Reliably automating two-factor authentication testing with Selenium

Two-factor and multi-factor authentication (2FA and MFA) are technologies that require little introduction. We’ve all received a code from our bank to login, and we’ve likely all had frustrating experiences when one-time passcodes like this don’t arrive, or don’t work properly.

Clearly, authentication processes are an important step to ensure security for you, and your customer, but it’s also an area where frustration can creep in if the process doesn’t work as intended. That’s why testing 2FA/MFA is so important, but not always easy to do, even with Selenium.

This article will explain the challenges, and how to effectively test authentication processes.

Why test 2FA/MFA?

2FA/MFA is something that’s essential if you handle sensitive information, but because it’s a process that sits outside your app or website, it’s one that’s tricky to test and, as a result, often gets overlooked. But the fact is, if your authentication process doesn’t work as intended, in as short a time as possible, people will get frustrated. This will lead to negative opinions and complaints about your product. That’s too important to ignore.

The problem Selenium users face

While Selenium is an excellent tool for replicating user actions and clicks, it's primarily designed for simulating web browsers experiences and has no native functionality to deal with phone numbers or email addresses. Furthermore, most testers only have access to their own phone to test with. This means they can only test with their own phone number, or a specific app, to gather One-Time Passwords (OTPs), which just doesn’t scale (particularly if you like to take the odd vacation).

How can you test 2FA/MFA with Selenium?

Selenium has the potential to run the tests required to ensure effective 2FA/MFA. It just requires the integration of a tool like Mailosaur. Doing this allows users a much wider suite of tools for testing 2FA/MFA, in every scenario imaginable.

Whether it’s using dedicated testing phone numbers (available in many countries), Mailosaur Authenticator which simulates 2FA apps like 0Auth, Google Authenticator, and more, or unlimited email addresses to capture and test email with, you can use a tool like Mailosaur to ensure authentication codes work as intended.

Plus, you can automate the process in Selenium, so every scenario is regularly checked as part of continuous deployment and regression testing.

To give you an idea, here’s want a typical test to capture an OTP via SMS would might look like with Mailosaur:

String apiKey = "YOUR_API_KEY";
String serverId = "YOUR_SERVER_ID";

// Add Mailosaur testing phone number to this variable
String phoneNumber = "PHONE_NUMBER";

// Instantiate Mailosaur client with api key
MailosaurClient mailosaur = new MailosaurClient(apiKey);

// 1 - Perform an action that sends an otp SMS message to your number (e.g. login)
// https://mailosaur.com/docs/sms-testing

// 2 - Create the search criteria for the sms
MessageSearchParams params = new MessageSearchParams();
params.withServer(serverId);

SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.withSentTo(phoneNumber);

// 3 - Get the sms from Mailosaur using the search criteria
Message sms = mailosaur.messages().get(params, searchCriteria);

// 4 - Retrieve passcode from sms
Code passcode = sms.text().codes().get(0);

System.out.println("SMS OTP code:" + passcode.value());

If you wanted to do the same, but using an authenticator app, here’s how you would capture a code using Mailosaur Authenticator:

String apiKey = "YOUR_API_KEY";

// Instantiate Mailosaur client with api key
MailosaurClient mailosaur = new MailosaurClient(apiKey);

/**
 * This is a base32-encoded shared secret.
 * Typically this is the value shown to a user if they cannot scan an on-screen QR code.
 * Learn more at https://mailosaur.com/docs/mfa
*/
String sharedSecret = "ONSWG4TFOQYTEMY=";
OtpResult currentOtp = mailosaur.devices().otp(sharedSecret);

System.out.println("Authenticator OTP code:" + currentOtp.value());