2FA Security Test Cases & Explanations

1️⃣ Check Weak OTPs (000000 - 123456)
- Try common predictable OTPs like 000000, 123456, 111111.
- ❌ If accepted, it's a weak implementation.
- ✅ Should reject these unless correct.

2️⃣ Check null or Empty OTP
- 🧪 Send an empty or null OTP in the API.
- 💥 Some systems mishandle nulls and skip validation.
- ✅ Should return an error, not allow access.

3️⃣ Reuse Previous OTP
- ⚠️ OTP should be one-time only.
- Try resending a previously used valid OTP.
- ❌ If login succeeds again → vulnerability!

4️⃣ Reuse OTP from Another Account
- OTP must be tied to a specific user.
- 🧪 Use OTP from Account A to log into Account B.
- ❌ If it works, the system doesn't bind OTPs correctly.
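Added example (not from the original post): a small Python OTP verifier that passes all four checks above, next to a deliberately naive one that fails checks 3 and 4, plus a `run_checklist` helper that runs the four test cases against either. Names (`OtpService`, `NaiveOtpService`, `run_checklist`), the 6-digit code format, the 5-minute TTL and the 5-attempt cap are assumptions made for the example, not a real product's API.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 5        # assumed cap on guesses per issued code
COMMON_GUESSES = ["000000", "123456", "111111"]  # the weak OTPs from test case 1


@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    used: bool = False
    attempts: int = 0


class OtpService:
    """Hardened verifier: OTP is bound to the user, single-use, expiring, rate-limited."""

    def __init__(self, now=time.time):
        self._now = now
        self._store: dict[str, IssuedOtp] = {}  # keyed by user_id: one live OTP per user

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, so 000000 is no likelier than any other
        self._store[user_id] = IssuedOtp(code, self._now())
        return code

    def verify(self, user_id: str, submitted) -> bool:
        # Test 2: reject None / "" / malformed input before touching any state
        if not isinstance(submitted, str) or len(submitted) != 6 or not submitted.isdigit():
            return False
        # Test 4: look the OTP up by the authenticating user, never by the code value
        rec = self._store.get(user_id)
        if rec is None or rec.used:          # Test 3: a consumed code never verifies again
            return False
        if self._now() - rec.issued_at > OTP_TTL_SECONDS:
            return False
        rec.attempts += 1                    # count the attempt even if the guess is wrong
        if rec.attempts > MAX_ATTEMPTS:
            return False
        # Test 1: a common guess only passes if it really is the issued code;
        # constant-time compare so the comparison leaks nothing via timing
        if not hmac.compare_digest(rec.code, submitted):
            return False
        rec.used = True                      # consume on success
        return True


class NaiveOtpService:
    """Constructed weak verifier for contrast: global lookup by code, never consumed,
    not tied to a user. This is the pattern test cases 3 and 4 are designed to catch."""

    def __init__(self):
        self._valid_codes: set[str] = set()

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._valid_codes.add(code)
        return code

    def verify(self, user_id: str, submitted) -> bool:
        return submitted in self._valid_codes


def run_checklist(service) -> dict:
    """Run the four test cases from the post against a verifier; True means the check passed."""
    results = {}
    # 1: weak / predictable OTPs (skip a guess if it happens to be the real code)
    code_a = service.issue("alice")
    results["rejects_weak"] = all(
        not service.verify("alice", g) for g in COMMON_GUESSES if g != code_a
    )
    # 2: null, empty and malformed OTP
    results["rejects_empty"] = not any(service.verify("alice", bad) for bad in (None, "", "12345"))
    # 3: replaying a previously used valid OTP
    first = service.verify("alice", code_a)
    results["rejects_reuse"] = first and not service.verify("alice", code_a)
    # 4: using Bob's OTP to log in as Alice
    code_b = service.issue("bob")
    service.issue("alice")  # Alice gets a fresh code of her own
    results["rejects_cross_account"] = not service.verify("alice", code_b) and service.verify("bob", code_b)
    return results


if __name__ == "__main__":
    print("hardened:", run_checklist(OtpService()))
    print("naive:   ", run_checklist(NaiveOtpService()))
```

The hardened service returns True for all four keys; the naive one fails `rejects_reuse` and `rejects_cross_account` because it keys validity on the code alone and never consumes it. Note that the naive service still "passes" the null and weak-OTP checks, which is why those two tests alone do not prove an OTP flow is sound.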