that can be used to generate TOTP codes:

  • C#

Library: TwoStepsAuthenticator

Link: https://github.com/glacasa/TwoStepsAuthenticator

TOTP code Example:

var secret = user.secretAuthToken;

var authenticator = new TwoStepsAuthenticator.TimeAuthenticator();

var code = authenticator.GetCode(secret);

Code Sample:

Download: CitrixMfaAuthenticationAutomation.zip (see download above)

NuGet Packages:

  • DotNetSeleniumExtras.WaitHelpers
  • Selenium.WebDriver
  • Selenium.WebDriver.ChromeDriver
  • TwoStepsAuthenticator

  • Python

Library: PyOTP

GitHub Source Code: https://github.com/pyauth/pyotp

PyOTP Site: https://pyauth.github.io/pyotp/

TOTP code Example:

import pyotp

totp = pyotp.TOTP('base32secret3232')

totp.now() # => '492039'

Code Sample:

Download: citrix_authentication_automation.py (see download above)

Python Packages:

  • pyotp
  • Selenium

  • JavaScript

Library: OTPLib

GitHub: https://github.com/yeojz/otplib

NPM: https://www.npmjs.com/package/otplib

TOTP code Example:

import { authenticator } from 'otplib';

const secret = 'mfaSecret';

const token = authenticator.generate(secret);

Code Sample:

Download: citrix_authentication_automation.zip (see download above)

Uses NodeJS. Requires the packages:

  • selenium-webdriver
  • otplib

Please note that the software/automation mechanisms above are not provided by Citrix and Citrix offers no related warranties.


How do I view the MFA secret key for my account?

You can view the MFA secret (Key field) when setting up a Citrix account as shown below:

What if I do not know the MFA secret key for my account?

If the secret is not known or cannot be viewed in the existing authenticator, you will need to re-enroll in MFA. You will also need to update any applicable devices to use the new secret.

You can follow the steps below to re-enroll in MFA and generate the secret:

  1. Authenticate with Citrix Cloud (https://citrix.cloud.com) or My Citrix (https://citrix.com)

  2. Navigate to https://accounts.citrix.com/core/profile

  3. Under the Login Security section, click Change Device

  4. Click Yes, Change device

  5. Enter the MFA TOTP code

  6. You will be presented with the below device registration screen. Save the key highlighted in red below, register a new MFA device, and enter the new TOTP code.

  7. Click Verify code to complete device registration and link the new MFA secret to the account.

What if I use CSS Selectors for automation?

You can use the following details to update your automation mechanism:

  • Username and Password Registration

| # | What | CSS Selector Type | CSS Selector |
|---|------|-------------------|--------------|
| 1 | Username | ID | #username |
| 2 | Password | ID | #password |
| 3 | Submit Button | ID | #submit |

  • MFA Device Registration

| # | What | CSS Selector Type | CSS Selector |
|---|------|-------------------|--------------|
| 1 | Initial Button to Enroll in MFA | XPath | button[contains(@class, "btn-default")] |
| 2 | Textbox to enter email | ID | #account-verification-email-input |
| 3 | Button to send Verification Email | ID | #account-verification-resend |
| 4 | Textbox to enter the code | ID | #account-verification-code-input |
| 5 | Textbox to enter the password | ID | #account-verification-password-input |
| 6 | Button to verify the code and password | ID | #account-verification-submit |

| # | What | CSS Selector Type | Value |
|---|------|-------------------|-------|
| 1 | Field containing the MFA secret | Class | app-verification__qr-container__block__key |
| 2 | Textbox to enter the OTP code | ID | app-verification-code-input |
| 3 | Button to Verify new OTP code | Class | .app-verification__button |

  • Recovery Screen

| # | What | CSS Selector Type | Value |
|---|------|-------------------|-------|
| 1 | Link to show the recovery phone popup | XPath | //a[contains(text(), "recovery phone")] |
| 2 | Recovery phone number textbox | XPath | //input[@placeholder="Enter phone number"] |
| 3 | Verify recovery phone number textbox | XPath | //input[@placeholder="Verify phone number"] |
| 4 | Button to submit the recovery phone | XPath | //button[contains(@class, "recoveryphone__form__submit")] |
| 5 | Link to show the backup codes | XPath | //a[contains(text(), "backup codes")] |
| 6 | Div containing backup codes. Each code is stored in a div | XPath | //div[@class="codes__backup-codes__codes"]/div |
| 7 | Consent Checkbox for the backup codes | ID | #checkbox |
| 8 | Complete Creating Backup codes | XPath | //button[@type="submit"] |
| 9 | Link for the Recovery Prompt | XPath | //a[contains(text(), "recovery email")] |
| 10 | Text box for email | XPath | //input[@placeholder="Enter recovery email"] |
| 11 | Button to send the Verification Email | XPath | //form[@class="recoveryemail__form"]//button[text()="Send verification email"] |
| 12 | Text box to enter the verification code | XPath | //form[@class="recoveryemail__form"]//input[@class="recoveryemail__form__input"][@placeholder="Enter 6-digit verification code"] |
| 13 | Button to submit the verification code | XPath | //form[@class="recoveryemail__form"]//button[text()="Verify code"] |
| 14 | Button to complete Enrollment | XPath | //button[@type="button" and contains(@class, "recoverymethods__submit")] |

  • MFA TOTP Code

| # | What | CSS Selector Type | CSS Selector | Notes |
|---|------|-------------------|--------------|-------|
| 1 | Text boxes to enter the OTP code | Class | .ctx-input-digits | Will return an array of 6 elements in order |
| 2 | Submit Button | XPath | [class$=login__button] | |
| 3 | Link to alternative MFA options | Class | .primary-code-login__link | |
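
The following Python is an added example, not Citrix's code and not part of the downloads referenced above. It uses only the standard library to compute the RFC 6238 code that pyotp produces with its defaults (HMAC-SHA1, six digits, 30-second step) and returns it as six characters, one per .ctx-input-digits box. The CITRIX_MFA_SECRET environment variable name and the five-second safety margin are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

STEP = 30    # seconds each code is current (pyotp default)
DIGITS = 6   # the login form exposes six .ctx-input-digits boxes


def decode_secret(secret_b32):
    """Decode the enrolment key; tolerate spaces, lower case and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32, at=None):
    """RFC 6238 code (HMAC-SHA1) for the 30-second window containing `at`."""
    now = time.time() if at is None else at
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(decode_secret(secret_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)  # keep leading zeros


def seconds_left(at=None):
    """Seconds until the current 30-second window ends."""
    now = time.time() if at is None else at
    return STEP - int(now) % STEP


def code_for_form(secret_b32, min_validity=5, at=None, sleep=time.sleep):
    """Return the code as six one-character strings, in box order.

    If fewer than `min_validity` seconds remain, wait for the next window so
    the code does not roll over between generation and form submission.
    """
    now = time.time() if at is None else at
    remaining = seconds_left(now)
    if remaining < min_validity:
        sleep(remaining)
        now += remaining
    return list(totp(secret_b32, now))


if __name__ == "__main__":
    # Assumption: the secret comes from an environment variable (hypothetical
    # name) populated by a secret store, rather than being hard-coded here.
    print(code_for_form(os.environ["CITRIX_MFA_SECRET"]))
```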

Where can I learn more about this change?
