What is OTP and why would I use it?

One time passwords (OTP) with MFA are a popular mechanism for securing web applications. Many applications today rely on multi-factor authentication (2FA/MFA) to login and signup users as it is considered more secure than a basic username/password flow.

An example SMS verification form on our demonstration application

MFA means that a user must provide more than a simple password to access an application - they must also verify their identity by another means.

Usually secondary authentication is performed via an SMS one time password that is sent to a user's mobile phone. This code is unique and expires (hence the name OTP or one time password). The user must receive the code and enter it to a confirmation window during sign up. This proves that the user is who they say they are.

Testing MFA and OTP

Testing auth/OAuth using real phone numbers is an excellent way to automate your integration/end-to-end test suite and ensure that your application is properly handling user authentication and security. Using a phone number automation service such as MailSlurp we write a test as follows:

  • create a test phone number
  • use Playwright browser automation to load our application
  • sign up for the app using the test number
  • capture the inbound SMS code in tests and submit it to the app
  • confirm we gain access to the application

In this guide we will show you this exact test using a dummy OAuth SMS app located at playground-sms.mailslurp.com.

Playwright setup

We will use Microsoft's great Playwright tool (avaible in C#, Java, Typescript, NodeJs, and Python) to write an automated browser test that loads our application in chrome and performs checks. We will use Typescript for this example. (Find the code on Github.)

YouTube video thumbnail

Create a test project

First create a new project on your machine with NodeJS.

Install playwright

Setup playwright by installing and configuring it.

You'll see something like so in your directory:

Running tests

Execute tests using the command and view the results in your terminal or with the command. Now let's write some tests for MFA login.

Testing user sign up

To test authentication end-to-end using MFA and SMS we need to use Playwright to load our application, fill out a sign-up form, then capture an SMS code and submit it. Let's do that.

Load the create account page

Our dummy app asks for a phone number and password during sign up.

To begin testing use the object in your test to load the playground login screen:

Use a test phone number

We have created a US phone number in the MailSlurp dashboard and we can fetch it in our tests using the MailSlurp Javascript client.

To create phone numbers please follow the phone number guide.

Fill sign-up form

Next we can use the phone number to fill out the username and password form:

The form will be filled in Playwright like so:

Playwright will use our automated phone number to create a new account.

Wait for and capture SMS

Now we can use MailSlurp to wait for an expected SMS to arrive at our phone number and extract the verification code:

Confirm user SMS OTP

Use the code we extracted to fill the username field:

Confirm the user by submitting the OTP passcode

Then submit the form:

Sign in and view user data

Now sign into the app:

Sign in after confirmation

Submit the login form and expect a greeting:

If successful we will see the greeting screen (a happy dog):

Conclusion

MFA login using two-factor authentication is an important technology for modern web apps. Testing OAuth SMS flows using SMS services like MailSlurp is a great way to verify user authentication in your application. See the developer docs for more information.