In this post, we discuss test cases for OTP (one-time password). To write test cases for OTP, we need to understand how the system works. OTP systems work over both email and SMS to a mobile device, and the test cases differ depending on which channel you wish to test. Let's first discuss how OTP works in general.
How OTP works for Authentication
Let's assume an OTP system is implemented on an online handicraft store. A user purchases a product and proceeds to pay for it. When they reach the payment section, the system asks for debit card or net banking details. Once they enter these, the OTP is triggered: an SMS message is sent from the server to the user's mobile phone. When the user enters the code into the system, it is sent to the server, where it is matched against the server's own entry. If it matches, the system allows the user to complete the transaction successfully. If the code doesn't match, the transaction is denied.
You can check out the image below to see how a normal SMS-based OTP system works. If you replace SMS with email, the system should still follow the flow shown in the image.
Here are some test cases for one-time password generation.
- What are the limitations of OTP generation?
- How long should the system wait for the OTP message to arrive before allowing a new OTP to be requested?
- How much network delay should be factored into OTP expiry?
- How long does the OTP stay valid once network delay is taken into account?
- Which sessions require OTP authentication?
- Does the application require an OTP for login?
- Does the application require an OTP for transactions?
- Is the code in the OTP case-sensitive?
- Is the OTP content numeric only?
- Does the OTP consist of letters only?
- Is the OTP alphanumeric?
- Does the OTP accept any other characters?
- Does the OTP expiry time match the timer shown on the website?
- Does the OTP issued by the server match the OTP received?
- If the OTP contains letters, are they all upper case?
- Does the OTP in the SMS contain mixed-case characters?
- Is the OTP all lower-case letters?
- Is the OTP SMS content case-sensitive?
- Does the case of the OTP SMS content matter when typing it into the text field?
- Is there any documentation for the OTP SMS or message?
- Is the OTP SMS or message usable for a single session only?
- Does the OTP system withstand replay attacks?
- Does the OTP system require a static password system or module?
- Is the OTP system based on random number generation?
- Are the numbers in the OTP predictable?
- Are the numbers in the OTP pseudo-random?
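Several of the cases above (unpredictable digits, expiry with network delay, single-session use, replay resistance, limits on guessing) can be exercised against a small server-side model of the flow described earlier. The following is an added example written for this post, not code from any real OTP product; the 6-digit length, 300-second validity and 3-attempt limit are assumed policy values, and `OtpService`, `run_checks` and the `txn-*` identifiers are constructed for illustration.

```python
import hmac
import secrets

OTP_DIGITS, OTP_TTL_SECONDS, MAX_ATTEMPTS = 6, 300, 3  # assumed policy, not from the post


class OtpService:
    def __init__(self, clock):
        self._clock = clock   # injectable so tests can simulate network/user delay
        self._codes = {}      # transaction_id -> [code, expires_at, failed_attempts]

    def issue(self, transaction_id: str) -> str:
        # secrets (CSPRNG) rather than random: the digits must not be predictable
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[transaction_id] = [code, self._clock() + OTP_TTL_SECONDS, 0]
        return code  # handed to the SMS/email sender in a real system

    def verify(self, transaction_id: str, submitted: str) -> str:
        """Return 'ok', 'expired', 'locked' or 'invalid'; a code is consumed on success."""
        entry = self._codes.get(transaction_id)
        if entry is None:
            return "invalid"  # nothing live: never issued, or already used (replay)
        code, expires_at, attempts = entry
        expired = self._clock() > expires_at
        if expired or attempts >= MAX_ATTEMPTS:
            del self._codes[transaction_id]  # a dead code is dropped either way
            return "expired" if expired else "locked"
        if hmac.compare_digest(code, submitted.strip()):  # constant-time compare
            del self._codes[transaction_id]  # single use: the same code fails from now on
            return "ok"
        entry[2] += 1
        return "invalid"


def run_checks() -> dict:
    """Drive the scenarios from the post: wrong guess, success, replay, expiry, lockout."""
    now = [1000.0]
    svc = OtpService(clock=lambda: now[0])
    code = svc.issue("txn-1")
    results = {"wrong_guess": svc.verify("txn-1", "x" * OTP_DIGITS), "correct": svc.verify("txn-1", code)}
    results["replay"] = svc.verify("txn-1", code)  # same code again must be refused
    code = svc.issue("txn-2")
    now[0] += OTP_TTL_SECONDS + 1  # the user (or the network) outlasted the validity window
    results["expired"] = svc.verify("txn-2", code)
    code = svc.issue("txn-3")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("txn-3", "x" * OTP_DIGITS)
    results["locked"] = svc.verify("txn-3", code)  # even the right code is refused now
    return results
```

The injected clock is what lets the expiry case be tested deterministically; a tester checking the "timer on the website" case would compare `OTP_TTL_SECONDS` against the countdown shown to the user.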
These are some of the test scenarios and cases you can try for an OTP system. Most OTP systems these days are used in e-commerce and banking applications. You may find that the cases differ based on the type of OTP module used. If you think I have missed any test scenarios or test cases, do let me know in the comments. I'd appreciate it if you share the post on social media. 🙂