OTP Testing: How to Test Email, SMS, and MFA Codes in CI

If you searched for , , , or , you are probably trying to solve one of two problems:

• prove that auth and recovery flows work before release, or
• stop brittle OTP checks from breaking CI and staging runs.

This guide explains what OTP testing should cover, how it differs from broader MFA testing, and how to build deterministic checks for email, SMS, and time-based codes.

Quick answer

Good OTP testing should prove that:

• the right code or link is sent to the right channel
• the code arrives within an acceptable time budget
• the token expires when it should
• retries and resends behave correctly
• one-time use is enforced
• rate limits and abuse controls work
• the full signup, login, or recovery workflow completes successfully

If you only check that "a code was sent," you will miss the failures that matter most.

What OTP testing actually means

OTP testing is the process of validating one-time-password or one-time-code flows under realistic conditions.

That usually includes:

• email OTP codes
• SMS verification codes
• magic links
• recovery codes
• MFA or 2FA prompts tied to authenticator apps

In practice, teams are not only testing the code itself. They are testing the delivery path, expiry rules, user journey, and error handling around the code.

OTP testing vs MFA testing vs TOTP testing

These terms overlap, but they are not identical.

OTP testing

Focused on one-time codes or links used to verify a user action.

Examples:

• signup verification code
• login OTP
• password reset code
• email confirmation link

MFA testing

Focused on the wider multi-factor flow, including:

• factor enrollment
• factor selection
• challenge and response
• fallback or recovery
• account lockout and retry behavior

TOTP testing

Focused on time-based one-time passwords generated from a shared secret, usually in an authenticator app.

Examples:

• Google Authenticator
• Authy
• Microsoft Authenticator
• in-app TOTP device enrollment

If your product uses authenticator apps, see TOTP and authenticator device testing.

Why OTP testing matters

OTP failures do not just create "minor auth bugs." They hit important business paths:

• new-user activation
• account access and login
• password reset
• payment and payout confirmation
• security-sensitive account actions

When those flows fail, the result is usually immediate:

• lower signup conversion
• higher support volume
• false fraud flags
• broken CI release gates
• lost confidence in the auth system

That is why should be treated as a release-risk topic, not a niche security afterthought.

What to test in an OTP workflow

1. Delivery and arrival

Start with the obvious question: does the code or link actually arrive?

Test:

• delivery to the correct email address or phone number
• acceptable latency under normal load
• delivery under staging and CI conditions
• provider-specific failures or delays

For email and SMS flows, MailSlurp gives teams real inboxes and real phone numbers that can be controlled in code:

• Email integration testing
• Phone number and SMS service
• Test SMS OTP and MFA using Playwright

2. Extraction

The next problem is reading the code or link reliably.

Test:

• code extraction from plain text and HTML email
• SMS code extraction from message body
• magic-link parsing
• template changes that move or rename important content

This is where brittle regex-only checks often break. You want deterministic assertions with known subjects, sender filters, and message matching rules.

3. Expiry and one-time use

One-time codes are not only about delivery. They are security controls.

Test:

• token expires after the expected TTL
• expired code is rejected
• successful use invalidates the token
• previously sent codes do not remain valid after resend

These checks catch a surprising number of production regressions, especially after auth refactors.

4. Retry, resend, and lockout behavior

Users do not always succeed on the first attempt. Good OTP testing must cover the real retry lifecycle.

Test:

• resend cooldowns
• invalid attempt counters
• account lock or step-up friction after repeated failure
• user-visible error messaging
• supportable recovery paths

5. Workflow completion

The final question is not "did we send a code?" It is "did the user complete the intended workflow?"

Test the full path:

• create account
• trigger verification
• receive code or link
• submit or open it
• reach the success state

This is why OTP testing belongs in end-to-end testing, not just unit tests on token generation.

Email OTP testing

Email OTP flows are common for:

• signup confirmation
• magic link login
• account recovery
• device verification

The main risks are:

• code not arriving
• wrong sender or subject causing filters to miss the message
• HTML/template changes breaking extraction
• verification links pointing at stale environments

Good email OTP testing uses fresh inboxes per run instead of shared QA accounts. That removes flaky state and makes message matching reliable.

Useful starting points:

• OTP email testing guide
• Email sandbox
• Email compatibility tester

SMS OTP testing

SMS OTP flows are common for:

• login verification
• signup confirmation
• account recovery
• step-up security checks

The main risks are:

• delayed delivery
• resend confusion
• region or carrier differences
• number formatting issues
• tests depending on one shared phone number

For those flows, you want real numbers under API control, not fake test doubles.

Useful starting points:

• SMS API
• Receive SMS API
• Test SMS OTP and MFA using Playwright
• Testing SMS-based authentication

Magic link testing

Some teams search for when the real artifact is a magic link rather than a numeric code.

Magic-link testing should cover:

• correct destination environment
• one-time use
• expiry
• invalidation after password change or session change
• link extraction from HTML and text fallbacks

This is usually best handled with the same inbox-based testing pattern used for email OTP.

TOTP and authenticator app testing

TOTP is different because the code is generated from a shared secret and time window, not delivered through email or SMS.

Test:

• factor enrollment
• QR secret handoff
• correct time-window validation
• drift tolerance
• backup and recovery factors
• device reset or re-enrollment

If your system uses authenticator apps, do not rely on only one happy-path login test. TOTP flows often fail around enrollment, reset, and secret rotation.

See:

• TOTP device and authenticator testing
• Auth0 Playwright TOTP automation example

How to automate OTP testing in CI

The safest pattern is:

1. provision a fresh inbox or phone number
2. trigger the auth workflow in your app
3. wait for the expected email or SMS using deterministic filters
4. extract the code or link
5. submit it back into the app
6. assert the authenticated or recovered state

This works well in Playwright, Cypress, Selenium, Postman-driven workflows, and other framework stacks.

Good framework entry points:

• Playwright email testing
• Cypress email testing
• Selenium email testing
• Authentication testing solution page

Common OTP testing failures

Shared test inboxes

Tests read the wrong code because multiple runs are using the same mailbox or number.

Resend logic not covered

The team tests first-send only, then production users trigger a resend bug that invalidates the wrong token.

Expiry not tested

The code works in one test path but remains valid for too long.

Extraction assumes one template

The parser works until the email or SMS copy changes slightly.

Happy-path only coverage

The team tests successful verification but never tests:

• wrong code
• expired code
• max attempts
• recovery path
• fallback factor

OTP testing checklist

Use this checklist before release:

1. verify code or link arrives in the expected channel
2. verify arrival time stays within budget
3. verify extraction is deterministic
4. verify expiry works
5. verify one-time use is enforced
6. verify resend invalidation rules
7. verify lockout and retry behavior
8. verify success state in the real workflow
9. verify failure states are understandable
10. verify artifacts are captured for debugging

How MailSlurp helps

MailSlurp leads when teams need to move OTP testing out of manual QA and into repeatable automation.

Use it for:

• fresh inboxes and phone numbers per test run
• waiting for email or SMS messages with filters
• extracting OTP codes, magic links, and message content
• capturing evidence in CI and release workflows
• combining auth testing with rendering and deliverability checks

Good next steps:

• Authentication testing
• Email integration testing
• Phone number and SMS service
• TOTP testing

FAQ

What is OTP testing?

OTP testing is the process of validating one-time-password or one-time-code workflows, including delivery, extraction, expiry, one-time use, and successful completion of the surrounding user journey.

Is OTP testing the same as MFA testing?

Not exactly. OTP testing focuses on the one-time code or link. MFA testing covers the wider multi-factor flow, including enrollment, fallback, and factor management.

How do you test SMS OTP in CI?

Use real phone numbers that can be controlled in code, wait for the inbound SMS, extract the code, and complete the app flow automatically.

How do you test email OTP without flaky inboxes?

Create isolated inboxes per test run, filter messages deterministically, and assert the code or magic link in code instead of sharing one QA mailbox.

Should OTP testing include expiry and resend logic?

Yes. Those are some of the most important failure modes because they break real users even when initial delivery works.

Final take

The best strategy is not about checking a six-digit code in isolation.

It is about proving that email, SMS, magic-link, and MFA workflows behave correctly under real conditions, with deterministic evidence the team can trust before release.