Testing TOTP one time passwords

How to test multifactor authentication end-to-end using email traps to capture OTP tokens.

One-time passwords (OTPs) are an increasingly common way for companies that manage information to counter recurring security breaches. Password-only authentication is no longer sufficient, because attackers have found ways to compromise it. To stay ahead, companies are using tools that verify the identity of users before they are allowed to access any data.

Multi-factor authentication (MFA) is one of the most widely used security controls organizations deploy today. So what is MFA, and how are OTPs integrated with it?

What is MFA (multi-factor authentication)?

The term "multi-factor authentication" simply describes the several identity checks a user must pass in order to access digital data. A password check and a biometric identification test are two examples of the checks a user may encounter. In biometric identification, the user's fingerprint or face is scanned and verified.

So how does OTP testing fit into this situation?

Understanding OTPs

OTP testing exercises the process of receiving a pin and entering it to complete a login or a transaction, for example in your banking application.

The code is typically six digits long and is delivered by email or SMS. Codes expire after a period set by the service provider, and you are told the expiration time in advance.

Different algorithms are used to generate OTPs. This project uses the well-known time-based one-time password (TOTP) algorithm. It is called time-based because the current time is an input to the password generation.

So what are the major reasons for OTP testing?

Reasons for OTP Testing

The primary goal of OTP integration is to confirm that the user has access to the code and knows the address it is being sent to.

Before integrating OTPs, it is critical for a business to understand how they function. Performing OTP testing is the best way to confirm that the mechanism behaves the way you want before the app launches with this security strategy.

Some of the things you check regarding the operation during OTP testing are:

  • Check the password's expiration time.
  • Check that the password only works once per session.
  • Check how quickly the OTP arrives in the device's email or SMS inbox.

How to Perform OTP Testing

A variety of options are available for testing outgoing emails and SMS messages, depending on your needs and expertise. The best platform is MailSlurp, which offers unlimited email accounts on demand and real phone numbers for SMS testing.

A fully hosted application or platform can do much of the work for you. Virtual SMTP and SMS test servers, support for a wide range of languages, and integrations with common testing frameworks cover most testing needs.

For instance, using an SMS testing API takes only a few lines of code to retrieve the OTP code and continue your test. An example test might look like this:

// Playwright: submit the sign-up form, which triggers the verification SMS
await page.click('[data-test="sign-up-create-account-button"]');
// wait for the verification code to arrive on the MailSlurp test phone number
const sms = await mailslurp.waitController.waitForLatestSms({
  waitForSingleSmsOptions: {
    phoneNumberId: phone.id, // phone number created earlier in the test
    unreadOnly: true,
    timeout: 30_000,         // give up after 30 seconds
  },
});
// extract the 6-digit confirmation code (so we can confirm the user)
const code = /([0-9]{6})$/.exec(sms.body)?.[1];
if (!code) throw new Error(`no 6-digit code found in SMS: ${sms.body}`);
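The one-line regex above anchors the code to the end of the message, which breaks as soon as the SMS ends with a period, a signature or an expiry notice. The following helper is an added example, not code from the original post or from MailSlurp: it finds a standalone six-digit run anywhere in the body, prefers one that follows a keyword such as "code" or "OTP", and refuses to pull six digits out of a longer number like a phone number. The sample messages are constructed for the example.

```javascript
// Added example (not from the original post or MailSlurp): extract a 6-digit OTP
// from an SMS or email body without relying on an end-of-string anchor.
function extractOtp(body, digits = 6) {
  if (typeof body !== "string") return null;
  // A run of exactly `digits` digits that is not part of a longer number,
  // so a phone number or order id is not mistaken for the code.
  const standalone = `(?<!\\d)(\\d{${digits}})(?!\\d)`;
  // Prefer a run that follows a keyword, within 30 non-digit characters of it.
  const afterKeyword = new RegExp(
    `(?:code|otp|pin|passcode)\\D{0,30}?${standalone}`,
    "i"
  );
  const anywhere = new RegExp(standalone);
  const match = afterKeyword.exec(body) || anywhere.exec(body);
  return match ? match[1] : null;
}

// Constructed sample messages (not real MailSlurp payloads).
const SAMPLES = {
  trailingPeriod: "Your Example App verification code is 482913.",
  codeFirst: "482913 is your Example App code. It expires in 5 minutes.",
  withPhone: "Questions? Call 5551234567. OTP: 901234",
  noCode: "Welcome to Example App!",
  tooShort: "Your code is 12345",
};

// Runs every sample through the extractor and returns the results by name.
function extractAll(samples = SAMPLES) {
  const out = {};
  for (const [name, body] of Object.entries(samples)) {
    out[name] = extractOtp(body);
  }
  return out;
}

console.log(extractAll());
```

In the Playwright test above, `extractOtp(sms.body)` would replace the anchored regex; a `null` return should fail the test loudly rather than be passed on to the confirmation step.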

DIY testing

You can also check OTP functionality yourself. One method is to use a server-side Java library such as GoogleAuth, which implements the time-based one-time password algorithm and generates TOTP codes. You could generate a secret in your backend service with GoogleAuth, import that secret using GoogleAuth code in your test, and confirm that it actually produces a legitimate 6-digit TOTP code.

Conclusion

OTP testing is crucial, especially if the application under development automates logins or banking services. It helps ensure that every step of the verification process is genuine and can be trusted.