OTP and Step-Up Authentication
Overview
Some Britive profiles and secrets are configured to require step-up authentication — a one-time password (OTP) in addition to your standard login. This prevents access to sensitive resources even when your Britive session is already active.
What you’ll learn:
- How to view a secret that requires an OTP
- How to check out a profile that requires an OTP
Before You Begin
- PyBritive installed and authenticated — see Getting Started
- Microsoft Authenticator (or another TOTP app) enrolled for your Britive account
- At least one secret or profile configured with step-up authentication
Note: Profile and secret names in this tutorial are from the Britive demo tenant. Replace them with your own from
pybritive ls profilesandpybritive ls secrets.
Use OTP with PyBritive
View a secret that requires OTP
Without the --otp flag, PyBritive returns an error:
pybritive secret view "/Britive Team Secrets/LearningSiteSecretMFA"Error: Step Up Authentication required and no OTP provided.Open Microsoft Authenticator and get the current code for your Britive account. Pass it with the --otp flag:
pybritive secret view "/Britive Team Secrets/LearningSiteSecretMFA" --otp 123456Replace 123456 with the current code from your authenticator app. The secret value is returned immediately.
Tip: TOTP codes expire every 30 seconds. Run the command immediately after noting the code to avoid an expiry error.
Check out a profile that requires OTP
The --otp flag works the same way for checkout:
pybritive checkout "Britive Azure Tenant/Britive Azure Tenant/Subscription Owner - (Production)" --otp 123456You can combine --otp with other flags. For example, to load credentials directly into your shell session:
eval $(pybritive checkout "Britive Azure Tenant/Britive Azure Tenant/Subscription Owner - (Production)" \
--otp 123456 \
--mode azlogin)Note: Each OTP code can only be used once. If your Britive administrator has configured a remember window, you will not be prompted again for OTP on the same resource until that window expires.
Troubleshoot
| Symptom | Cause | Fix |
|---|---|---|
Step Up Authentication required and no OTP provided | --otp flag not provided | Add --otp <code> from your authenticator app |
Invalid OTP or OTP verification failed | Code expired or already used | Wait for the next code to generate (every 30 seconds) and retry |
TransactionNotFound during checkout | OTP code expired while PyBritive was polling for the transaction | Use a fresh code with at least 15 seconds remaining before it rotates |
Not authenticated error | Session expired | Run pybritive login and try again |
Next Steps
- Secrets — view and download secrets from the Britive vault
- Check Out and Check In — request and return temporary credentials