In this post, we discuss test cases for OTP (one-time password). To write test cases for an OTP, we need to understand how the system works. An OTP system can deliver the code by email or by SMS to a mobile device, and the test cases differ depending on which channel you wish to test. Let's first discuss how OTP works in general.
How OTP works for Authentication

Let's assume an OTP system is implemented on an online handicraft store. A user purchases a product and proceeds to pay for it. When the user reaches the payment section, the system asks for debit card or net banking details. Once the user enters them, the OTP is triggered and an SMS message is sent from the server to the user's mobile phone. When the user enters the code into the system, it is sent to the server, where it is matched against the system entry. If it matches, the system allows the user to mark the transaction as successful. If the code doesn't match, the transaction is denied. You can check out the image below to see how a normal SMS-based OTP system works. If you replace SMS with email, the system should still work in the flow displayed in the image.
Here are some of the test cases for one-time password generation.
What are the limitations of OTP generation?
How long should the user wait for the OTP message to arrive before requesting a new OTP?
How much network delay should be considered for OTP expiry?
How long does the OTP stay valid once the network delay is added?
Which session requires OTP authentication?
Does the application require an OTP for login?
Does the application require an OTP for a transaction?
Is the OTP code case sensitive?
Is the content of the OTP numeric only?
Does the OTP contain alphabetic characters only?
Is the OTP alphanumeric?
Does the OTP accept any other characters?
Does the OTP expiry time match the timer on the website?
Does the OTP released by the server match the OTP received?
Does an OTP with character content use all capital letters?
Does the OTP in the SMS have mixed characters?
Does the OTP use all lowercase letters?
Is the OTP SMS content case sensitive?
Does the case of the OTP SMS content matter when typing it into the text field?
Is there any documentation for the OTP SMS or message?
Is the OTP SMS or message usable only for a single session?
Does the OTP system withstand replay attacks?
Does the OTP system require a static password system or module?
Is the OTP system based on random number generation?
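
Several of the checks above (expiry with a network-delay allowance, single-session use, replay, random generation) can be automated against the server-side logic. The following is an added example, not code from the original post: OtpService, its parameters (ttl, grace, tries), the result strings and run_checks are all assumptions made for illustration, and it also caps wrong guesses, which goes slightly beyond the list above.

```python
import hmac
import secrets
import time


class OtpService:
    """Toy server-side OTP store; names and defaults are assumptions."""

    def __init__(self, ttl=120, grace=10, tries=3, clock=time.monotonic):
        self.ttl, self.grace, self.tries, self.clock = ttl, grace, tries, clock
        self.pending = {}  # session id -> [code, issued_at, tries_left]

    def issue(self, session_id):
        # secrets draws from the OS CSPRNG; re-issuing replaces the old code.
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[session_id] = [code, self.clock(), self.tries]
        return code  # a real server hands this to the SMS/email gateway only

    def verify(self, session_id, submitted):
        entry = self.pending.get(session_id)
        if entry is None:
            return "no_pending_otp"  # never issued, already used, or locked
        if self.clock() - entry[1] > self.ttl + self.grace:
            del self.pending[session_id]
            return "expired"
        if hmac.compare_digest(entry[0].encode(), submitted.strip().encode()):
            del self.pending[session_id]  # single use: a replay finds nothing
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[session_id]  # cap guessing of a short code
            return "locked"
        return "mismatch"


def run_checks():
    """Replay some of the page's checks with a fake clock (constructed data)."""
    now = [0.0]
    svc = OtpService(clock=lambda: now[0])
    code = svc.issue("s1")
    out = {"other_session": svc.verify("s2", code),
           "first_use": svc.verify("s1", code),
           "replay": svc.verify("s1", code)}
    code = svc.issue("s1")
    now[0] += 131  # past ttl + grace
    out["expired"] = svc.verify("s1", code)
    code = svc.issue("s1")
    out["guesses"] = [svc.verify("s1", "xxxxxx") for _ in range(3)]
    out["after_lockout"] = svc.verify("s1", code)
    return out
```

The injected clock lets the expiry and grace-period cases run instantly instead of waiting out the real timer.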