User authentication on web application is the most important business factor. Due to high security threats it is essential to prevent network sniffing and later replay. You don’t want anyone to get access of your static password and use it later. One of the most secure authentication these days is through sending OTP (One Time Password) to End Users directly. OTPs are meant to be a secret between two parties.

In this article, we will discuss scenarios to test OTP feature. Before we move ahead with the list of Test Scenarios, it is very important to understand the functioning and workflow of OTP system.

Understanding of OTP Workflow

The whole idea behind one-time password is that you can use them once and throw away. There are different types of authentications available: Hardware Tokens & On Request Tokens. These On Request Tokens can be received on Mobile Phone or through registered E-mail address. Let’s take an example of e-commerce product purchase flow for better understanding.


– User Navigates to E-commerce website.
– He adds a product to the shopping cart and check-out for the payment process.
– On Payment page, User provides Net banking or Debit/Credit Card Information.
– After submitting, System generates the OTP and send to User’s registered Mobile or E-mail Address.
– User enters the Code and if matched, system completes the transaction with success.

Now, we can apply many alternate and negative scenarios to this workflow. I have listed down all such possible scenarios. Let’s have a look.

Scenarios to Test OTP (One-Time Password)

1) OTP should be generated within time period.

2) Limitations of number of OTP generation for single authentication.

3) It is received only on registered Mobile Number / E-mail Address.

4) Network delay for expiry of One-Time Password.

5) Verify that once expired, it should not be used for any authentication.

6) Verify that once used, it should not be allowed to use again.

7) Verify that resend OTP functionality is working properly.

8) Verify that once user resent the OTP, the old one should be of no use.

9) Availability of Help and Documentation Link for OTP usage.

10) Verify for Case Sensitiveness.

11) Check for types of characters OTP supports: Only Digits, Only Alphabets, Alphanumeric.

12) How many times user can provide invalid OTP?

13) After multiple invalid try, verify that system temporarily blocks the account.

14) Verify that after temporary blocking of account, system does not send the one-time password.

15) Provide an invalid Phone Number or E-Mail address and submit the OTP. Check the validation.

16) Are the one-time password patterns are predictable?

So, these are some of the Test Scenarios for One-Time Password. Please let us know if any scenario is missing in the list. I’d appreciate if you share your experience. Don’t forget to share your feedback. Wait, are you planning to Test Login Page, Search Functionality & Payment Gateway? Click to get awesome list of Test Scenarios.


Share This Article :