Multi-Factor Authentication (MFA)
// Definition
An authentication mechanism that requires at least two independent verification factors: something you know (password), something you have (TOTP app, hardware key), or something you are (biometric). MFA dramatically reduces the risk of credential-stuffing and phishing attacks. QA considerations include: testing fallback flows when a second factor is unavailable, recovery code handling, bypass scenarios via account recovery that skips MFA, and verifying MFA is checked on every protected action — not just at initial login.
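The following is an added example, not code from the original glossary, showing the checks a QA or security engineer would exercise against an MFA implementation: a TOTP verifier (RFC 4226 HOTP under RFC 6238 time steps), a replay guard so an already-accepted code cannot be submitted again, single-use recovery codes as the fallback factor, and a freshness gate that every protected action (not just login) must pass. The `MfaState` class, its method names and the 300-second step-up window are assumptions chosen for illustration; the secret `12345678901234567890` is the published RFC test key, used here only because its expected codes are known.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, at // step)


class MfaState:
    """Per-user second-factor state (hypothetical structure for this example): the shared
    TOTP secret, hashed single-use recovery codes, the last accepted TOTP counter (replay
    guard) and the time MFA last succeeded (used by the per-action freshness gate)."""

    def __init__(self, secret: bytes, recovery_codes: list):
        self.secret = secret
        self.unused_recovery = {hashlib.sha256(c.encode()).hexdigest() for c in recovery_codes}
        self.last_counter = -1
        self.verified_at: Optional[int] = None


def verify_totp(state: MfaState, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift), but never a
    counter at or below the last accepted one, so a captured code cannot be replayed."""
    base = now // STEP_SECONDS
    for counter in range(base - window, base + window + 1):
        if counter <= state.last_counter:
            continue
        if hmac.compare_digest(hotp(state.secret, counter), code):
            state.last_counter = counter
            state.verified_at = now
            return True
    return False


def verify_recovery_code(state: MfaState, code: str, now: int) -> bool:
    """Fallback factor: each recovery code is single-use and removed on first success."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in state.unused_recovery:
        state.unused_recovery.remove(digest)
        state.verified_at = now
        return True
    return False


def mfa_satisfied(state: MfaState, now: int, max_age: int = 300) -> bool:
    """Gate for every protected action, not only login: a recent MFA success is required,
    so a long-lived session cannot perform sensitive actions on a stale verification."""
    return state.verified_at is not None and now - state.verified_at <= max_age
```

The test cases from the definition map directly onto these functions: replaying a code exercises `last_counter`, the recovery path exercises single use, and calling `mfa_satisfied` from each sensitive endpoint is what "checked on every protected action" means in code.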
// Related terms
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.
Password Reset
The flow that lets a user regain access when their credentials are lost or compromised. Typically involves verifying identity through a registered email or phone (a reset link or OTP), then allowing the user to set a new password. Security test cases include: token expiry (links should expire quickly), token single-use enforcement (used tokens must be invalidated), account enumeration (the response should not reveal whether an email is registered), brute-force protection on OTP entry, and ensuring reset tokens cannot be reused across accounts.
Email Verification
The process of confirming that a user controls the email address they registered with, typically by sending a one-time link or code that must be clicked or entered before account features are unlocked. Security test cases include: link expiry (unclicked links should expire quickly), single-use enforcement (links must be invalidated after first use), account enumeration through timing differences, and whether unverified accounts can access protected resources. Re-verification flows when a user changes their email address are also in scope.
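Because the Password Reset and Email Verification entries list the same controls (expiry, single use, enumeration-safe responses, brute-force limits on code entry, and codes bound to one account), the following added example, which is not code from the original glossary, implements one code service that covers both flows. A `purpose` field keeps a verification code from being redeemed as a reset and vice versa. The `CodeService` class, the `USERS` table, the `outbox` dict standing in for the email/SMS channel, the 15-minute TTL and the 5-attempt lock are all constructed assumptions for this illustration; a link-based reset would use the same logic with a long `secrets.token_urlsafe` value in place of the 6-digit OTP.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

CODE_TTL = 15 * 60        # seconds a reset / verification code stays valid (assumed)
MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is locked (assumed)

# Constructed sample user store (email -> user id); not a real directory.
USERS = {"alice@example.com": "u-1", "bob@example.com": "u-2"}

# One reply for every request, so the response never reveals whether the address is registered.
GENERIC_REPLY = "If that address is registered, a code has been sent."


def _digest(code: str) -> str:
    """Store only a hash of the code, so a leaked table cannot be redeemed directly."""
    return hashlib.sha256(code.encode()).hexdigest()


class PendingCode:
    def __init__(self, user_id: str, purpose: str, digest: str, created_at: int):
        self.user_id = user_id
        self.purpose = purpose          # "reset" or "verify-email"; a code is bound to one purpose
        self.digest = digest
        self.created_at = created_at
        self.used = False
        self.failed_attempts = 0


class CodeService:
    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str], PendingCode] = {}   # (user_id, purpose) -> code
        self.outbox: Dict[str, str] = {}   # stands in for the email/SMS channel (constructed)

    def issue(self, email: str, purpose: str, now: int) -> str:
        """Uniform reply regardless of whether the email is registered (no enumeration).
        A new code replaces any earlier one for the same user and purpose."""
        user_id = USERS.get(email)
        if user_id is not None:
            code = f"{secrets.randbelow(10 ** 6):06d}"   # 6-digit OTP (link token: secrets.token_urlsafe)
            self.pending[(user_id, purpose)] = PendingCode(user_id, purpose, _digest(code), now)
            self.outbox[email] = code
        return GENERIC_REPLY

    def redeem(self, user_id: str, purpose: str, guess: str, now: int) -> Tuple[bool, str]:
        """Returns (accepted, reason). Enforces expiry, single use, the attempt limit, and
        binding to the account and purpose the code was issued for."""
        rec = self.pending.get((user_id, purpose))
        if rec is None:
            return False, "no-pending-code"      # also covers a code issued to another account
        if rec.used:
            return False, "already-used"
        if now - rec.created_at > CODE_TTL:
            return False, "expired"
        if rec.failed_attempts >= MAX_ATTEMPTS:
            return False, "locked"               # brute-force protection on OTP entry
        if not hmac.compare_digest(rec.digest, _digest(guess)):
            rec.failed_attempts += 1
            return False, "invalid"
        rec.used = True                          # single-use enforcement
        return True, "ok"
```

Each glossary test case corresponds to one branch of `redeem` or to the uniform reply in `issue`; a QA suite for a real reset or verification endpoint should drive the same cases against the HTTP API and additionally check that the response time for a registered and an unregistered address does not differ measurably.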