AWS Security ChangesHomeSearch

AWS securityagent documentation change

Service: securityagent · 2026-03-16 · Documentation medium

File: securityagent/latest/userguide/provide-testing-credentials.md

Summary

Added documentation for TOTP-based 2FA support in credential configuration

Security assessment

The changes introduce documentation for configuring TOTP-based two-factor authentication as a security feature, but there is no evidence of addressing a specific existing vulnerability or security incident. The update enhances security documentation by expanding supported authentication methods.

Diff

diff --git a/securityagent/latest/userguide/provide-testing-credentials.md b/securityagent/latest/userguide/provide-testing-credentials.md
index 5c2cc8bd0..c73ac473f 100644
--- a//securityagent/latest/userguide/provide-testing-credentials.md
+++ b//securityagent/latest/userguide/provide-testing-credentials.md
@@ -45 +45,9 @@ If you select **Advanced setting** , you can choose from three credential strate
-  4. (Optional) Expand **Agent Space login prompt** to provide specific login instructions if your application has a complex authentication flow.
+  4. (Optional) In the **2FA - optional** field, provide a TOTP secret for applications that require two-factor authentication. You can either:
+
+     * Enter the TOTP secret directly (for example, `JBSWY3DPEHPK3PXP`), or enter the full `otpauth://totp/` URI (for example, `otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example`).
+
+     * Click the upload icon to upload a QR code image from your authenticator app setup page. The QR code is scanned locally and the TOTP URI is extracted automatically.
+
+When a TOTP secret is provided, the agent automatically generates fresh one-time codes and enters them when a 2FA prompt is detected during login.
+
+  5. (Optional) Expand **Agent Space login prompt** to provide specific login instructions if your application has a complex authentication flow.
@@ -75 +83 @@ Use the **Agent Space login prompt** to provide detailed instructions on how to
-For example, if the agent is to submit a username/password login form at https://example.com/login, you may format your secret as JSON with `username` and `password` fields:
+For example, if the agent is to submit a username/password login form at https://example.com/login, you may format your secret as JSON with `username` and `password` fields. If the application requires TOTP-based 2FA, include a `totpSecret` field with either the TOTP secret directly or a full `otpauth://totp/` URI:
@@ -80 +88,2 @@ For example, if the agent is to submit a username/password login form at https:/
-      "password": "secure-password-here"
+      "password": "secure-password-here",
+      "totpSecret": "JBSWY3DPEHPK3PXP"
@@ -83 +92 @@ For example, if the agent is to submit a username/password login form at https:/
-Then, configure the authentication instructions: . Enable **This credential requires interactive login (form submission)**. . Set **Access URL** to `https://example.com` (or any other URL selected from the list of target endpoints). . Enter the following into **Agent Space login prompt** : "Navigate to https://example.com/login and enter the provided username and password into the form."
+Then, configure the authentication instructions: . Set **Access URL** to `https://example.com` (or any other URL selected from the list of target endpoints). . Enter the following into **Agent Space login prompt** : "Navigate to https://example.com/login and enter the provided username and password into the form."
@@ -90 +99 @@ As another example, if you instead have an API key to be provided in an HTTP hea
-Then, configure the authentication instructions: . Disable **This credential requires interactive login (form submission)**. . Enter the following into **Agent Space login prompt** : "Set the X-API-Key header to the provided API key for all requests."
+Then, configure the authentication instructions: . Enter the following into **Agent Space login prompt** : "Set the X-API-Key header to the provided API key for all requests."
@@ -94 +103 @@ Then, configure the authentication instructions: . Disable **This credential req
-We currently do not support 2FA or OAuth-based authentication.
+Only TOTP-based 2FA is supported. SMS, email, push notifications, hardware keys, and OAuth authentication are not supported.