Great question and perfect timing! We just released WebInspect 21.2 that now includes a way to handle MFA:

WebInspect now offers the ability to automate Two-factor Authentication scans. This is accomplished by installing a lightweight Android app onto a phone or emulator that can capture SMS and Email tokens and pass them back to the scanner for authentication. Once configured, there is no need for user interaction.

Here is a YouTube video on our Unplugged channel for additional information - www.youtube.com/watch

Hey Ebell,

Thanks for the reply, it is really helpful and one small doubt in that 

Can you please let me know on how it can be integrated with VIP tokens?

Thanks in Advance!

Venkatesh Kalli

At this time if you cannot receive the 2FA token via text or email then you will have to either:

1. Use manual intervention,

2. Disable for testing.

The new 2FA feature only supports Two-Factor Authentication (2FA, or MFA) when the token is received via SMS or Email.  For other situations, including CAPTCHA, Virtual PIN Pad, RSA ID Tokens, et al, you can resort to the older Interactive Scan method WebInspect has always offered.  An Interactive Scan in WebInspect allows you to configure a "mostly automated scan", where you then monitor the screen and fill in the human input as it is needed and is brought up on-screen.  You can also combine this with additional authentication layered configurations such as including  Network Authentication, Client-Side Certs, or the standard Login Macro as needed for your particular target.

• Help section:  file:///C:/ProgramData/HP/HP%20WebInspect/Help/WebInspect/index.htm#InteractiveScans.htm