While MFA is essential for security, it often complicates the testing process.
Do you disable it in your development environment, or have you found smart ways to handle MFA testing, like managing SMS, email, or TOTP codes during automation?
I’m looking for practical tools, strategies, or workarounds that let you test securely without making the process painful.
What’s worked best for you?
In my team, we use a feature flag or environment-based switch to completely bypass MFA for automated testing.
For example, in development or CI, if the flag is set, the backend just short-circuits the MFA check. This allows the test to simulate the login flow without actually triggering TOTP/SMS/email.
Of course, this is only enabled in staging or test environments, never in production.
It keeps tests fast and reliable without compromising security where it matters.
We had a case where we needed to test MFA itself (e.g., verifying the TOTP flow).
What worked well was assigning a static TOTP secret to our test users and using a Node library like otplib to generate the current token during tests.
// otplib's authenticator implements RFC 6238 TOTP (30-second step, 6 digits by default)
import { authenticator } from 'otplib';
// The same base32 secret is seeded on the test user; it must never be a real user's secret
const token = authenticator.generate('YOUR_STATIC_SECRET');
// Cypress: type the code that is valid right now into the MFA field
cy.get('input[name="mfa"]').type(token);
This lets us test the full TOTP validation logic during end-to-end tests without relying on real-time SMS or email.
For cases where the app sends MFA codes via email or SMS, we integrated with a fake SMTP server (like MailHog) or a mock SMS service in our test environment.
The tests fetch the latest message via API or inspect a DB entry to grab the OTP.
In my last project, we used MailHog’s HTTP API to pull the latest OTP from the email and inject it into the test.
It was super stable and let us test full login workflows with MFA included.