There is a major drift happening in the way a user or an application is authenticated. The traditional password system is a thing of the past after the introduction of biometrics. Gartner predicted up to 70 percent of organizations using biometric authentication will implement through smartphone applications by 2022.

Using biometrics create a secure environment and is raising as an intelligent alternative to the traditional password system. Inline with biometrics, authentication through QR code and OTP based in two-factor authentication (2FA) also provide robust security.

The priority of a secure system is to ensure that only authorized users have access to the system. The system needs to let legitimate users in while keeping unauthorized users out. Testing the authentication accomplishes this goal.

Testing authentication mechanisms is a straight-forward approach most of the time. With the manual approach, it is tedious to reproduce the steps and validate the authentication by matching the actual and the expected. With increased test coverage and considering the time factor, automation becomes a necessity rather than an option. Starting with automation, this is still an area worth exploring how we can simulate such scenarios and extract the details from it.

Here in this blog, we present the approaches we have taken for automating the QR code through biometric authentication and voice-over OTP. Our automation predominantly uses the following Tools and Technologies.

• API Automation (Using Rest Assured)
• UI Automation (Using Selenium)
• Mobile Automation (Using Appium and Android Debug Bridge (ADB))

Here is a scenario to login an application, where the authentication by the users can be from any channel or any device. There are also use cases to login through varied forms – QR code, OTP, 2FA (Voice). Below are the diagrammatic description of two such use cases:

QR Code Scanning: User gets a QR code in browser → QR code is scanned through mobile app → authenticate using fingerprint → user is authenticated

Voice OTP extraction: User gets a voice call and OTP is spelled out → OTP is entered in the web → User is authenticated

Both the above mentioned login use cases can be automatically tested through any of the below mentioned approaches.

Mocks / Stubs are one way of automating the process. Stubs are nothing but the ready sample piece of code (for generating the OTP, QR code), which we can plug into our test automation and validate the respective authentication APIs. This can be treated as a sort of workaround rather than proper automation, as it does not reflect the actual business flow.

Using Stubs for test automation is a great way to get started in the initial development phase, where the actual components are not integrated / not ready for testing. Stubs avoid the time dependency with the development team and enable the testers to progress with the automation.

While Stubs are useful in the beginning, but not recommended for a finished product or in a regression perspective for the following reasons:

1. Stubs are still dummy representations and do mean the actual scenario
2. The test data generated from stubs form a narrow set where there is a good chance of missing the negative/border cases
3. Updating the stub is often missed – New features / Extensions to the existing component are not implemented in the stubs
4. Failure of the test suites due to stub failures
5. Maintenance of the stubs 

An end to end test automation approach can be practiced for both the use cases and are explained in detail as below:

Use case 1: QR Code Scanning – Automation process:

Fingerprint Authentication step is handled by the login using Pin approach. This way the dependency to manually authenticate using fingerprint sensor in the device is eliminated. Rather, the mobile device settings is updated with a PIN and the login is enabled with device ID and PIN.

So after the QR code scan happens, the browser waits for the fingerprint authentication from the device. Instead of manual fingerprint authentication, we authenticate with the mobile device ID and PIN.

Use case 2: Voice OTP extraction – Automation Process:

End to end automation is achieved by

1. Installing Auto Answer and Callback App in the device
   • Install Call Recorder by magdelphi
     https://play.google.com/store/apps/details?id=mag.com.tel.autoanswer&hl=en
   • Give permission for all
   • Under menu → All calls →Select Answer checkbox and change the delay connection to 3 sec → Save
2. Installing the Call Recording App in the device
   • Install Call Recorder by Boldbeast software Inc
     https://play.google.com/store/apps/details?id=com.boldbeast.recorder&hl=en
   • Grant all permissions, Allow display over other apps, Agree to the disclaimer
   • Change the record format to wav under Call Settings
   • Enable auto record calls under Call settings
3. Call ADB (Android Debug Bridge) to transfer the recorded file (.wav file) from device SD card to current directory
4. Converting the recorded call to text (Using Google text to Speech API) (Figure 1)
5. Extracting the OTP from the text through Regex (Figure 2) & complete voice OTP method (Figure 3)

Figure 1: Google speech recognition (Speech.py)

Figure 2: OTP Extraction Using Regex

New techniques adopted in the authentication field throw a new set of challenges to automate the test. Test Automation needs to grow along with the development activity and be able to deliver a timely and reliable pulse of the build. How we go about choosing the right approach based on the timely needs, constitute a fair percentage in the overall success of test automation. As the development activity for a project evolves and gets stable over time, so is the testing activity, that also needs to change with time and embrace additional features successfully.