How to Write Test Cases for OTP Verification

Whether it's online banking, e-commerce transactions, or accessing personal data, ensuring that only authorized users gain access is critical. A widely adopted security measure is One-Time Password (OTP) verification.

Writing effective test cases for OTP verification helps ensure correct functionality and helps avoid security breaches. This blog will discuss how to write comprehensive test cases and best practices for following them.

Understanding OTP Verification

A One-Time Password (OTP) is a unique, temporary code for a single use. Unlike traditional passwords, OTPs are valid for only one use, reducing the risk of unauthorized access.

You can receive an OTP via SMS, email, authenticator apps, voice calls, or push notifications. OTP verification mitigates risks associated with static passwords, such as hacking, phishing, and credential stuffing.

OTPs are commonly seen during banking transactions, e-commerce purchases, password recovery, or account registrations.

While OTPs are helpful, network problems, delays in OTP delivery, and, in extreme cases, the interception of OTPs can cause serious concerns. It is always a good practice to perform tests to ensure correct OTP functionality. To understand this, let’s find out how to write test cases for OTP verification. First, preparation.

Preparing to Write OTP Test Cases

Gather Requirements

Before writing test cases, it's crucial to understand the application's OTP functionality thoroughly:

• OTP Generation Logic: How is the OTP generated? Is it time-based, random, or sequential?
• Validity Period: How long is the OTP valid?
• Retry Limits: How many attempts are allowed?
• Delivery Methods: Which channels are used to send OTPs?
• Error Handling: How does the system respond to invalid inputs?

Identify Test Scenarios

Some test scenarios could be:

• Successful Verification: User enters the correct OTP within the validity period.
• Invalid OTP Entry: User enters an incorrect OTP.
• Expired OTP: OTP is used after its validity period.
• Multiple Requests: User requests OTP multiple times.
• Network Failures: OTP delivery fails due to connectivity issues.

Set Up Test Environment

• Testing Tools: Real devices ensure you test on true network conditions. This provides authentic cellular connectivity essential for testing SMS and voice call OTPs.
• Access Rights: Obtain necessary permissions to test all aspects of the OTP process.
• Simulate Environments: Set up environments that mimic production settings, including network conditions.

Define Test Data

Prepare a mix of:

• Valid Data: Correct OTPs within the validity period.
• Invalid Data: Incorrect OTPs, expired OTPs, and malformed inputs.
• Boundary Cases: Inputs at the edge of validity, like before expiration.

Understand Acceptance Criteria

Clearly define what counts as a pass or fail for each test case. This could include:

• Success Messages: Confirmation upon successful OTP entry.
• Error Messages: Appropriate feedback for invalid or expired OTPs.
• Security Responses: Account lockout after repeated failed attempts.

Once you’ve prepared well, writing test cases becomes easy. So, what would an effective OTP test case include?

Read: Step-by-Step Guide to  Mobile App Security Testing

Writing Effective OTP Test Cases

Structure Test Cases Properly

A well-structured test case should include:

• Test Case ID: Unique identifier.
• Description: Brief explanation of the test case.
• Preconditions: Any setup required before execution.
• Test Steps: Detailed steps to execute the test.
• Test Data: Specific data inputs are required.
• Expected Result: The anticipated outcome.
• Actual Result: The outcome after execution (filled during testing).
• Status: Pass or Fail (determined during testing).

Cover Positive Scenarios

• Valid OTP Entry: Verify access is granted when the correct OTP is entered.
• Resend OTP: Ensure the user can request a new OTP if needed.

Include Negative Scenarios

• Invalid OTP Entry: Test how the system handles incorrect OTPs.
• Expired OTP: Verify that an OTP cannot be used after its validity period.
• Multiple Failed Attempts: Check account lockout mechanisms.
• SQL Injection/XSS: Test for vulnerabilities in OTP input fields.

Test Edge Cases

• Rapid Submissions: Enter OTPs quickly in succession to test rate limiting.
• Multiple OTP Requests: Request multiple OTPs and test which one remains valid.
• Empty Fields: Submit the form without entering an OTP.
• Long Inputs: Enter OTPs longer than expected to test input validation.

Ensure Reusability

• Modular Test Cases: Write test cases that can be easily adapted for future changes.
• Clear Documentation: Provide detailed descriptions and rationales.

Considering all this, let’s look in more detail at what test cases for OTP verification must include.

Also read: Guide to FinTech App Testing For Improved Functionality and Security

Test Cases for OTP Verification

1. OTP Generation and Delivery Tests

• Verify OTP Generation: In this OTP scenario, Confirm that OTP is generated correctly and meets the specified complexity (e.g., 6-digit numeric code).
• OTP Delivery Channels: Test OTP delivery across various channels, such as SMS, email, and push notifications, ensuring they are received promptly.
• Single OTP Generation Per Request: Ensure only one OTP is generated per authentication request, preventing multiple codes from being issued for the same request.

2. OTP Expiry Tests

• OTP Expiry Time: Verify that the OTP expires within the configured time limit, e.g., 30 seconds or 1 minute.
• Expired OTP Rejection: Ensure that expired OTPs are rejected and that an appropriate error message is displayed to the user.
• Time Sync Check for TOTP: In Time-based One-Time Password (TOTP) systems, validate that the OTP is synchronized with server time and accommodates minor time drift if allowed.

3. OTP Reuse and Multiple OTP Tests

• Single-use OTPs: Confirm that OTPs cannot be used more than once.
• New OTP Invalidation: Verify that generating a new OTP invalidates any previous OTP, preventing the reuse of old codes.
• Concurrent OTPs: Ensure only the most recent OTP remains valid, and all previous OTPs are invalidated upon generation of a new one.

4. Rate Limiting and Brute Force Protection Tests

• Failed Attempt Lockout: Confirm the account is temporarily locked after a set number of failed OTP entries.
• IP Blocking: Ensure rate-limiting is in place to block repeated OTP requests from the same IP address, preventing potential brute-force attacks.
• Error Messaging: Verify that clear error messages (e.g., "Invalid OTP") are displayed to prevent attackers from gathering information.

5. OTP Length and Complexity Tests

• Minimum OTP Length: Confirm OTPs are generated with the required minimum length, such as 6 digits.
• Randomness: Ensure that OTPs are generated using a secure random function and are unique, reducing predictability.
• Keyspace Check: Verify the OTP generation process meets security standards for complexity, preventing simple or repetitive patterns.

6. Logging and Notifications

• OTP Usage Logging: Confirm that all OTP generation and validation attempts are logged for security monitoring.
• User Notifications: Verify that users receive a notification (e.g., via email or SMS) whenever an OTP is used for login, including time and location details for security awareness.

7. Session Management and Security Tests

• Session Validation: Confirm that OTPs are tied to specific user sessions and cannot be reused across sessions.
• Session Expiration: Ensure sessions are terminated after the OTP expires, preventing unauthorized access.
• Direct API Access Security: Test if bypassing OTP via direct API requests or any other back-end routes is possible, ensuring all routes enforce OTP authentication.

8. Edge Case and Usability Tests

• Network Delays: Test OTP delivery under various network conditions to assess user experience when experiencing delays.
• Multiple Requests: Verify that multiple OTP requests do not result in delayed OTP delivery or cause confusion.
• Accessibility Testing: Adhere to accessibility standards and confirm that OTP authentication flows are accessible to all users, including those with disabilities.

9. Backup and Recovery Tests

• Recovery Codes: Verify that recovery codes, if used, are securely generated, stored, and only allowed for one-time use.
• Alternative Authentication: Test alternative authentication methods for users who cannot access OTP (e.g., due to device loss), ensuring they meet security standards.

10. Multi-factor Authentication Integration Tests

• MFA Integration: Ensure OTP integrates well as a second factor in multi-factor authentication setups where OTP is required in addition to a password.
• Bypass Attempts: Test the system for vulnerabilities by bypassing OTP through federated login options, APIs, or privileged accounts.

With that, you should expect OTP testing to yield impactful results. What other best practices can you keep in mind for OTP testing?

Check out: A Guide to 5G network performance testing

Best Practices for OTP Testing

Use Automation Tools

Automating OTP testing can significantly increase efficiency:

• Automated Scripts: Use tools like Selenium or Appium to automate OTP entry and validation.
• Simulate OTP Generation: Mock OTP generation to bypass external dependencies during testing.

Test on Real Devices

• Actual User Conditions: Testing on real devices ensures the OTP feature works across different hardware and software configurations.
• Device-Specific Issues: Identify problems that may not appear on emulators or simulators.

Simulate Network Conditions

• Variable Connectivity: Test under different network strengths, including 2G, 3G, 4G, and unstable connections.
• Airplane Mode: Check how the app behaves when the device is offline.

Monitor Logs and Reports

• Server Logs: Analyze backend logs to verify OTP generation and validation processes.
• Error Tracking: Use monitoring tools to catch exceptions and errors in real-time.

Ensure Security Compliance

• Data Encryption: Verify that OTPs are transmitted securely over encrypted channels.
• Compliance Standards: Ensure adherence to GDPR, PCI DSS, or HIPAA where applicable.
• Vulnerability Scanning: Conduct security testing to identify potential weaknesses.

Conclusion

Thorough testing of OTP verification processes is essential to maintaining an application's security and trustworthiness. By writing detailed test cases and following best practices, testers can locate and fix potential issues in the OTP workflow. This enhances the application's security and improves user experience by ensuring reliable and smooth authentication processes.

HeadSpin offers a robust platform for testing and monitoring mobile applications, including OTP verification features. With access to real devices and advanced automation capabilities, HeadSpin enables teams to validate OTP processes across various environments efficiently, ensuring a seamless user experience.

Connect now.

FAQs

Q1. Can OTP testing be automated?

Ans: Automating OTP testing can improve efficiency and accuracy by simulating user interactions and OTP processes. Automation tools can handle repetitive tasks and validate the OTP functionality across different scenarios.

Q2. Why should testing be done on real devices?

Ans: Testing on real devices ensures the application performs correctly under user conditions and device-specific scenarios. It helps identify issues that may not surface in emulators or simulators, such as hardware compatibility problems or real-world network conditions.

Q3. How do network conditions affect OTP verification?

Ans: Network issues can delay OTP delivery or verification, leading to a poor user experience. Testing under various network conditions helps ensure that the OTP system remains reliable and provides timely authentication regardless of connectivity challenges.