Testing OTP (One Time Password)

Applicable for ONLY a single session? (does the OTP become invalid once the session it was issued for completes, or can it be reused in a later one?)

Replay attacks? (can an OTP that has already been accepted be submitted again successfully?)

Static password? (is the same OTP issued every time, or is the sequence predictable?)

Expiry time if the OTP is not used? (how long does an unused OTP stay valid?)

Help & documentation for OTP usage (note any stated format, length and validity period)

Delay in receiving the OTP? (compare the delivery delay with the expiry time)

OTP generation limit? (is repeated requesting of OTPs rate-limited per account, or can it be abused for SMS/email flooding and extra delivery cost?)

Expiry of older OTPs? (does requesting a new OTP invalidate the previous ones, or do several remain valid at once?)

Usage of the OTP for the particular session? (is the OTP tied to the session that requested it, or is one issued to session A accepted in session B?)


Characters used? (the alphabet and length fix the keyspace an attacker has to guess)

 Only digits?

 Only letters?

Analyze the POST data of the OTP generation request (identifiers and any other parameters that could be tampered with)

Type of case?

 Capital letters?

 Mix of capital and small letters?

 Small letters?

 Case doesn't matter? (a case-insensitive comparison halves the effective alphabet for letters)

 Camel Case?
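The session, replay, expiry, generation-limit and older-OTP items above, together with the character-set and case items, describe the behaviour a correct OTP verifier should show. The Python below is an added example written for this page, not code from the original checklist or from any tested product, and its policy values (5-minute TTL, 5 OTP requests per hour, 5 wrong guesses per OTP) are assumptions. It models a verifier that gives the safe answer to every item, so a tester can compare each observation against it, and adds a keyspace calculation for the character-set and case questions.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not taken from the checklist.
OTP_TTL_SECONDS = 300            # an unused OTP expires after 5 minutes
GENERATION_WINDOW_SECONDS = 3600
MAX_GENERATIONS_PER_WINDOW = 5   # OTP requests allowed per account per window
MAX_VERIFY_ATTEMPTS = 5          # wrong guesses allowed before the OTP is burned

ALPHABETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "letters": string.ascii_letters,
    "alphanumeric": string.ascii_letters + string.digits,
}


@dataclass
class IssuedOtp:
    code: str
    session_id: str      # session that requested the OTP; no other session may use it
    issued_at: float
    attempts: int = 0


@dataclass
class OtpService:
    alphabet: str = ALPHABETS["digits"]
    length: int = 6
    case_sensitive: bool = True
    # account -> the single live OTP; issuing a new one replaces (invalidates) the old
    live: dict = field(default_factory=dict)
    # account -> timestamps of recent OTP requests, for the generation limit
    issued: dict = field(default_factory=dict)

    def generation_allowed(self, account, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.issued.get(account, [])
                  if now - t < GENERATION_WINDOW_SECONDS]
        self.issued[account] = recent
        return len(recent) < MAX_GENERATIONS_PER_WINDOW

    def generate(self, account, session_id, now=None):
        now = time.time() if now is None else now
        if not self.generation_allowed(account, now):
            raise PermissionError("OTP generation limit reached for this account")
        self.issued[account].append(now)
        # CSPRNG choice per position: the OTP is neither static nor predictable
        code = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        self.live[account] = IssuedOtp(code, session_id, now)   # older OTP is gone
        return code

    def verify(self, account, session_id, candidate, now=None):
        now = time.time() if now is None else now
        otp = self.live.get(account)
        if otp is None:
            return False
        if now - otp.issued_at > OTP_TTL_SECONDS:
            del self.live[account]          # expired while unused: burn it
            return False
        if otp.session_id != session_id:
            return False                    # bound to the requesting session only
        otp.attempts += 1
        if otp.attempts > MAX_VERIFY_ATTEMPTS:
            del self.live[account]          # too many guesses: burn it
            return False
        expected, got = otp.code, candidate
        if not self.case_sensitive:
            expected, got = expected.casefold(), got.casefold()
        if hmac.compare_digest(expected.encode(), got.encode()):
            del self.live[account]          # single use: a replay finds nothing
            return True
        return False


def keyspace(alphabet, length, case_sensitive=True):
    """Number of distinct codes the verifier can tell apart."""
    distinct = set(alphabet) if case_sensitive else {c.casefold() for c in alphabet}
    return len(distinct) ** length


def guess_probability(alphabet, length, case_sensitive=True,
                      attempts=MAX_VERIFY_ATTEMPTS):
    """Chance that an online guesser wins within the allowed attempts on one OTP."""
    return attempts / keyspace(alphabet, length, case_sensitive)
```

Each item on the checklist maps to one branch of verify or generate: a mismatched session is refused, a second submission of an accepted code fails because the code is deleted on success, an unused code dies at the TTL, a sixth request in the window is refused, and a fresh request overwrites the previous code. A finding is any observed deviation from this behaviour, and the keyspace figure (one million for six digits, about 3.1e8 for six case-folded letters) says how much the attempt limit is doing.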