Email Verification
// Definition
The process of confirming that a user controls the email address they registered with, typically by sending a one-time link or code that must be clicked or entered before account features are unlocked. Security test cases include: link expiry (unclicked links should expire quickly), single-use enforcement (links must be invalidated after first use), account enumeration through timing differences, and whether unverified accounts can access protected resources. Re-verification flows when a user changes their email address are also in scope.
// Related terms
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.
Token
A portable credential — typically a signed string — that a server issues and a client presents on subsequent requests to prove identity or authorisation. Tokens are stateless alternatives to server-side sessions; the server can verify them without a database lookup. Common forms: opaque bearer tokens (random strings referenced in a database), JWTs (self-contained with claims and a signature), and OAuth access tokens (short-lived grants scoped to specific resources). Key testing considerations: token expiry, revocation, scope enforcement, and transmission security (HTTPS-only, no logging).
Password Reset
The flow that lets a user regain access when their credentials are lost or compromised. Typically involves verifying identity through a registered email or phone (a reset link or OTP), then allowing the user to set a new password. Security test cases include: token expiry (links should expire quickly), token single-use enforcement (used tokens must be invalidated), account enumeration (the response should not reveal whether an email is registered), brute-force protection on OTP entry, and ensuring reset tokens cannot be reused across accounts.
Multi-Factor Authentication (MFA)
An authentication mechanism that requires at least two independent verification factors: something you know (password), something you have (TOTP app, hardware key), or something you are (biometric). MFA dramatically reduces the risk of credential-stuffing and phishing attacks. QA considerations include: testing fallback flows when a second factor is unavailable, recovery code handling, bypass scenarios via account recovery that skips MFA, and verifying MFA is checked on every protected action — not just at initial login.
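The token lifecycle described under Email Verification above and under Password Reset in the related terms share the same checks (short expiry, single use, no enumeration through the response, binding to one account, gating of protected resources until verified, re-verification on address change). The following is an added Python example written for this page, not code from the page or any product it describes. Its in-memory dicts stand in for a database, the `outbox` list stands in for mail delivery, the 15-minute TTL is a hypothetical policy value, and the SHA-256 of the password is only a placeholder for a proper slow password hash; the clock is injectable so expiry can be exercised in a test.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values chosen for this example.
TOKEN_TTL_SECONDS = 15 * 60
UNIFORM_REPLY = "If that address is registered, a message has been sent."


@dataclass
class Account:
    email: str
    password_hash: str   # placeholder: a real system uses a slow KDF, not SHA-256
    verified: bool = False


@dataclass
class PendingToken:
    email: str           # the one account this token was issued for
    purpose: str         # "verify_email" or "password_reset"
    expires_at: float
    used: bool = False


def _digest(value: str) -> str:
    # Only a digest of the token is stored; the raw token lives only in the
    # emailed link, so a leaked table does not hand out live links.
    return hashlib.sha256(value.encode()).hexdigest()


class VerificationService:
    """Issue and consume one-time tokens for verification and reset flows."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, PendingToken] = {}    # digest -> record
        self.outbox: list[tuple[str, str]] = []      # (address, raw token)

    def register(self, email: str, password: str) -> None:
        self.accounts[email] = Account(email, _digest(password))
        self._issue(email, "verify_email")

    def _issue(self, email: str, purpose: str) -> None:
        raw = secrets.token_urlsafe(32)
        expires = self.clock() + TOKEN_TTL_SECONDS
        self.tokens[_digest(raw)] = PendingToken(email, purpose, expires)
        self.outbox.append((email, raw))

    def request_password_reset(self, email: str) -> str:
        # Same reply and equivalent work whether or not the address exists,
        # so neither the body nor the timing reveals registered addresses.
        if email in self.accounts:
            self._issue(email, "password_reset")
        else:
            _digest(secrets.token_urlsafe(32))    # decoy work, nothing stored
        return UNIFORM_REPLY

    def _consume(self, raw: str, purpose: str, email: str) -> bool:
        rec = self.tokens.get(_digest(raw))
        if rec is None or rec.used or rec.purpose != purpose:
            return False
        if rec.email != email:                    # bound to one account only
            return False
        if self.clock() > rec.expires_at:         # expiry
            return False
        rec.used = True                           # single use
        return True

    def verify_email(self, email: str, raw: str) -> bool:
        if not self._consume(raw, "verify_email", email):
            return False
        self.accounts[email].verified = True
        return True

    def reset_password(self, email: str, raw: str, new_password: str) -> bool:
        if not self._consume(raw, "password_reset", email):
            return False
        self.accounts[email].password_hash = _digest(new_password)
        return True

    def change_email(self, old_email: str, new_email: str) -> None:
        # A changed address drops verified status until the new one is confirmed.
        acct = self.accounts.pop(old_email)
        acct.email = new_email
        acct.verified = False
        self.accounts[new_email] = acct
        self._issue(new_email, "verify_email")

    def protected_resource(self, email: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or not acct.verified:
            raise PermissionError("email address not verified")
        return "protected data"


if __name__ == "__main__":
    svc = VerificationService()
    svc.register("alice@example.test", "initial-password")
    _, link_token = svc.outbox[-1]
    print("first use:", svc.verify_email("alice@example.test", link_token))
    print("second use:", svc.verify_email("alice@example.test", link_token))
```

Each test case from the definitions maps to one branch of `_consume` or to `request_password_reset`: running the same token twice exercises single use, advancing the injected clock past the TTL exercises expiry, and presenting one account's token against another account exercises cross-account binding.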