Testing SMS based authentication (2FA/OTP)

  • Table of contents

How to test applications that use two-factor (2FA) authentication and one-time TXT/SMS message passwords and codes.

MailSlurp provides a phone number and SMS API for testing application login flows using real messages. By testing with SMS you can be certain that your application 2FA/MFA/OAuth flow is functioning correctly.

Many applications use SMS one-time passcodes to verify a users. We can test this functionality with MailSlurp.

What is SMS 2FA and OTP?

SMS two-factor authentication is a common method of verifying user identity during application sign up. During the auth flow a txt message containing a secret code is sent to the user's mobile phone. The application then asks the user to enter the code to prove that they have access to the mobile and are therefore the user in question.

what is otp

How can we test this?

Testing application is a very important part of software development. But testing SMs login can be difficult if each user is tied to a real phone number. For that reason many devs use MailSlurp to generate real phone numbers and use these in tests to capture inbound txt messages and extract their content.

This process is often written in an automated test framework like Selenium, CypressJS or Playwright in conjunction with the MailSlurp plugin. Here is an example of what waiting for an expected SMS message looks like:

await page.click('[data-test="sign-up-create-account-button"]');
// wait for verification code
const sms = await mailslurp.waitController.waitForLatestSms({
  waitForSingleSmsOptions: {
    phoneNumberId: phone.id,
    unreadOnly: true,
    timeout: 30_000,
// extract the confirmation code (so we can confirm the user)
const code = /([0-9]{6})$/.exec(sms.body)?.[1]!!;

SMS testing Features

With MailSlurp you can create test phone numbers in multiple regions including US and UK. These numbers can be controlled in code and tests to verify test users. Test your application in any language or framework, submit the phone number during sign-up, then use MailSlurp's waitFor methods to capture the expected SMS and extract a confirmation code. Use this confirmation code to complete sign-up with a test user and confirm authentication in your application.

sms otp testing sequence

If you're ready to try it out see these links below to get started or read on for more details: