6. TESTING, VALIDATION AND RESULTS

INTRODUCTION:

A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. An OTP is more secure than a static password, especially a user-created password, which can be weak and/or reused across multiple accounts. OTPs may replace authentication login information or may be used in addition to it to add another layer of security. OTP security tokens are microprocessor-based smart cards or pocket-size key fobs that produce a numeric or alphanumeric code to authenticate access to the system or transaction. This secret code changes every 30 or 60 seconds, depending on how the token is configured. Mobile device apps, such as Google Authenticator, generate the one-time password on the phone from a secret shared with the server (the app itself may be protected by a PIN) for two-step verification. OTP security tokens can be implemented in hardware, in software, or on demand. Unlike traditional passwords that remain static or expire every 30 to 60 days, the one-time password is used for one transaction or login session. OTPs are used in government and corporate organizations, airports, railway stations and banks. Auto-identification means automatic identification of entities. There are various methods for auto-identification, among them barcode systems, optical character recognition, biometrics, smart cards and RFIDs. Nowadays OTP technology is widely used for online banking, online shopping, verifying a person while creating mail accounts, etc.

A one-time password (OTP) is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small key ring fob device with the OTP calculator built into it, or a smartcard or specific cell phone) as well as something a person knows (such as a PIN). A major advantage is that a user who uses the same (or a similar) password for multiple systems is not made vulnerable on all of them if the password for one of these is obtained by an attacker. A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, thus reducing the attack surface further. OTPs have been discussed as a possible replacement for, as well as an enhancer to, traditional passwords. On the downside, OTPs are difficult for human beings to memorize. Therefore, they require addition

TESTING AND VALIDATION METHODOLOGY

1. SMS-based: In this method, every time the user logs in, they receive a text message at their registered phone number which contains a One Time Password.

2. TOTP-based: In this method, while enabling 2-factor authentication, the user is asked to scan a QR image using a specific smartphone application. That application then continuously generates the One Time Password for the user. The working of SMS-based OTPs is known to all, so only the TOTP-based method is described here.

Working of TOTP-based method

By using the TOTP method, we are creating a one-time password on the user side (instead of the server side) through a smartphone application. This means that users always have access to their one-time password, so the server does not need to send a text message every time the user tries to log in. Also, the generated password changes after a certain time interval, so it behaves like a one-time password. The following could be a way to implement this solution. When the user enables two-factor authentication:

1. The backend server creates a secret key for that particular user.
2. The server then shares that secret key with the user's phone application (this is what the QR image carries).
3. The phone application initializes a counter.
4. The phone application generates a one-time password using that secret key and counter.
5. The phone application changes the counter after a certain interval and regenerates the one-time password, making it dynamic. In TOTP (RFC 6238) the counter is not incremented but derived from the clock, as floor((current Unix time - T0) / time step) with a 30-second step by default, so the server can compute the same counter without exchanging any state with the phone.

The problems of generating a one-time password from a secret key and counter, updating the counter, keeping track of the counter, etc. can all be addressed using the HOTP algorithm.

HOTP: HOTP stands for "HMAC-Based One-Time Password". This algorithm was published as RFC 4226 by the Internet Engineering Task Force (IETF). HOTP defines an algorithm to create a one-time password from a secret key and a counter. You can use this algorithm in two steps:

1. The first step is to create an HMAC hash from the secret key and counter:

    // Obtain the HMAC hash (using the SHA-1 hashing algorithm) of the counter under secretKey.
    // The counter is encoded as an 8-byte big-endian value before it is hashed.
    hmacHash = HMAC-SHA-1(secretKey, counter);

2. The output of this step is a 20-byte-long string. That long string is not suitable as a one-time password, so we need a way to truncate it. HOTP defines a way ("dynamic truncation") to reduce that string to our desired length:

    // hmacHash[19] is the last (20th) byte of the 20-byte string.
    offset = hmacHash[19] & 0x0f;
    truncatedHash = (hmacHash[offset]     & 0x7f) << 24
                  | (hmacHash[offset + 1] & 0xff) << 16
                  | (hmacHash[offset + 2] & 0xff) << 8
                  | (hmacHash[offset + 3] & 0xff);
    finalOTP = truncatedHash % pow(10, numberOfDigitsRequiredInOTP);   // pow(), not ^ (which is XOR in C-like languages)

It might look scary, but it is not. In this algorithm, we first obtain offset, which is the last 4 bits of hmacHash[19] (a value from 0 to 15, so offset + 3 never runs past byte 18). After that, we concatenate the bytes from hmacHash[offset] to hmacHash[offset + 3] and keep the low 31 bits in truncatedHash (the 0x7f mask drops the top bit so the value is a non-negative 32-bit integer on every platform). Finally, using a simple modulo operation, we obtain a one-time password of a reasonable length; if the result has fewer digits than required it is padded with leading zeros. This pretty much defines the HOTP algorithm. RFC 4226 explains why this is a secure way to obtain a one-time password from these two values.

DESIGN AND TEST CASE SCENARIOS

1. Functional Requirements:

OTP Generation: Utilize a secure algorithm to generate a 6-digit OTP.

Email Integration: Use SMTP to send OTPs securely to users' registered email addresses.
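The HOTP computation described above, together with its time-based variant, written out as a runnable example. This is an added illustration and not code from the report: it follows RFC 4226 and RFC 6238 and is checked against the test vectors published in those RFCs (the 20-byte ASCII key 12345678901234567890). The names hotp, totp, verify_totp, provisioning_uri and RFC_TEST_SECRET, the one-step acceptance window and the replay check via last_counter are choices made here, not part of the report.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed test key: the ASCII seed used by the RFC 4226 / RFC 6238 (SHA-1) test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation: the low 4 bits of the LAST byte select a 4-byte window.
    # mac[-1] rather than mac[19] keeps this correct for SHA-256/SHA-512 (RFC 6238).
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24     # top bit masked: 31-bit non-negative value
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    # Modulo 10^digits, then left-pad: leading zeros are part of the code.
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1, t0=0):
    """RFC 6238 TOTP: HOTP with counter = floor((time - T0) / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int((for_time - t0) // step), digits, digestmod)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check. Returns the matched counter (persist it!) or None.

    Accepts the current step plus `window` steps either side to absorb clock drift,
    refuses any counter at or below `last_counter` so an observed code cannot be
    replayed inside the window, and compares in constant time.
    """
    if for_time is None:
        for_time = time.time()
    now_counter = int(for_time // step)
    for c in range(now_counter - window, now_counter + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """Key URI encoded into the enrolment QR image (secret is base32, unpadded)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    for counter in range(3):
        print("HOTP counter", counter, "->", hotp(RFC_TEST_SECRET, counter))
    print("TOTP at t=59 (8 digits) ->", totp(RFC_TEST_SECRET, for_time=59, digits=8))
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "Example"))
```

The returned counter from verify_totp is the piece most implementations forget: without storing it, a code sniffed during its 30-second life (or within the drift window) is accepted a second time. Enrolment secrets should come from a CSPRNG (secrets.token_bytes(20)); the RFC seed is used here only because it makes the output checkable.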
User Interface: Design a user-friendly interface for OTP entry and verification.

Error Handling: Implement robust error handling for invalid OTP entries and delivery failures.

2. Non-Functional Requirements:

Security: Encrypt OTPs during transmission and protect them in storage to prevent unauthorized access.

Performance: Ensure the system can handle multiple OTP requests simultaneously without latency issues.

Scalability: Design the system to scale efficiently with an increasing user base and OTP requests.

3. Components:

OTP Generator Module: Responsible for generating unique OTPs.

Email Sender Module: Integrates with SMTP to send OTPs to users.

User Interface Module: Provides a user-friendly interface for OTP entry and verification.

Database (optional): Stores OTPs and user information securely.

Test Scenario for OTP Verification System:

User Registration and OTP Request:

Action: User registers with their email address.

Expected Behavior: System generates and sends an OTP to the registered email address.

Validation: Verify the OTP is received correctly by the user.

OTP Verification Process:

Action: User enters the received OTP into the system.

Expected Behavior: System validates the OTP entered by the user.

Validation: Confirm the OTP validation status (success or failure).

Error Handling:

Action: User enters an incorrect OTP multiple times.

Expected Behavior: System displays appropriate error messages and limits the number of attempts.

Validation: Check that the system locks the account after reaching the maximum number of attempts.

Security and Encryption:

Action: Monitor OTP transmission.

Expected Behavior: OTPs are encrypted during transmission and are not exposed to potential attackers.

Validation: Ensure OTPs cannot be intercepted or decoded in transit (the SMTP session must use TLS, and a packet capture of the session must show no clear-text OTP).

Performance and Scalability:

Action: Simulate multiple users requesting OTPs simultaneously.

Expected Behavior: System handles concurrent OTP requests efficiently without significant delay.
Validation: Measure response times and system performance under varying loads.

Testing Approach:

Unit Testing: Test each module (OTP generator, email sender, UI) independently to verify functionality and integration.

Integration Testing: Validate interactions between modules (e.g., OTP generation triggering email sending).

System Testing: Conduct end-to-end tests to simulate user interactions and verify overall system behavior.

Security Testing: Perform penetration testing to identify vulnerabilities in OTP generation, transmission, and storage.

Performance Testing: Measure response times and scalability under load to ensure the system meets performance requirements.

VALIDATION

OTP Generation Validation:

Objective: Ensure OTPs are generated correctly and securely.

Validation Criteria:

OTPs should be of the correct length (typically 6 digits, with leading zeros preserved).

OTPs should be unique for each request.

Use a cryptographically secure random number generator (not a general-purpose PRNG seeded from the clock) to ensure OTP randomness and unpredictability.

Email Delivery Validation:

Objective: Confirm OTPs are sent securely to users' registered email addresses.

Validation Criteria:

OTPs should be sent promptly upon request.

Verify OTP delivery to the correct email address.

Use secure protocols (e.g., SMTP with TLS) to protect OTPs during transmission.

OTP Entry and Verification:

Objective: Ensure users can enter OTPs correctly and verify them for authentication.

Validation Criteria:

The user interface should clearly prompt users to enter the OTP received via email.

Validate that the system correctly verifies the OTP entered by the user against the expected OTP.

Implement error handling for incorrect OTP entries and for expiration of OTP validity.

Error Handling Validation:

Objective: Verify the system's response to errors during OTP generation, delivery, and verification.

Validation Criteria:

Test scenarios where OTP generation fails due to system issues or lack of resources.

Simulate network issues or SMTP server unavailability during OTP delivery.

Validate how the system handles incorrect OTP entries and reaching the maximum attempt limit.

Security Validation:
Objective: Ensure OTPs and user data are secure throughout the authentication process.

Validation Criteria:

Implement encryption for OTPs during transmission (e.g., using TLS for SMTP).

Validate secure storage practices if OTPs need to be stored temporarily (e.g., store only a salted hash of the code together with its expiry time, never the clear-text code).

Perform security audits and penetration testing to identify and mitigate vulnerabilities.

Performance Validation:

Objective: Assess the system's performance under normal and peak loads.

Validation Criteria:

Measure response times for OTP generation, email delivery, and OTP verification.

Test system scalability by simulating multiple concurrent users requesting OTPs.

Monitor resource usage (CPU, memory) during peak loads to ensure scalability.

Compliance and Regulation Validation:

Objective: Ensure the OTP verification system complies with relevant data protection regulations (e.g., GDPR).

Validation Criteria:

Verify that user data handling aligns with regulatory requirements for data security and privacy.

Document data handling practices and ensure transparency in user consent and data access.
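The generation, storage, expiry and attempt-limit criteria above (6-digit code from a cryptographically secure generator, salted hashed storage, lockout after the maximum number of attempts, expiry of OTP validity, single use) brought together in one runnable example for the emailed-OTP design. This is added code, not the report's implementation: the OtpStore class and its status strings, the 300-second TTL, the five-attempt limit and the constructed server key are assumptions made for the illustration. Sending the code over SMTP with TLS is outside the block; issue() returns the clear code only so the caller can pass it to the mail sender.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300     # assumption: an emailed code should die quickly, 5 minutes here
MAX_ATTEMPTS = 5          # assumption: online guessing budget per issued code


def generate_otp(digits=OTP_DIGITS):
    """Uniformly random code from the OS CSPRNG, zero-padded so '004217' keeps its length."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpStore:
    """Pending-OTP store keyed by user id.

    Only a keyed, salted hash of the code is kept: a 6-digit space (10^6 values) is
    too small for a plain salted hash to resist offline guessing from a dumped table,
    so the hash is keyed with a server-side secret that lives outside the database.
    The clear code exists only on its way to the mail/SMS sender.
    """

    def __init__(self, server_key):
        self._key = server_key        # assumption: loaded from a secrets manager in production
        self._pending = {}            # user_id -> {salt, digest, expires_at, attempts}

    def _digest(self, salt, code):
        return hmac.new(self._key, salt + code.encode(), hashlib.sha256).digest()

    def issue(self, user_id, now=None):
        """Create and record a fresh code; any earlier pending code for the user is replaced.
        Callers must rate-limit this, or an attacker resets the attempt counter by re-requesting."""
        now = time.time() if now is None else now
        code = generate_otp()
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # hand to the email/SMS sender; never logged or stored in clear

    def verify(self, user_id, submitted, now=None):
        """Return 'ok', 'no_otp', 'expired', 'locked' or 'mismatch'."""
        now = time.time() if now is None else now
        rec = self._pending.get(user_id)
        if rec is None:
            return "no_otp"
        if now > rec["expires_at"]:
            del self._pending[user_id]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        rec["attempts"] += 1
        # compare_digest has no early exit, so timing does not reveal how many digits matched
        if hmac.compare_digest(self._digest(rec["salt"], submitted), rec["digest"]):
            del self._pending[user_id]       # single use: a replayed code gets 'no_otp'
            return "ok"
        if rec["attempts"] >= MAX_ATTEMPTS:
            return "locked"                  # the caller should also alert and lock the account
        return "mismatch"


if __name__ == "__main__":
    store = OtpStore(secrets.token_bytes(32))
    code = store.issue("alice")
    print("issued", code, "-> wrong guess:", store.verify("alice", "000000"))
    print("correct:", store.verify("alice", code), "| replay:", store.verify("alice", code))
```

The return value of verify is deliberately a status rather than a boolean so the UI can show the distinct "expired" and "locked" messages the error-handling scenario asks for, while the attempt counter is charged on every comparison, including those against an already-consumed code.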
