August 24, 2021

How to Test Two-Factor Authentication: A Guide With Use Cases

Mobile Application Testing

Two-factor authentication (2FA) is commonplace in the day-to-day lives of users. We see 2FA in our emails, SMS text messages, banking apps, and many other platforms. More and more applications we test are implementing some form of 2FA.

In this blog, we will cover what 2FA is, provide some examples, and then show you how to perform 2FA testing with Perfecto.

What Is Two-Factor Authentication?

Two-factor authentication (2FA) is a form of multi-factor authentication (MFA) that strengthens security by requiring two means to authenticate your identity (also known as authentication factors).

The first layer of 2FA is usually the username/password, fingerprint, or Face ID a user provides to authenticate their account and move onto step two. The second layer of authentication is added on top of the first. The second layer may be an email with a confirmation link, SMS containing One-Time Password (OTP), or an installed app.

2FA protects logins against phishing, social engineering, and password brute-force attacks. It also prevents logins from attackers who can exploit weak or stolen credentials.

2FA Authentication Testing Use Cases

Now that we have given a high-level overview of 2FA, let us dive into the details of common 2FA use cases. Automating these must-have cases is key for high-quality apps, fast software delivery, and satisfied customers.

User Registration

When a user registers for an app, they are usually asked to input their name and email address. To validate the email address, the app sends an email containing a confirmation link.

After the user receives the link and opens it, they can continue with registration.

Ring email with 2FA — Ring forcibly enables two-factor authentication (2FA) for all user accounts.

Device Authentication

Sometimes, users need to access their email from a new device. For example, the user takes a trip or buys a new phone. When a user tries to log in on the new device, the email vendor must verify the login is legitimate on an unrecognized device.

To distinguish the real login from a hacking attempt, the email vendor sends a suspicious activity alert and SMS containing an OTP to the registered mobile number. The user logs into the application with the OTP. The security notification alerts the user if there is a security breach.

With Perfecto, you can test on mobile devices and desktop web browsers at the same time. You can create scripts that run on both and then observe the results in parallel.

gmail requiring an OTP 2fa to log into a new device — Google requires an OTP verification to log into Gmail on a new device.

Password Reset

We all are guilty of forgetting our passwords — all of us. Fortunately, apps usually have a simple password reset option. However, the app must ensure that clicking ‘reset password’ is not a hacking attempt. Whenever a user requests a password reset, an OTP goes to the phone number associated with the app. Again, the user enters the OTP and moves on to resetting the password.

Password reset should be included in the testing activities because it is a popular activity among users.

Slack password reset page with 2FA — Slack requires an OTP verification to reset a password.

Banking Transactions

Banking credentials and information are always the most coveted information for hackers. Banks have introduced 2FA into all financial transactions and sometimes even during app logins to ensure the safety of their users.

Example 1: Bank Transfer

When a user makes a bank transfer, the bank requires two-factor authentication in the form of an OTP given by SMS or phone call. If the transaction is legitimate, the user will enter the OTP and continue with the transaction. If the transaction is fraudulent, the transfer is stopped since the OTP is unavailable.

Example 2: Other Bank Operations

No matter if a user logs in, changes a setting, or adds a new beneficiary, a 2FA can be needed depending on the bank’s security policy. If the user inputs the OTP correctly, they can continue using the app. The installed app provides the 2FA confirmation for the performed operation. It is essential for ensuring the user’s protection from fraudulent activities.

Related Reading >> Mobile Banking Application Testing

Testing 2FA With Perfecto

If 2FA is a vital feature that is well on its way to becoming a necessity, then testing 2FA must be a priority. Automating your 2FA testing is an important step toward improving and securing your online and mobile apps.

Look at the example below of Salesforce’s two-factor authentication login flow.

Perfecto with appium login with 2FA — Just received the login verification code via SMS.

The standard Appium APIs do not allow you to access third-party applications, but with Perfecto, this is possible. Below is an example using Perfecto’s APIs to implement the next set of steps.

Launch SMS application.
Retrieve the “code.”
Launch Salesforce1 Application.
Enter the retrieved “code” for verification.

Appium and Perfecto salesforce code string

Salesforce 2fa with phone code — A verification code is sent to the user’s email to verify their account.

Bottom Line

Perfecto allows you to automate 2FA tests for all types of applications. The unified platform experience ensures all your test scenarios are in one place and helps synchronize your QA workflow across applications.

Perfecto can help you test advanced use cases, like two-factor authentication, to release apps sooner and deliver exceptional experiences.

Want to give Perfecto a try? See what the world's only end-to-end continuous testing platform can do for you.

Get Demo

The 2023 State of Test Automation