For cases where the app sends MFA codes via email or SMS, we integrated with a fake SMTP server (like MailHog) or a mock SMS service in our test environment.
The tests fetch the latest message via API or inspect a DB entry to grab the OTP.
In my last project, we used MailHog’s HTTP API to pull the latest OTP from the email and inject it into the test.
It was super stable and let us test full login workflows with MFA included.