Most software products today use email verification and multi-factor authentication (MFA) to secure user accounts. This often ends up being a specific pain point for test automation.

Signup and login are critical failure points for any web application. Because they rely on third parties or shared states, authentication flows are hard to test with automated scripts. Some third parties also block browser automation. We've heard many stories of logins and signup flow breaking silently, and nobody noticing until analytics show a drop in user engagement.

At Heal, we believe that end-to-end tests should be as close as possible to the real user experience. In other words, they should replicate what a manual QA tester would do, including verifying emails and entering OTPs.

In this article we'll look at 4 strategies to test applications that use email verification and MFA. We'll give code samples in Playwright, but the same principles apply to other testing frameworks like Cypress or Selenium.

There's actually two distinct scenarios here: do you want to find a way to test features behind email verification or MFA? Or do you want to specfically test email verification and MFA? In the former, having some kind of bypass is advisable (option 1 and 2). In the latter, finding ways to actually automate the email verification and MFA is needed (option 3 and 4).