Skip to content
OTP and Step-Up Authentication

OTP and Step-Up Authentication

Overview

Some Britive profiles and secrets are configured to require step-up authentication — a one-time password (OTP) in addition to your standard login. This prevents access to sensitive resources even when your Britive session is already active.

What you’ll learn:

  • How to view a secret that requires an OTP
  • How to check out a profile that requires an OTP

Before You Begin

  • PyBritive installed and authenticated — see Getting Started
  • Microsoft Authenticator (or another TOTP app) enrolled for your Britive account
  • At least one secret or profile configured with step-up authentication

Note: Profile and secret names in this tutorial are from the Britive demo tenant. Replace them with your own from pybritive ls profiles and pybritive ls secrets.

Use OTP with PyBritive

View a secret that requires OTP

Without the --otp flag, PyBritive returns an error:

pybritive secret view "/Britive Team Secrets/LearningSiteSecretMFA"
Error: Step Up Authentication required and no OTP provided.

Open Microsoft Authenticator and get the current code for your Britive account. Pass it with the --otp flag:

pybritive secret view "/Britive Team Secrets/LearningSiteSecretMFA" --otp 123456

Replace 123456 with the current code from your authenticator app. The secret value is returned immediately.

Tip: TOTP codes expire every 30 seconds. Run the command immediately after noting the code to avoid an expiry error.

Check out a profile that requires OTP

The --otp flag works the same way for checkout:

pybritive checkout "Britive Azure Tenant/Britive Azure Tenant/Subscription Owner - (Production)" --otp 123456

You can combine --otp with other flags. For example, to load credentials directly into your shell session:

eval $(pybritive checkout "Britive Azure Tenant/Britive Azure Tenant/Subscription Owner - (Production)" \
  --otp 123456 \
  --mode azlogin)

Note: Each OTP code can only be used once. If your Britive administrator has configured a remember window, you will not be prompted again for OTP on the same resource until that window expires.

Troubleshoot

SymptomCauseFix
Step Up Authentication required and no OTP provided--otp flag not providedAdd --otp <code> from your authenticator app
Invalid OTP or OTP verification failedCode expired or already usedWait for the next code to generate (every 30 seconds) and retry
TransactionNotFound during checkoutOTP code expired while PyBritive was polling for the transactionUse a fresh code with at least 15 seconds remaining before it rotates
Not authenticated errorSession expiredRun pybritive login and try again

Next Steps

Last updated on