We had a case where we needed to test MFA itself (e.g., verifying the TOTP flow).
What worked well was assigning a static TOTP secret to our test users and using a Node library like otplib to generate the current token during tests.
import { authenticator } from 'otplib';
const token = authenticator.generate('YOUR_STATIC_SECRET');
cy.get('input[name="mfa"]').type(token);
This lets us test the full TOTP validation logic during end-to-end tests without relying on real-time SMS or email.