Testing 2-Factor Authentication

Learn how to pass a verification code in your test.

Some applications require an additional layer of security besides username and password. For example, a popular method is to use 2-Factor Authentication (2FA), which requires you to provide additional identifying information. You can, of course, disable this extra security for certain test users or your entire test environment. In this article, we show you how to test the most common 2FA methods.

Testing a Sign-Up Process That Requires Email Verification

In this example, the application requires users to verify their identity via email when signing up for a new account by retrieving a verification code sent to their email inbox. Follow these steps:

  1. Key in an email address and password on the Sign-up page to create a new account.
  2. Navigate to the email inbox associated with the email address.
  3. Retrieve the verification code from the email you received.
  4. Key in the verification code where required and submit the sign-up request.

To accomplish this test, Rainforest provides test data built into the platform, such as {{random.email}} and {{random.inbox}}. By inserting these placeholders into your test steps, a random and unique email address is generated each time you run the test, as well as a hyperlink to the email inbox.

Writing a Test Using the Visual Editor

Writing a Test Using the Plain-Text Editor

Testing a Sign-Up Process That Requires SMS Verification

In this example, the application requires users to verify their identity via SMS when signing up for a new account by retrieving a verification code sent to an SMS inbox. Follow these steps:

  1. Key in unique information and an SMS number on the Sign-up page to create a new account.
  2. Navigate to the SMS inbox associated with the phone number you provided.
  3. Retrieve the SMS code from the inbox.
  4. Key in the SMS code where required and submit the sign-up request.

To accomplish this test scenario, Rainforest provides two ways to get SMS numbers and inboxes. Both options provide you with an SMS number in +1NNNNNNNN format and a link to the number’s associated SMS inbox. You insert test data placeholders into your test steps, such as {{sms.number}} and {{sms.inbox}}.

  1. Public SMS numbers and inboxes. Use Rainforest’s pool of 40 SMS numbers and associated inboxes, which are available in your account. Note that these numbers are shared across our client base. The inboxes are wiped between uses. For example, suppose the numbers are in use by another client. In that case, your test run might be queued until the numbers are available. Learn more.
  2. Private SMS numbers and inboxes. Purchase your own dedicated pool of SMS numbers and inboxes from Rainforest. This is a good solution when your test suite is large enough to require more than 40 numbers, or you don’t want to share numbers with other customers. Learn more.

Note: For testing sign-up flows with SMS numbers, you must set up a system to clean out the test data (phone numbers and inboxes) from your system between test runs. That way, your system recognizes the phone numbers as brand-new sign-ups each time your test runs. We suggest using your CI tool or Rainforest webhooks for test data management.

Testing a Sign-In Process Using a One-Time Password Sent via Email

If your application requires existing accounts to authenticate via an OTP sent via email, we suggest following these steps:

  1. Compile the data your tests require you to log in to your test accounts and their associated email inboxes using a dynamic data table.
    1. The header columns of your file contain the placeholders required to log in to the test account and log in to the email inbox to retrieve the verification code. For example, use something such as “Username,” “Password,” “Email Address,” and “Email Password.”
    2. The rows contain the sets of login credentials for the test accounts you want to use.
  2. On the sign-up page, insert the username and password placeholders you included in your dynamic data table, such as {{login.username}} and {{login.password}}.
  3. Navigate to the email inbox associated with the email and complete the steps required to log in to the inbox. Note that you must have uploaded the credentials in your dynamic data table, such as {{login.email}} and {{login.emailpass}}.
  4. Open up the received email and retrieve the verification code.
  5. Navigate to the sign-up page and key in the verification code.

Testing a Sign-In Process Using a base32-Encoded Secret to Generate a One-Time Password

Rainforest allows you to issue the OTP by passing the user’s verification code or secret, which you add as test data.

🚧

Security Tip

Exposing sensitive data such as login credentials introduces risk. Only use this technique for test accounts and test environments.

Getting Started

Add a base32-encoded secret as static test data in Rainforest. Assume the placeholder is called {{logins.otp_secret}}. Then use {{ rainforest.otp({{logins.otp_secret}}) }} as the content for a Fill or Type action. This will be replaced during the test execution with the correctly generated otp code.

Make sure that your base32 secret consists only of uppercase letters and the numbers 2-7.

When using the Tester Community:

For tester community tests a different approach is required. Use the following template:

Action
Navigate to “https://otp.rainforestqa.com/code/{{logins.otp_secret}}” in a new browser tab.
Copy the code shown within 15 seconds.
Paste the code into the box on the previous tab.
Confirmation
Is the login confirmation screen visible?


If you have any questions, reach out to us at [email protected].