QA/Multi-Factor Authentication for Firefox Accounts
Overview
Purpose
The purpose of this wiki page is to serve as a general test plan for verifying that Firefox Accounts support Multi-Factor Authentication.
Ownership
Developer contact: [vbudhram]
QA: [sorina]
Overall Status
[LANDED for MOZILLA users]
Testing Summary
Scope of testing
Testing will focus on:
- verifying that users can enroll a TOTP device or app
- verifying that backup codes are available to store in case an MFA device is lost
- verifying that, after sign-in, users with an active TOTP enrollment are prompted to enter a TOTP code to complete the login flow
Environments
Testing will be performed on the following:
- Android
- Windows 10
- iOS
Specifications
- The MFA settings are visible to users who specify a feature-flag in the URL
- Each backup code can only be used once
- Users with a TOTP enrollment cannot use an email confirmation loop to bypass entering the TOTP code
- Users can visit the MFA settings page to remove an existing TOTP enrollment, but only if their login session is MFA-verified
User stories
- As a user, I want to enroll a TOTP device or app
- As a user, I want to receive an email when TOTP is enabled
- As a user, I want to receive an email when TOTP is disabled
- As a user, I want to receive an email when a new device signs in with TOTP
- As a user, I want to receive an email when new recovery codes are generated
- As a user, I want to receive an email when a recovery code is used for login
- As a user, I want to receive an email informing me that I am running low on recovery codes
- As a user, I want to download, copy, or print recovery codes
- As a user, I want to disable TOTP
Testing details
Test Cases
Testing days
Date: 2018-03-12
- Created Test Plan
Date: 2018-03-14
- Updated Test Plan and started the Test Cases doc
Date: 2018-04-16
- Exploratory testing with Android and Windows 10
- New Issues:
  - Verification email not received when log in with an account with TOTP enabled #6070
  - Recovery codes.txt name #6071
  - TOTP: Replace messages for download, copy, generate new recovery codes, 2FA enabled with snack-bar #6072
  - TOTP: Wrong email name when disabling 2FA #6073
Date: 2018-04-20
- Exploratory testing on Train 110
- New issue: #6095 - Update Enter recovery code field
Date: 2018-05-04
- Ran Test cases suite and exploratory testing on stage server - Train 111
- Verified:
  - #6100 fix(css): Update recovery code placeholder text, and recovery code css size
  - #6095 Update Enter recovery code field
  - #6073 TOTP: Wrong email name when disabling 2FA
  - #6056 TOTP: Can't disable 2FA if I used a recovery code to sign in
Date: 2018-05-17
- Ran Test cases suite and exploratory testing on stage server - Train 112
- Test report: https://testrail.stage.mozaws.net/index.php?/reports/view/940
- Verified issue: #2409 Notify user of low recovery codes
Bug Work
- https://github.com/mozilla/fxa-auth-db-mysql/issues/301
- https://github.com/mozilla/fxa-auth-server/issues/2295
Signoff
Criteria
- All test cases should be executed
- All blockers and criticals must be fixed and verified, or have an agreed-upon timeline for being fixed