Why Add Credentials

Credentials let assessments access authenticated areas that are not visible to public crawling. Credentials and login instructions are used together:
  • credentials provide what to enter
  • login instructions provide where and how agents should log in

Credential Types

MindFort supports multiple credential types. Each targets a different authentication flow your application may use.
Type | Auth Flow
Application Login | Username & password
Authenticator 2FA | Username, password & TOTP code
Email MFA | Username, password & email verification code
SMS MFA | Username, password & SMS code
SMS Login | Phone number & SMS code only
API Key | Bearer, header, query parameter, or JSON body credential for API targets

Application Login

Standard username and password authentication.
Field | Required
Credential Name | Yes
Username | Yes
Password | Yes
Role | Yes (default: user)
Description | No
Setup:
  1. Open Target Inventory and select a target.
  2. Click Add Credential and choose App Login.
  3. Enter the username and password for the test account.
  4. Select the appropriate role and save.

Authenticator 2FA

Username and password authentication with a TOTP-based second factor. MindFort generates time-based codes automatically during assessments using the secret you provide.
Field | Required
Credential Name | Yes
Username | Yes
Password | Yes
TOTP Secret | Yes
Role | Yes (default: user)
Description | No
The TOTP secret is the base32-encoded string shown when you set up an authenticator app (e.g. JBSWY3DPEHPK3PXP). You can usually find this during the authenticator setup flow where a QR code is displayed — look for a “Can’t scan?” or “Manual entry” option to reveal the text secret.
Setup:
  1. Open Target Inventory and select a target.
  2. Click Add Credential and choose 2FA.
  3. Enter the username, password, and the base32 TOTP secret.
  4. Select the appropriate role and save.
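
An added example, not MindFort's code: a local check that the base32 secret you are about to store decodes cleanly and yields the same code your authenticator app shows. It assumes the common authenticator defaults from RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the function names are illustrative.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time


def normalize_secret(raw):
    """Decode a base32 TOTP secret as pasted from a manual-entry screen."""
    # Setup screens often show the secret in lowercase groups separated by
    # spaces or dashes, and without the trailing '=' padding.
    cleaned = raw.replace(" ", "").replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty TOTP secret")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded)
    except binascii.Error as exc:
        # Typical causes: a mistyped 0/1/8/9 (not in the base32 alphabet)
        # or a truncated copy of the secret.
        raise ValueError(f"not valid base32: {exc}") from None


def totp(secret, at=None, step=30, digits=6):
    """Return the TOTP code for `secret` at Unix time `at` (default: now)."""
    key = normalize_secret(secret)
    now = time.time() if at is None else at
    counter = int(now // step)  # number of whole time steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects
    # a 4-byte window; the top bit is masked off before reducing to digits.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import getpass
    # Read the secret without echoing it or leaving it in shell history.
    print(totp(getpass.getpass("TOTP secret: ")))
```

If the printed code does not match the authenticator app for the test account, check the secret for copy errors and the local clock for drift before saving the credential.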

SMS MFA

Username and password authentication where the second factor is an SMS verification code. MindFort provisions a dedicated phone number and reads incoming codes during assessments.
Field | Required
Credential Name | Yes
Username | Yes
Password | Yes
Country Code | Yes
Role | Yes (default: user)
Description | No
A phone number is provisioned automatically when the credential is created. You will see it in the credentials table once provisioning completes. Register this number as the MFA phone number on the target account.
Setup:
  1. Open Target Inventory and select a target.
  2. Click Add Credential and choose SMS MFA.
  3. Enter the username and password for the test account.
  4. Select the country for the provisioned phone number.
  5. Save the credential — a phone number will be provisioned.
  6. Copy the provisioned phone number from the credentials table and register it as the MFA number on your target application’s account settings.
  7. (Optional) If the target application sends a verification code to confirm the phone number during registration, click the message icon in the credentials table Actions column and press Check for Code to retrieve it. Enter the code in the target application to complete registration.

SMS Login

Phone-number-only authentication where a one-time code is sent via SMS instead of using a password. MindFort provisions a dedicated phone number and reads incoming codes during assessments.
Field | Required
Credential Name | Yes
Country Code | Yes
Role | Yes (default: user)
Description | No
No username or password is needed. A phone number is provisioned automatically.
Setup:
  1. Open Target Inventory and select a target.
  2. Click Add Credential and choose SMS Login.
  3. Select the country for the provisioned phone number.
  4. Save the credential — a phone number will be provisioned.
  5. Copy the provisioned phone number from the credentials table and register it as a user on your target application.
  6. (Optional) If the target application sends a verification code during account creation, click the message icon in the credentials table Actions column and press Check for Code to retrieve it. Enter the code in the target application to complete registration.

Email MFA

Username and password authentication where the second factor is sent to a dedicated email inbox. MindFort generates the email address during credential setup and uses it during assessments.
Field | Required
Credential Name | Yes
Username | Yes
Password | Yes
Generated Email | Yes
Role | Yes (default: user)
Description | No
Setup:
  1. Open Target Inventory and select a target.
  2. Click Add Credential and choose Email MFA.
  3. Enter the username and password for the test account.
  4. Generate the email address in the credential form.
  5. Register that email address as the MFA email on the target account.
  6. Save the credential.

API Key

API key credentials are available for API targets. Use them when the target authenticates requests with a bearer token, custom header, query parameter, JSON body field, or additional required fields. API targets require API auth instructions before API key credentials can be added. Define the validation route, request method, and success criteria in the target instructions first.
Field | Required
Credential Name | Yes
API Key or Token | Yes
Placement | Yes
Additional Fields | No
Role | Yes (default: user)
Description | No
Setup:
  1. Open Target Inventory and select an API target.
  2. Click Add Credential and choose API Key.
  3. Enter the key or token.
  4. Select where MindFort should place the credential: header, bearer token, query parameter, or JSON body field.
  5. Add any extra static fields the API requires.
  6. Save the credential.

SSO Redirect Flows

For applications that authenticate through an identity provider redirect flow, create a dedicated test account and document the full redirect flow in login instructions. Include:
  • the application login URL
  • the identity provider option to choose
  • any tenant, workspace, or organization selector
  • the expected post-login URL
  • whether MFA is required for the test account
If the SSO flow requires an email, phone, or authenticator second factor, configure the matching credential type and include the SSO steps in login instructions.

Authentication Coverage Matrix

Flow | Recommended Setup
Username and password | Application Login credential
Authenticator app MFA | Authenticator 2FA credential with TOTP secret
Email verification code | Email MFA credential with generated email address
SMS second factor | SMS MFA credential with provisioned phone number
SMS-only login | SMS Login credential
API key or token | API Key credential on an API target
SSO redirect flow | Stored test credential plus explicit login instructions
Phone-number login | SMS Login credential plus explicit login instructions

Credential Guidelines

  • Use dedicated test accounts — avoid personal or production admin accounts.
  • Keep account access scoped to what you want tested.
  • Prefer least-privilege roles that still exercise the features you want assessed.
  • Create separate credentials for materially different roles, such as user and admin.
  • Create at least two distinct stored credentials when you want to use assessment dual credential mode for access-control boundary testing.
  • Rotate credentials regularly.
  • For SMS credential types, contact support if the option is not available for your organization.
After adding credentials, add clear login instructions so agents can sign in to your target reliably: Writing Login Instructions