How to Test Two-Factor Authentication: A Guide with Use Cases
By Kalpalatha Devi, Community Contributor - October 19, 2022
With the growing importance of data, there has been a rise in cybersecurity threats and data breaches globally. Information security is the top-most factor for any individual or group amidst the increasing risk of a data breach. Cybercrime has become a challenging factor for software users and developers in today’s fast-paced world. Since most data breaches are financially motivated, it is important to secure user data.
Initially, single-factor authentication (SFA) alone was enough to secure data.
But with the sharp rise in cybercrime, multi-factor authentication has become essential. Let us explore two-factor authentication (2FA).
What is 2FA?
Authentication is the process of proving that a presented claim is valid. In simple terms, it is the verification of an individual’s identity before granting access to a website or a virtual private network. To log in to a website, the user presents a username and a password as authentication.
Two-factor authentication provides an additional layer of protection: in addition to the login credentials, users must supply a second factor such as a PIN, answers to security questions, a one-time password (OTP) or a biometric.
Once 2FA is enabled for a user account, after entering the username and password, the user must also provide a security code, which is sent to their registered mobile number or email address.
Types of Authentication
There are three types of authentication factors:
- Something you know: a password or personal identification number (PIN); this factor is based on the user’s knowledge.
- Something you have: an OTP delivered by SMS or a cryptographic hardware token; this factor is based on the user’s possession.
- Something you are: biometrics such as fingerprints, face recognition or voice recognition; this factor is based on inherence.
Use Cases of 2FA
Let’s explore various use cases where 2FA can be enabled and tested.
- User account creation
- User account recovery
- Monetary transactions
- Network security
- Unknown device or location
User Account Creation
Digitalization has led to the creation of user accounts that authorize new users to perform various activities online, from shopping to entertainment, reading, networking, etc. Users will have credentials such as a username and password, but these alone do not fulfill the security requirement, since there is always a threat of a data breach that can lead to the online account being hacked. So, to add another layer of authentication and security, users can enable 2FA for their accounts.
User Account Recovery
It is common for users to forget their passwords. When a user selects the Forgot Password option, their account can be recovered using the additional recovery option they enabled, such as an OTP (2FA), in addition to user-provided inputs such as security questions or an alternative email address.
Monetary Transactions
With the growing digitalization of the banking sector, a large number of users make financial transactions via internet banking or mobile banking apps. For every transaction, the user has to enter an OTP sent to the registered mobile number and email, in addition to the credentials required, for the transaction to complete successfully and safely.
Network Security
On a shared network, security is often weak, as the network can be easily compromised. Hence 2FA is used as an additional layer of security: an OTP generated by an RSA security token, together with the user credentials, is required to access a secured network. The idea is that two unrelated proofs of identity are presented by the user to the resource being accessed, which provides the security.
Login Access from an unknown location or device
Sometimes, if a user’s account is logged into from another location or from another device, they will get a security alert via email. This could be a potential hacking attempt. However, when additional security is added to the account, such compromised access can be prevented. Hence, 2FA is enabled for the user account to safeguard it from such an incident.
To understand how 2FA works for user account creation, here is an example of logging in to a LinkedIn account.
Step 1: On the sign-in page, the user enters their user ID and password.
Step 2: If 2FA is enabled for the user, a security code is requested.
If 2FA is not enabled, here’s how you can enable it.
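A minimal model of the two-step flow above, written here as an added example (not LinkedIn’s or BrowserStack’s code) of the step-2 checks a QA would exercise: a wrong code, an expired code, a code reused after a successful login, and an attempt limit. The 5-minute validity, the 3-attempt limit, the sample user and the injectable clock are assumptions made for this example.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed: a security code stays valid for 5 minutes
MAX_ATTEMPTS = 3        # assumed: a challenge locks after 3 wrong codes

# Constructed sample user store: username -> password and registered contact.
USERS = {"alice": {"password": "correct horse", "contact": "alice@example.com"}}


class TwoFactorLogin:
    """Step 1 checks the password; step 2 checks the one-time code sent to the user."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so a test can simulate expiry
        self.challenges = {}    # username -> {code, expires, attempts, used}

    def step1_password(self, username, password):
        """Return the generated code (delivered out of band in a real system) or None."""
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[username] = {"code": code, "expires": self.now() + OTP_TTL_SECONDS,
                                     "attempts": 0, "used": False}
        return code

    def step2_code(self, username, code):
        """Return 'ok' or the reason the code was rejected."""
        ch = self.challenges.get(username)
        if ch is None:
            return "no_challenge"
        if ch["used"]:
            return "already_used"      # a code is single use, even if still within its TTL
        if self.now() > ch["expires"]:
            return "expired"
        if ch["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        ch["attempts"] += 1
        if not hmac.compare_digest(ch["code"], code):
            return "locked" if ch["attempts"] >= MAX_ATTEMPTS else "wrong_code"
        ch["used"] = True
        return "ok"


if __name__ == "__main__":
    login = TwoFactorLogin()
    code = login.step1_password("alice", "correct horse")
    print("step 2 with the delivered code:", login.step2_code("alice", code))
    print("step 2 replaying the same code:", login.step2_code("alice", code))
```

Each rejection reason is a separate test case; a real device or browser session is still needed to verify that the code actually arrives on the registered channel.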
These use cases of 2FA have to be tested beforehand to ensure that they work as expected. However, to test 2FA, a QA has to test it under real user conditions; otherwise, the test might not give accurate results. Testing on real devices and browsers is the only reliable way to ensure the seamless functioning of 2FA for a given application. However, building such an infrastructure would be very costly and would require regular maintenance. This raises the question of build vs. buy: QAs can either build an in-house device lab or buy a subscription to a real device cloud. Buying would be cheaper, and the subscription could be chosen on demand based on the testing requirement.
Using a real device cloud infrastructure like BrowserStack would enable QAs to test their 2FA functionality for both web and mobile apps using BrowserStack Live and BrowserStack App Live, respectively. It allows access to 3000+ real device and browser combinations to test on, hence giving maximum test coverage. You can run test cases on different browser-device combinations with parallel testing for a faster test cycle. Test results can be easily shared with the team using Slack, Jira and Trello integrations for better debugging, to deliver a seamless end-user experience.