Security for large organisations is paramount in today's online world, especially for systems that rely on users to remember passwords and passcodes to sign into all their products and services. We've found that by integrating a third-party authentication service with an organisation, once the initial integration work has been done, the organisation can benefit from many high-level security features without any additional development effort. That being said, automated testing of the integration with a third-party authentication service is where things can get tricky.

In this project Overloop provided the test automation for an integration with. The most difficult part of testing this integration was how to test the steps that the user has to perform to complete login. Unlike the more usual automated web testing, where we simulate a user clicking on links and entering data into text boxes on a web page, the steps we have to automate here are things like 'scan a QR code' and 'receive an SMS message'. Our automated tests have to impersonate these steps in order to test the whole process end-to-end.

For our use case we had to support logins by new users who would register with Auth0 from the start, but we also had to support existing users who were being migrated from the old user authentication setup to the new Auth0-based setup. To support this, here are the main MFA (multi-factor authentication) scenarios that we considered:

- A user should be able to log in to the system using the MFA service (needs user interaction to enter a one-time password)
- An existing user should be able to migrate to the MFA service (needs user interaction to verify the account, register an MFA device and enter a one-time password)
- A new user should be able to register with the MFA service (needs user interaction to reset the password, register a new MFA device and enter a one-time password)
- A user who has multiple accounts should be able to activate single sign-on for the MFA service (needs user interaction to activate SSO)
- A user should be able to reset their password (needs user interaction to reset the password)

As some of these scenarios involve running client-specific code and configuration inside Auth0, we decided to have the automated tests cover the whole user journey, including the steps through the Auth0 screens.

We have to provide a flow for users to migrate through the Auth0 service and register an MFA device to authenticate themselves. As you can see from the diagram above, there are 3 steps that need tricky user interaction to move forward with the flow:

1. The user will receive an email which contains a verification link that they need to click on.
2. The user needs to configure an MFA method:
   - They can choose to use an OTP authenticator app (this can be the Guardian application provided by Auth0 or the Google Authenticator app), or
   - they can choose to receive SMS text messages (provided by Twilio).
3. The user needs to enter the One Time Password (OTP) into Auth0 to complete the migration and login process.

The easiest way to test these methods of authentication is to register one unique user per MFA method and to automate the login process.
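The following is an added example, not code from the original post or from Overloop, showing how an automated end-to-end test can stand in for the human user in the three steps above: decoding the enrolment QR code, producing the OTP the app would show, fetching the SMS code for the "one user per MFA method" fixture, and pulling the verification link out of the email. It assumes (the page does not say) that the authenticator QR code encodes a standard otpauth:// URI, that the OTP is RFC 6238 TOTP (SHA-1, 6 digits, 30 s), and that the test has the email body as text. The `fetch_sms_code` callable, the `TEST_USERS` fixture and the sample email are constructed for illustration.

```python
"""Test-automation helpers for an MFA login journey (added example, not the
project's own code). Assumptions: otpauth:// enrolment URI, RFC 6238 TOTP,
verification email available to the test as text."""
import base64
import hashlib
import hmac
import re
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Decode the otpauth://totp/... URI carried by the enrolment QR code.

    In a real run the URI comes from decoding the QR image on the Auth0
    enrolment screen; here the caller passes it in. Missing parameters fall
    back to the RFC 6238 defaults (SHA-1, 6 digits, 30-second step).
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # base32 needs 8-char padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


def totp(secret: bytes, timestamp: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(timestamp / period)."""
    counter = struct.pack(">Q", int(timestamp) // period)
    digest = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(enrolment: dict, now=None) -> str:
    """The code the authenticator app would display right now."""
    now = time.time() if now is None else now
    return totp(enrolment["secret"], int(now), enrolment["digits"],
                enrolment["period"], enrolment["algorithm"])


# One test user per MFA method, as the post recommends (constructed fixture).
TEST_USERS = {
    "totp": {"email": "totp-user@example.invalid",
             "enrolment": "otpauth://totp/Example:totp-user%40example.invalid"
                          "?secret=JBSWY3DPEHPK3PXP&issuer=Example"},
    "sms": {"email": "sms-user@example.invalid", "phone": "+15005550006"},
}


def otp_for_user(user: dict, fetch_sms_code=None, now=None) -> str:
    """Return the OTP to type into the Auth0 prompt for a fixture user.

    For the TOTP user the code is computed from the stored enrolment; for the
    SMS user it is fetched through an injected callable (in a real run this
    would poll the Twilio API or a test inbox for the last message).
    """
    if "enrolment" in user:
        return current_code(parse_otpauth_uri(user["enrolment"]), now)
    if fetch_sms_code is None:
        raise ValueError("SMS user needs a fetch_sms_code callable")
    return fetch_sms_code(user["phone"])


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_verification_link(email_body: str):
    """First URL in the verification email, i.e. the link the user would click."""
    match = URL_RE.search(email_body)
    return match.group(0) if match else None


if __name__ == "__main__":
    enrolment = parse_otpauth_uri(TEST_USERS["totp"]["enrolment"])
    print("TOTP now:", current_code(enrolment))
    print("SMS:", otp_for_user(TEST_USERS["sms"], lambda phone: "123456"))
    print(extract_verification_link(
        'Click <a href="https://example.invalid/verify?ticket=abc123">here</a>'))
```

The `totp` function is checked against the published RFC 6238 test vectors, so a wrong code at the Auth0 prompt in a real run points at clock skew or a mis-decoded QR code rather than at the helper; keeping the TOTP secret in the test fixture is what makes the "scan a QR code" step automatable at all, so treat that fixture as a credential and keep it out of source control.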