Many modern web and mobile applications use modern user account authentication techniques that involve temporary passwords. These one-time passwords (OTP) are sent via email or SMS as part of 2FA two factor authentication in OAuth and SAML applications. Using a free email service we can test username and password authentication methods end-to-end in software applications.

What are OTP passwords?

One time email links are emails that are sent to a user of a website when they enter their email address during login. A server sends the email containing a link or passcode that expires after a short time. This password can be used by the user to sign into an application without requiring a typical permanent password.

Example usage of one time 2FA authentication

AWS provides the Cognito authentication service for logging users into applications using OAuth or SAML username and password. In a demo app we created for this post we can use a simple react app hosted at to sign up for an account on a dummy application. A verification code is then sent to your email address which can be entered into a confirmation screen to confirm the account.

Automated OTP testing with CypressJS

We can test this demo app using Cypress JS and the MailSlurp email API.

Then run to scaffold your tests.

Writing a test to receive OTP emails

The main steps for testing OTP are as follows:

  • Create a test email account
  • Sign up using a test email address
  • Wait for the email to arrive in the account
  • Extract the OTP code and submit it

We can automate that process using a Cypress end-to-end test like the one below.

Creating a dummy email address

Start your test by creating a throwaway email account.

Load playground application in cypress

Next we need to load the app we are testing using :

Fill the login form with email address

Use the inbox email address and submit it to the test application.

Receive OTP username password via email

Once we submit the form wait for the code to arrive using the WaitForController methods. This method will hold the connection open for 30 seconds until the email arrives. It will throw an exception if the email does not arrive before then. Then we use a regex pattern to extract the OTP code and submit it.

Submit the confirmation code and test the welcome

Submit the email one-time password and assert the welcome page is shown.

Then we can see authorized welcome screen:

Why test OTP?

By using disposable email addresses we can test OTP 2FA one time passwords in any real world application. Test your authentication username and password login for real using actual email addresses so you know that your application is functioning.