What is 2FA?
2FA stands for two-factor authentication and means you are using two of the three standard authentication factors (a password or similar, an authentication token or app, or a fingerprint, face or other biometric). This provides more secure access to your account.
Amongst others, Google and Microsoft provide authentication apps that enable 2FA access to their users' accounts.
You link your user account to an authenticator app, which then provides a way of logging into your account, usually without a password, by entering a code, tapping an on-screen Approve button, or a similar method.
Implementing Authentication Apps
An app or website provider needs to update the way their product handles the login and authentication process in order to add the option of 2FA via Authentication Apps.
Adding Authentication Apps to an existing app or website is often a significant undertaking, as it adds a whole extra layer of possible use cases, interactions, outcomes and issues.
Testing Authentication Apps
Testing has to cover the new workflow – setting up and using the Authentication App to access user accounts – as well as all the existing workflows that may be in use, such as logging in with an email and password, using a social login such as Facebook, and any other login methods.
Testing has to establish that the new and existing workflows are correctly implemented, so that users can access their accounts via whichever method they choose.
In addition to this basic functional testing, there are many possible use cases and user scenarios which have to be considered and possibly included in the testing. Some of these are:
- what happens if a user sets up the authentication app on their current smartphone but then buys a new phone and wants to use that new phone instead?
- what if the user no longer wants to use an authentication app and wants to return to their old way of accessing their account?
- what if a user wants to use two or more different devices to access their account?
- what if the user's device is stolen or mislaid?
Error testing also has to be factored into the above, to ensure that errors in each of the workflows are handled properly.
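The scenarios above map directly onto the account-side state a tester has to exercise. The following is an added example, not code from the original article: a minimal RFC 6238 TOTP verifier (the code-based scheme most authenticator apps use) with an `Account` model that supports several enrolled devices, removal of a lost or replaced device, disabling 2FA, a one-step clock-drift window and a replay guard. The device names and the second device secret are constructed for illustration; the first secret is the RFC 6238 test-vector key.

```python
import hmac
import hashlib
import struct

STEP = 30  # TOTP time step in seconds (the usual authenticator-app default)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the time step is the HOTP counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """One user account with zero or more enrolled authenticator devices."""

    def __init__(self) -> None:
        self.devices = {}       # device name -> shared secret
        self.last_step = {}     # device name -> last accepted time step (replay guard)

    def enroll(self, name: str, secret: bytes) -> None:
        self.devices[name] = secret          # scenario: a second or replacement device

    def remove(self, name: str) -> None:
        self.devices.pop(name, None)         # scenario: device stolen, mislaid or replaced
        self.last_step.pop(name, None)

    def two_factor_required(self) -> bool:
        return bool(self.devices)            # scenario: user returns to password-only login

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        """Accept a code from any enrolled device, tolerating `window` steps of clock
        drift, and reject a code for a time step that device has already used."""
        for name, secret in self.devices.items():
            for drift in range(-window, window + 1):
                t = now + drift * STEP
                if hmac.compare_digest(totp(secret, t), code):
                    if self.last_step.get(name, -1) >= t // STEP:
                        return False         # replayed code: same step accepted before
                    self.last_step[name] = t // STEP
                    return True
        return False
```

A test suite for the workflows in the article would walk an `Account` through enrol, verify, replay, drift, remove and disable, checking at each step which login methods the account still accepts.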