How to Write Test Case For OTP Verification With Samples

One-time passwords, or OTP, are a necessary step to secure data and authenticate the users. Any online transaction, including credit/debit cards, ask for OTP to ensure the trustworthiness of the payer. Being the most critical security aspect of monetary transfers, OTP functionality requires proper testing and accurate verification. We guide you to create OTP test cases in this blog with examples. It will help you understand the test case design techniques and apply the same to other areas of testing.

What is OTP?

OTP is a dynamic authentication code valid for a single use, enhancing security in online transactions. Typically delivered via SMS or generated by authenticator apps, OTP adds an extra layer of protection beyond traditional passwords. Its necessity lies in preventing unauthorized access, reducing the risk of identity theft, and ensuring secure financial transactions.

For instance, when logging into a banking portal, the user receives a time-sensitive OTP on their registered mobile, confirming their identity and safeguarding against potential cyber threats. OTPs play a crucial role in fortifying digital interactions and bolstering user authentication protocols.

Why Use OTP?

By now, you know that OTPs are essential to preventing identity theft. But their usage is not limited to just a single benefit. They are pivotal for enhancing security in digital interactions. Unlike static passwords, OTPs provide dynamic authentication, reducing the risk of unauthorized access. They are crucial in safeguarding sensitive data during online transactions, account logins, and identity verification processes. The time-sensitive nature of OTPs ensures that even if intercepted, they become obsolete after a short period, adding an extra layer of protection. OTPs are basically fighting cybercrimes singlehandedly, one authentication at a time.

Why is OTP Testing Performed?

In one line, OTP testing is performed to reduce or eliminate the risks associated with unauthorized access to security flows. However, the long answer explores the multi-faceted properties of OTP that all need proper testing, and all of them necessitate rigorous testing:

• OTPs are time-sensitive; testing ensures that OTPs expire appropriately, preventing the use of outdated codes for security purposes.
• OTP tests add an extra layer of protection to a number of security actions, such as generating new passwords, triggering monetary transactions, and blocking online transfers in some cases.
• Rigorous testing helps identify vulnerabilities and weaknesses that could be exploited by attackers attempting to bypass the OTP authentication.
• Overall, OTP testing is essential to verify the effectiveness, reliability, and security of the authentication process.

Let’s take a real-life example of logging into Gmail from a new device. Whenever an existing Gmail account is logged in from a new device, a notification message comes on the older device to authenticate the login attempt. Below is the image showing the 2-step verification process:

Image source

Although this process is different from OTP, the function is the same: both verify the identity of the user doing the login or transaction.

Test Cases For OTP

Many feel that the role of OTP is fairly simple, no matter how critical. So, there would be test cases for OTP that are easily executable. However, the reality is different from this thought. Robust testing of One-Time Passwords (OTPs) is paramount, which shows the many OTP tests that are necessary to carry. Below is the comprehensive set of test cases, both positive and negative, to ensure the flawless functionality and reliability of OTPs in authenticating users and safeguarding sensitive information.

Further read – Test Cases for Registration Page

Positive Test Cases for OTP

• Successful OTP generation and delivery via SMS.
• Accurate validation of a correctly entered OTP.
• Seamless integration with multi-factor authentication processes.
• Time-sensitive expiration of OTPs.
• Efficient handling of concurrent OTP requests.
• Reliable OTP delivery through email.
• Appropriate response to valid OTP input in various applications.
• Successful OTP validation with minimal user latency.
• Proper functioning of OTPs across different devices.
• Error-free OTP generation for diverse user accounts.
• Smooth integration with third-party OTP authenticator apps.
• Testing OTP resend option for the same transaction action.
• Testing system response to rapid consecutive OTP requests.

Negative Test Cases for OTP

• Invalid OTP entry resulting in rejection.
• Excessive attempts leading to temporary account lockout.
• OTP verification failure for expired codes.
• Unsuccessful OTP delivery due to network issues.
• Incorrect input handling with alphanumeric OTPs.
• Testing the system’s response to delayed OTP delivery.
• Security validation for tampered or manipulated OTPs.
• Testing the system’s response to receiving duplicate OTPs.
• Handling scenarios where OTPs are not delivered or received.

How Do You Write Test Cases for OTP?

To ensure the effectiveness of One-Time Passwords (OTPs), meticulous test case creation is necessary. Crafting test cases for OTP involves a strategic approach to validate their generation, delivery, and authentication processes. Here’s the step-by-step process for writing comprehensive test cases for OTPs:

• Define scenarios like new user registration, login attempts, and sensitive transactions requiring OTP validation.
• Detail how OTPs are generated—via SMS, email, or third-party authenticator apps.
• Specify test cases for OTP delivery channels, ensuring accurate transmission through various mediums.
• Validate OTPs’ time-sensitive nature, ensuring they expire after the designated timeframe.
• Assess the system’s capability to handle multiple OTP requests simultaneously without compromising security.
• Create test cases to evaluate the system’s response to incorrect OTP entries, expired codes, and other potential errors.
• Assess the integration of OTPs with third-party authenticator apps, confirming successful validation.

Test Cases for OTP Code Verification

As mentioned earlier, OTP test cases are many and require varying efforts for execution. We list some of the popular and necessary OTP code verification tests every tester would likely encounter. You can follow the test case template of your choice to define and describe all these tests.

Check if OTP is Generated and Sent to the Correct User

• Generate OTP for a new user registration.
• Ensure the correct user receives the OTP via SMS.
• Confirm the accurate delivery of OTP to the correct email address.
• Test OTP generation and delivery for an existing user’s login.
• Check the timely delivery of OTP for a sensitive transaction.
• Validate OTP generation for users with special characters in their credentials.
• Test OTP delivery across different geographic locations.

Verify the OTP Input Field

• Confirm the existence of an input field for OTP entry.
• Check for the proper labeling and description of the OTP input field.
• Verify the input field’s responsiveness across various devices.
• Test the field’s ability to accept numeric values only.
• Check if the input field accommodates the pasting of OTP values.
• Confirm that the OTP input field supports auto-fill functionality.
• Test the field’s behavior when attempting to input more characters than required.

Verify OTP Length

• Validate that the OTP length meets the defined requirements.
• Test the system’s response to OTPs with fewer characters.
• Check for accurate validation of OTPs with additional characters.
• Confirm that the system rejects OTPs with lengths exceeding the defined limit.
• Test OTP lengths for variations, including alphanumeric characters.
• Verify the consistency of OTP length across different delivery channels.
• Test OTP length with respect to multi-factor authentication scenarios.

Verify OTP Expiration Time

• Confirm the OTP’s expiration time aligns with defined security policies.
• Test the system’s response when entering an expired OTP.
• Validate the accuracy of expiration time during high server loads.
• Test the system’s response when attempting to reuse an expired OTP.
• Confirm that the expiration time is consistent across various delivery methods.

Check if OTP is Verified Successfully

• Verify the successful validation of a correct OTP.
• Test OTP verification for various use cases, such as login and transactions.
• Confirm that OTP verification grants access to the intended user account.
• Assess the system’s response to verifying expired but valid OTPs.
• Check if the system allows multiple successful verifications for a single OTP.
• Test the accuracy of OTP verification in offline scenarios.
• Validate OTP verification for users with account recovery scenarios.
• Test the system’s behavior when verifying OTPs across multiple sessions.
• Validate OTP verification for users with multiple active sessions.
• Test OTP verification in scenarios involving concurrent login attempts.

Check if incorrect OTP is Rejected

• Confirm that entering an incorrect OTP results in rejection.
• Test the rejection of expired OTPs during verification attempts.
• Validate the rejection of OTPs with extra characters.
• Confirm that the system denies access after multiple incorrect OTP attempts.
• Test the rejection of OTPs with incorrect lengths.
• Check the system’s response when attempting to reuse a rejected OTP.
• Verify the rejection of OTPs for users with locked accounts.

Check if the User can Request Another OTP

• Test the ability to request a new OTP after a failed verification attempt.
• Check if the user can request another OTP during the initial registration process.
• Verify the system’s response when requesting multiple OTPs in a short time frame.
• Test the functionality of requesting a new OTP for different user scenarios (login, transactions, etc.).
• Confirm if requesting another OTP affects the validity of the previously sent OTP.
• Assess the system’s behavior when attempting to request multiple OTPs simultaneously.
• Validate the user’s ability to request a new OTP after a successful verification.
• Test the system’s response to frequent OTP requests from the same user.
• Check if requesting another OTP impacts the expiration time of the previous OTP.
• Verify the accuracy of OTP requests for users with account recovery situations.
• Assess the system’s behavior when requesting multiple OTPs across various devices.

Check if OTP is Sent to Multiple Devices

• Confirm the simultaneous delivery of OTPs to the user’s registered email and mobile number.
• Test OTP delivery to multiple devices associated with the same user account.
• Check if the system supports sending OTPs to both primary and secondary contact details.
• Test the consistent delivery of OTPs to multiple devices during high server loads.
• Assess the system’s behavior when a user has multiple active sessions on different devices.
• Confirm that OTPs are sent to all registered devices, ensuring comprehensive coverage.
• Check if users receive OTPs on both SMS and email channels simultaneously.
• Test OTP delivery to users with account recovery scenarios involving multiple devices.

Verify the OTP Input Field with Special Characters

• Test the input field’s ability to accept OTPs with alphanumeric characters.
• Confirm the system’s response when entering special characters in the OTP input field.
• Verify the accurate validation of OTPs with special characters during the verification process.
• Test the input field’s behavior when entering a mix of letters, numbers, and symbols.
• Assess the system’s response to entering special characters at the beginning or end of the OTP.
• Confirm that the input field does not allow spaces or invalid characters in the OTP.
• Validate the input field’s support for copy-pasting OTPs with special characters.
• Test the system’s behavior when entering special characters in the OTP field with auto-fill functionality.
• Check if the system accurately verifies OTPs with special characters from multiple devices.
• Verify the input field’s responsiveness to special characters during rapid consecutive attempts.

Check if the User Can Resend the OTP

• Confirm the user’s ability to resend the OTP during the initial registration process.
• Test the system’s response when attempting to resend an OTP after a failed verification.
• Verify the accurate delivery of the resent OTP to the user’s registered contact details.
• Check if the user can resend the OTP during a transaction or login attempt.
• Test the system’s behavior when users resend OTPs multiple times in quick succession.
• Confirm that resending the OTP invalidates the previous OTP.
• Validate the user’s ability to resend OTPs for account recovery scenarios.
• Check if the system accurately handles OTP resending requests from users with multiple active sessions.
• Verify the accurate expiration time of resent OTPs compared to the initial delivery.

Check if the OTP Input Field has a Character Limit

• Confirm the existence of a character limit for the OTP input field.
• Test the input field’s behavior when entering OTPs within the defined character limit.
• Verify the accurate validation of OTPs with the maximum allowed characters.
• Check if the system prevents entering OTPs that exceed the defined character limit.
• Validate the input field’s responsiveness when reaching the character limit during manual entry.
• Test the system’s behavior when entering OTPs with the maximum character limit using copy-paste.
• Confirm that the system handles OTPs with varying lengths up to the defined limit.
• Check the input field’s behavior when entering OTPs with the minimum allowed characters.
• Test the system’s response to entering OTPs with lengths close to the defined limit.
• Verify that the character limit is consistent across OTP delivery channels (SMS, email, etc.).
• Assess the input field’s responsiveness when users attempt to exceed the character limit using different devices.

Verify the OTP Validation Process

• Test the system’s ability to accurately validate a correct OTP.
• Confirm the verification process for OTPs received via SMS.
• Validate the verification process for OTPs delivered through email.
• Test the system’s response to verifying OTPs with special characters.
• Confirm the accurate validation of OTPs entered with spaces.
• Verify the OTP validation process for users with multiple active sessions.
• Test the system’s behavior when verifying OTPs across different devices.
• Validate the accurate verification of OTPs during high server loads.
• Check the system’s response to verifying OTPs with varying lengths.
• Test the verification process for expired but valid OTPs.
• Confirm the successful validation of OTPs during account recovery scenarios.
• Verify the system’s ability to handle concurrent verification attempts.

Check if OTP Input is Case-Insensitive

• Test the OTP input field’s response to uppercase OTP entries.
• Confirm the system’s behavior when entering OTPs in lowercase.
• Validate the case-insensitivity of the OTP input field during manual entry.
• Test the system’s response to mixed-case OTP entries (e.g., UppErCaSe).
• Confirm that the system accurately validates case-insensitive OTPs.
• Validate the case-insensitivity of OTPs received via SMS.
• Test the OTP input field’s behavior when entering case-insensitive OTPs with special characters.
• Check if the system accurately handles case-insensitive OTPs entered through copy-paste.
• Validate case-insensitive OTP verification during account recovery scenarios.
• Check if the system accurately handles case-insensitive OTPs with spaces.
• Test the case-insensitivity of OTP validation for users with multiple active sessions.

Check if OTP is Sent to the Correct Country Code

• Validate the accurate delivery of OTPs to users with different country codes.
• Confirm the system’s behavior when delivering OTPs to users with invalid country codes.
• Check if the OTP is sent to the correct country code during account recovery scenarios.
• Validate the consistent delivery of OTPs to users in different geographic locations.
• Test the system’s response to delivering OTPs with varying lengths in the country code.
• Confirm that the system accurately handles OTP delivery to users with multiple active sessions.
• Validate OTP delivery to users with spaces in their country codes.
• Test the system’s behavior when delivering OTPs with uppercase country codes.
• Check if the OTP is sent to the correct country code for users with account recovery scenarios.
• Confirm the accurate delivery of OTPs to users with varying country code formats.
• Test OTP delivery to users with country codes containing special characters.

Check if the OTP Input Field is Disabled After Successful Verification

• Test the OTP input field’s behavior after a successful verification attempt.
• Confirm that the OTP input field becomes disabled following a successful login.
• Validate the system’s response when attempting to input additional characters after successful verification.
• Check if the system prevents entering new OTPs after successful verification.
• Confirm that the OTP input field remains disabled during multiple successful verification attempts.
• Validate the system’s behavior when copying and pasting OTPs into a disabled input field.
• Test the consistent disabled state of the OTP input field across different devices.
• Confirm that the OTP input field remains disabled during account recovery scenarios.
• Validate the disabled state of the OTP input field after a successful transaction verification.
• Test the disabled state of the OTP input field after successful verification on multiple devices.
• Confirm the system’s response to the disabled OTP input field in scenarios involving concurrent login attempts.

Check if a User is Notified of OTP Resend

• Test the system’s ability to notify users of successful OTP resend requests.
• Confirm that users receive notifications for unsuccessful OTP resend attempts.
• Validate the notification of OTP resend during the initial registration process.
• Check if the system notifies users of OTP resends after failed verification attempts.
• Test the system’s response to frequent OTP resend requests from the same user.
• Confirm that users are notified when attempting to resend an expired OTP.
• Validate notifications for successful OTP resends during account recovery scenarios.
• Confirm that users receive notifications for OTP resends on both SMS and email channels.
• Test the system’s response to notifying users of unsuccessful OTP resends due to network issues.

Check if the OTP Input Field is Disabled After a Certain Number of Attempts

• Confirm that the OTP input field becomes disabled after exceeding the allowed attempts.
• Validate the system’s behavior when entering correct OTPs after disabling the input field.
• Test the disabled state of the OTP input field after reaching the defined attempt limit across different devices.
• Check if the system prevents entering new OTPs after the input field is disabled due to attempts.
• Confirm that users receive notifications when the OTP input field is disabled.
• Confirm the system’s response when attempting to input additional characters after the field is disabled.
• Validate the disabled state of the OTP input field after successful verification on multiple devices.
• Test the disabled state of the OTP input field after a certain number of unsuccessful attempts.
• Confirm that the OTP input field remains disabled during multiple successful verification attempts.
• Validate the system’s behavior when copying and pasting OTPs into a disabled input field.

Check if the User is Locked out After a Certain Number of Attempts

• Confirm that the user account is locked out after exceeding the defined attempt limit.
• Validate the system’s behavior when entering correct OTPs after the user account is locked out.
• Test the locked-out status of the user account across different devices.
• Check if the system prevents additional OTP attempts after the user is locked out.
• Confirm that users receive notifications when their account is locked out due to unsuccessful attempts.
• Validate the locked-out status of the user account during account recovery scenarios.
• Test the consistent locked-out status of the user account for users with multiple active sessions.
• Confirm that the user account remains locked out during multiple successful verification attempts.
• Validate the system’s behavior when copying and pasting OTPs into the input field after the user account is locked out.

How to Automate OTP Test Cases?

Among the multiple test cases listed above, we will pick a couple of them to automate using Testsigma. Such examples will help you understand the role of automation testing in verifying scenarios like OTP and learn how Testsigma test automation tool can help with creating and executing test cases.

Let’s look at the first scenario, where you need to check if OTP is generated and sent to the correct user. Here are the steps to follow:

• Identify and navigate to the URL to test. Here, we are considering the transaction action, which will trigger an OTP to the registered email address or phone number.
• Next, use pre-defined NLPs available in the Testsigma tool to write test cases.
• The below image shows the steps that take the user from the flight booking page of Simply Travel. First, the user selects the flight by entering the necessary details. Learn how to create test cases in Testsigma.

• Thereafter, the user fills out their information, such as first name, last name, gender, phone number, date of birth, passport number, email address, and passport expiration date.

• Then, on the pricing page, the user enters their card details to initiate the OTP send option.

• Verify that the OTP is received at the registered email address or phone number via SMS.

Another example we can look at is verifying the expiration of the received OTP. Most of the test steps are similar to testing OTP generation, but for your better understanding, here are the steps in sequence:

• Identify and navigate to the URL to test. Here, we are considering the transaction action, which will trigger an OTP to the registered email address or phone number.
• Next, use pre-defined NLPs available in the Testsigma tool to write test cases. The tests remain the same till you get to the pricing page, where you will generate the OTP during the final payment stage.
• Trigger the OTP send action by performing the necessary payment through a credit card.
• Verify that the OTP is received in the registered email address or phone number via SMS.
• Lastly, wait for the specified amount of time (usually 5-10 minutes), and then enter the OTP in the input field.
• Confirm that an error message is shown saying that OTP has expired.

Conclusion

OTPs are an essential part of any online transaction. Thus, OTP testing is an equally important and critical part of developing systems that trigger such functions. OTP test cases include a myriad of scenarios and steps that focus on covering all the aspects of one-time passwords, including their generation, expiration, time-sensitive and case-sensitive nature, and more. All of these tests are listed in this blog for your consideration.

In terms of automation, tools like Testsigma take the manual labor out of the work and ease up the work by automating all the parts of the testing process. You can save your time and effort tenfold by automating web testing along with mobile and API.

Frequently Asked Questions

Can we automate OTP testing in Selenium?

Yes, you can automate OTP testing in Selenium. Selenium can interact with web elements, including OTP input fields, and simulate user actions to validate the OTP entry and verification process. However, the automation script needs to consider the security aspects and restrictions associated with OTPs.

For a more secure and efficient approach, consider using testing tools like Testsigma, which supports OTP testing with built-in features.