
Introduction to Shared Credentials, Browser Recordings and MFA in Edgescan

This article introduces Edgescan’s new credentials model and what you can expect when using it. Shared Credentials, Browser Recordings, and MFA-aware workflows are designed to make authenticated assessments easier, safer, and more transparent.

Version Number: v1.0.0

Published Date: 05 Mar 2026

____________________________________________________________________________

Shared Credentials, Browser Recordings, and MFA‑aware workflow functionality is currently in the Beta phase, and will not be generally available until Q2 2026.

What Are Shared Credentials?

Previously, credentials were configured directly on each asset. The same username/password or API key often had to be entered multiple times, which made re‑use, updating, and visibility of credentials difficult.

Shared Credentials are a central library of credentials that live at the organisation level and can be reused across multiple assets.

Key behaviours:

  • Central library
    See all your credentials in one place, rather than hunting through assets individually.
  • Assign instead of duplicate
    Create a Shared Credential once, then assign it to any number of assets that need it.
  • Clear usage visibility
    On both the Shared Credentials page and individual asset pages, you can see:
    • Which credentials are assigned to an asset.
    • Which assets are using a particular credential.
  • Guided management
    Tooltips and improved validation help you configure credentials correctly, and filters let you quickly find the credential you need.

Browser Recordings: Capturing Real Login Flows

Some applications use complex login flows (multi‑page logins, JavaScript‑heavy forms, MFA prompts, etc.). Edgescan addresses this with Browser Recordings, which capture the steps a user takes in a browser during authentication.

In the context of authentication workflows:

  • Record the login journey
    You can record how a user logs in to the application, including:
    • Navigating to the login page.
    • Filling in username/password or other fields.
    • Completing MFA steps (for example, entering an OTP code into its field during the recording).
  • Assign recordings to assets
    A browser recording can be assigned to an asset as part of its authentication workflow, so the scan engine can replay those steps during an assessment. Browser Recordings will be released with support for Chrome recordings and Snyk recordings.
  • Map credentials to recording steps
    You can map fields from your Shared Credentials (e.g. username, password, otp_code) to specific input steps in the browser recording.
    This ensures:
    • The browser automation uses values stored in Shared Credentials.
    • The same recording can be reused with different credentials across assets when needed.

MFA‑Enabled Credentials

The new credentials model is designed to work with multi‑factor authentication (MFA) in a repeatable way.

When you create or edit a Shared Credential, you can enable MFA and provide the information required for the scan engine to handle second‑factor steps. This is particularly useful when combined with browser recordings that include MFA pages as part of the recorded flow.

Key capabilities:

  • Add MFA to a Shared Credential
    Configure MFA details alongside username and password so that authentication workflows understand how to complete the second factor.
  • Use QR codes for OTP configuration
    Upload or scan an OTP QR code image to automatically populate the OTP URI and related fields, rather than copying the secret manually.
  • Visibility and support
    • The UI shows whether a Shared Credential has MFA enabled.
    • Admin views expose non‑secret MFA details (such as the target email for email MFA) to help diagnose issues without revealing sensitive values.

These capabilities are designed to let you protect high‑value targets with MFA while still keeping assessments repeatable, reliable and, where possible, automated.

Types of MFA Supported in Authentication Workflows

Within this Shared Credentials and browser‑recording model, Edgescan supports several MFA patterns commonly used in web authentication:

OTP (Time‑based One‑Time Password) / Authenticator Apps
  • What it is
    Codes generated by an authenticator app or hardware token (for example, TOTP codes that change every 30 seconds).
  • How it’s configured
    • Upload or scan a QR code during Shared Credential setup to populate the OTP configuration automatically.
    • The scan engine can then generate OTP codes as part of the authentication workflow.
  • How it works with browser recordings
    • During the recording, you include the step where the OTP code is entered.
    • In the authentication workflow, you map the OTP field from the Shared Credential to the OTP input step in the recording, so the correct code is inserted at runtime.

Email‑based OTP (Email MFA)
  • What it is
    A one‑time code is sent to a specific email address, which must then be entered into the application.
  • How it’s configured
    • Configure the target email address in your MFA settings.
    • This email address is visible in the relevant configuration screens so you can confirm the correct inbox is used.
  • How it works with recordings
    • The browser recording includes the step where the email OTP is entered.
    • The authentication workflow can be combined with Edgescan’s MFA handling (for example, via OTP APIs) so that the recorded OTP input step is populated correctly.

SMS‑based OTP (SMS MFA)
  • What it is
    A one‑time code delivered via SMS to a configured phone number.
  • How it’s configured
    • Provide the phone number in the MFA configuration.
    • The UI surfaces this number (for example, in onboarding forms) so it can be easily copied and verified.
  • How it works with recordings
    As with email MFA, your browser recording includes the step where the SMS code is entered, and Edgescan’s MFA handling makes sure the correct code is available to the scan engine at the right time.

API‑Push / Out‑of‑Band MFA
  • What it is
    Workflows where the application or identity provider sends MFA information (such as a code or “approve”/“deny” action) via an API rather than entirely through the browser.
  • How it’s supported
    • Shared Credentials can store API Push MFA details.
    • Edgescan exposes endpoints that allow you to send MFA OTP codes to Edgescan via API, which are then associated with the correct MFA record.
  • How it works with recordings
    • The browser recording covers the UI steps.
    • Any out‑of‑band MFA interaction is coordinated via the MFA APIs and stored details in the Shared Credential.

How It All Fits Together

A typical authenticated assessment setup now looks like this:

  1. Create a Shared Credential
    • Enter username, password and (optionally) MFA details such as OTP configuration, email or SMS information.
  2. Create a Browser Recording
    • Record the full login flow, including MFA steps where applicable.
  3. Map credential fields to recording steps
    • Link specific Shared Credential fields (for example, username, password, otp_code) to the corresponding input steps in the browser recording.
  4. Assign both to the asset
    • Assign the Shared Credential and browser recording to the asset as part of its authentication workflow.

From then on, Edgescan can reliably replay the login flow with the right values and complete MFA as configured, while you manage credentials and MFA centrally and reuse them across assets.
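
The four steps above, sketched as an added example (not Edgescan's code or its mapping format). It assumes a recording shaped like a Chrome DevTools Recorder JSON export, where each typed input is a "change" step holding the literal value; the step-index mapping, the sample recording and the function names are hypothetical.

```python
import copy
import json

# Constructed sample shaped like a Chrome DevTools Recorder JSON export.
RECORDING = json.loads("""
{"title": "login", "steps": [
  {"type": "navigate", "url": "https://app.example.test/login"},
  {"type": "change", "selectors": [["#username"]], "value": "recorded-user"},
  {"type": "change", "selectors": [["#password"]], "value": "typed-while-recording"},
  {"type": "click", "selectors": [["#submit"]]},
  {"type": "change", "selectors": [["#otp"]], "value": "000000"}
]}
""")

# Hypothetical mapping format: step index -> Shared Credential field name.
MAPPING = {1: "username", 2: "password", 4: "otp_code"}


def unmapped_inputs(recording, mapping):
    """Input steps with no mapping: their recorded literal would be replayed."""
    return [i for i, step in enumerate(recording["steps"])
            if step.get("type") == "change" and i not in mapping]


def bind(recording, mapping, credential):
    """Return a copy of the recording with mapped inputs taken from credential."""
    bound = copy.deepcopy(recording)
    for index, field in mapping.items():
        step = bound["steps"][index]
        if step.get("type") != "change":
            raise ValueError(f"step {index} is not an input step")
        if not credential.get(field):
            raise KeyError(f"credential has no value for {field!r}")
        step["value"] = credential[field]
    return bound


def scrub(recording):
    """Blank every recorded input so the stored file holds no typed secrets."""
    clean = copy.deepcopy(recording)
    for step in clean["steps"]:
        if step.get("type") == "change":
            step["value"] = ""
    return clean
```

Running `unmapped_inputs` before assigning a recording shows which inputs would still replay whatever was typed during capture, and `scrub` removes those literals from the copy that is stored or shared.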

 

Automatic Migration of Existing Credentials

To make sure assessments continue to run without interruption, Edgescan automatically migrates your existing credentials into the new model:

  • Existing asset‑level credentials are converted into Shared Credentials.
  • Where Edgescan cannot safely determine the exact type, credentials are marked as Legacy, but remain usable.
  • You can clean up and modernise these Legacy credentials over time, without losing data or breaking ongoing assessments.

As part of this, Edgescan also ensures that:

  • Assigned credentials are visible on updated asset pages.
  • Asset blockers refresh automatically when you assign or unassign Shared Credentials.
  • Deleting an asset with assigned credentials no longer results in errors.

Benefits for Your Team

With this combined approach of Shared Credentials, browser recordings, and MFA support, you should see:

  • Simpler setup and reuse
    One set of credentials and one recording can serve many assets.
  • Robust handling of complex logins
    Browser recordings capture real‑world flows, while mappings ensure credentials are injected correctly.
  • Practical MFA for automating login workflows
    Support for OTP, email, SMS and API‑push MFA patterns, plus QR‑based configuration, makes strong authentication compatible with automated login workflows.
  • Better visibility and control
    You can see which assets depend on which credentials and recordings, and verify which MFA mechanisms are in use.