Professional Community

Multi-TOTP Authenticator

This extension manages multiple time-based one-time passwords (TOTPs) simultaneously, enabling security testing of applications that protect different endpoints or accounts with separate multi-factor authentication tokens. Each TOTP can be configured independently and automatically inserted into requests based on customizable match patterns.

Features

  • Manage unlimited TOTP tokens within a single project, each with independent configuration and match patterns
  • Automatically refreshed codes displayed in a dedicated tab with visual countdown timers for each token
  • Individual enable/disable controls for each TOTP to activate only the tokens needed for current testing
  • Automatic insertion of TOTPs into requests using configurable match strings or regular expressions per token
  • QR code scanning support for adding TOTPs without manual secret entry
  • Integration with Scanner for authenticated crawling of sites requiring two-factor authentication across multiple accounts
  • Session handling rule support for precise scope control over TOTP replacement
  • Customizable TOTP parameters per token including duration, code length, and hashing algorithm (SHA-1, SHA-256, SHA-512)
  • Context menu integration for selecting which token to insert into message editors
  • Project file persistence for all TOTP configurations across sessions

Usage

  1. Navigate to the TOTP tab and add a code by entering a name, Base32-encoded secret, and optional parameters (duration, code length, algorithm), or use the Scan QR or Paste QR buttons to populate fields automatically from a QR code
  2. Configure the match string that will be replaced with the TOTP code in requests, optionally enabling regular expression matching in the extension settings under Extensions → TOTP
  3. Set your scope by clicking the scope configuration button to define which tools and URLs should have TOTP replacement enabled
  4. Enable the "Replace in requests?" checkbox for the TOTP to activate automatic replacement
  5. Use the extension with Scanner by recording a login sequence, editing the TOTP input event to use your configured placeholder, and verifying replacement in the Logger tab
  6. Alternatively, use session handling rules by adding "Invoke a Burp extension" → "Insert TOTP into request" to gain fine-grained control over when replacement occurs
  7. Manually insert current codes or placeholders into any message editor by right-clicking and selecting Extensions → TOTP → Insert code or Insert placeholder
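
The per-token behaviour described above (independent duration, code length and hashing algorithm, then replacement of a match string or regular expression in a request) can be sketched as follows. This is an added example, not the extension's own code: the `Token` class, the placeholder names, and the choice to replace the whole regex match are assumptions, and the secrets and request are constructed.

```python
import base64, hashlib, hmac, re, struct, time
from dataclasses import dataclass

ALGORITHMS = {"SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}

@dataclass
class Token:                      # hypothetical model of one configured TOTP entry
    name: str
    secret_b32: str               # Base32-encoded shared secret
    match: str                    # placeholder string (or regex) to replace
    is_regex: bool = False
    enabled: bool = True          # stands in for the "Replace in requests?" checkbox
    duration: int = 30            # seconds per time step
    digits: int = 6
    algorithm: str = "SHA-1"

def totp(tok, now=None):
    """Return the RFC 6238 code for tok at Unix time now (default: current time)."""
    s = tok.secret_b32.replace(" ", "").upper().rstrip("=")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(time.time() if now is None else now) // tok.duration
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[tok.algorithm]).digest()
    offset = mac[-1] & 0x0F       # dynamic truncation (RFC 4226 section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** tok.digits).zfill(tok.digits)

def insert_codes(request, tokens, now=None):
    """Replace each enabled token's match string or regex with its current code."""
    for tok in tokens:
        if not tok.enabled:
            continue              # disabled tokens leave their placeholder untouched
        pattern = tok.match if tok.is_regex else re.escape(tok.match)
        code = totp(tok, now)
        request = re.sub(pattern, lambda _m, c=code: c, request)
    return request

if __name__ == "__main__":
    # Constructed secrets and request; not real credentials.
    admin = Token("admin", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "__TOTP_ADMIN__")
    api = Token("api", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", r"(?<=otp2=)\d{8}",
                is_regex=True, digits=8)
    req = "POST /login HTTP/1.1\r\n\r\nuser=a&otp=__TOTP_ADMIN__&otp2=00000000"
    print(insert_codes(req, [admin, api]))
```

Passing a fixed `now` makes the output reproducible, which is useful when comparing a generated code against what the target application accepted for the same time step.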

Author

Stephen Santilli

Version

1.0.0

Last updated

27 November 2025

Estimated system impact

Overall impact: Empty

Memory: Empty
CPU: Empty
General: Empty
Scanner: Empty

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
