Secure application are often a complex process involving multiple factors of authentication. Many developers use services like Auth0, Firebase and Azure AD/Entra to build user login and sign up flows that connect applications to enterprise IdPs using MFA and 2FA flows. These methods often involve receiving verification codes and time-based one-time passwords (TOTP) to verify accounts.

Hint: TOTP stands for time-based one-time password. You might have used TOTP with Google Authenticator or Duo on a mobile device.

With strict compliance and regulatory requirements testing these apps end-to-end is crucial. This requires special QA techniques and disposable authenticator devices which we will demonstrate in this post. For this example we will use Selenium and Java but the methods for testing TOTP passcodes apply to any integration testing framework.

What we are testing

Let's test a typical MFA authentication flow that uses an Auth0 integration and time-based one-time pass codes to sign-up and verify user accounts. The process looks like this:

Compliance automation

We have a basic VueJS app that uses the Auth0 vue library to launch the authentication flow and handle the user authentication. The process is as follows:

  1. User opens the Vue application and navigates to the sign-up page.
  2. User enters their email and password to create a new account.
  3. Application prompts the user to set up MFA (TOTP).
  4. Auth0 displays a QR code for TOTP configuration.
  5. User scans the QR code with an authenticator app (or test device).
  6. User enters the generated TOTP code to verify setup.
  7. Upon successful verification, the user is logged in and MFA is enabled for future logins.

Note you can find all the code for this example on Github

Testing requirements

In order to test this reliably and without manual intervention we will need:

  • Disposable user email accounts
  • Virtual MFA Authenticators

Luckily, MailSlurp is a free service that provides all these and more. We can use the official MailSlurp Java SDK to create email accounts and generate new OTP codes that work seamlessly with IdPs like Auth0.

How to test OTP in Selenium

Okay let's get started. We assume you have a selenium Java project setup up in maven and the necessary drivers installed. In order to create email accounts and TOTP devices for this test we will also need the library we can obtain from maven central.

Install MailSlurp

For maven, add to your :

For Gradle add the following:

Note: MailSlurp is free, you just need to create an API KEY

We can then import MailSlurp in our tests like so:

Open app and begin login

Great, now for our test. The first step will be to open our demo application that has the Auth0 library installed. This app will begin the MFA flow that asks for a TOTP code.

totp-selenium-1-app.png

Once opened we click the login button:

Create an isolated test account

In order to sign-up we need an email address. Let's create one in MailSlurp. This will be a real disposable email account that can send and receive emails.

Fill sign-up form

Once we have an email account we use it to fill out the username. Next we add a randomized password and click submit.

Once filled the app will look like this:

totp-selenium-3-fill.png

After submitting the sign-up we will see a QR code in order to attach a TOTP device:

totp-selenium-4-qr-code.png

Extract OTPAuth url

A MFA TOTP connection typically involves a QR code that has a special link encoded in it. This link follows a pattern like:

Notice the schema. The rest of the URL contains various elements but the most important is the . This is a base32 encoded secret that allows the TOTP device to generate codes. In our test application we can extract the full OTP Auth url by reading it from the dom. Auth0 adds a special attribute that contains this value:

totp-qr-code-otpauth-url.png

We can extract this code like this:

Note: If you can't see the OTP Auth URL in the dom you can use various other methods to connect the TOTP device (including passing a secret directly, passing a screenshot of the QR code, or the QR code image source). See the TOTP docs

Create virtual TOTP device

Now we need to use an authenticator device for our user to verify the account. We will use MailSlurp to generate an TOTP device using the OTP auth url:

This device will let us generate valid confirmation codes for submitting to the app.

Generate time based one time password

Next we can generate a valid OTP code using the SDK. This code will be valid for a short time as specified in the arguments. We need to then submit it to Auth0 to finish the sign-up:

The submission looks like this:

totp-selenium-5-submit-code.png

And afterwards we need to accept the connection:

totp-selenium-6-accept-authorization.png

Assert account is verified

Voila! Now we have a logged in user with a connected MFA device. We can assert that by checking the user profile:

Here is a screenshot:

totp-selenium-7-logged-in.png

Testing logout / login

Now that our full sign-up is complete we can also test the logout and login process to check that the MFA TOTP connection functions:

Once we log in with the email and password we generated we can see the MFA prompt asking for a new code. Using the same TOTP device we can generate that code and submit it:

Conclusion

We just demonstrated how to test a multifactor authentication user flow using Selenium and MailSlurp's free test TOTP API. Using dummy authenticator devices is a great way to verify security compliance and app functionality in QA and automation environments.

To add MFA testing to your own application or IdP see the documentation or connect with our team.