What is the best way to test Multi-Factor Authentication using Cypress?


The application I am testing is sending out an OTP if the user has MFA enabled. I am required to create an E2E test for that functionality. What tool can I use where I can read the incoming messages inside my Cypress tests and enter the OTP while logging in?

I know there's a paid service Mailosaur which allows this but I am looking for cheap/free solutions.


2
Roberta D

If you add otplib to your project, you can side-step email packages altogether.

otplib is a JavaScript One Time Password (OTP) library for OTP generation and verification.

It implements both HOTP - RFC 4226 and TOTP - RFC 6238, and is tested against the test vectors provided in their respective RFC specifications. These datasets can be found in the tests/data folder.

  • RFC 4226 Dataset
  • RFC 6238 Dataset

This library is also compatible with Google Authenticator, and includes additional methods to allow you to work with Google Authenticator.

Add a task to cypress.config.js, then call cy.task('getOTPToken', secret) and use the returned token in your app (instead of the emailed token).

const { defineConfig } = require('cypress');
const otplib = require('otplib');

module.exports = defineConfig({
  e2e: {
    setupNodeEvents(on, config) {
      // Runs in the Cypress Node process, so the secret never has to live in the browser.
      on('task', {
        // Returns the current TOTP code for a base32 authenticator secret.
        getOTPToken(secret) {
          return otplib.authenticator.generate(secret);
        }
      })
    },
  },
})
0
JBernales

Replying a little bit late, as the solution we actively use doesn't appear to be listed.

We have had similar issues with this topic (although our Multi-Factor Authentication System was SMS based).

As we didn't want to bypass our production security mechanisms or re-develop a demonstration mode, we have used a platform that allows assigning temporary virtual phone numbers to users in our apps. The platform is called GetMyMFA, and it allows our app to be reviewed and approved within 24 hours.

To use it we simply created a user in our production application with a virtual phone number attached which we can enable and disable in real time for the App Store review process. That way Apple simply needs to log in to the platform (with a specific and private username/password) and the SMS MFA login code is displayed in the website.

The objectives of building this platform have been:

  • Avoid spending time on a security "bypass" (and all the security issues that often come with it)
  • Avoid building a "demonstration" mode exclusively for Apple
  • Avoid using public websites with public phone numbers accessible to anyone

Our App gets approved within 24h with this system and the user can be easily and safely disabled.