Why I Stopped Mocking 2FA in Tests (And What I Do Instead)

Source: DEV Community
I mocked OTP verification for two years. Then a bug hit production that my test suite should have caught. Here's what went wrong and how I fixed the approach.

I'll start with the bug that changed my mind. Last summer, we pushed a release that broke the phone number change flow in our app. A user would enter their new number, receive an OTP, type it in — and get a 400 error. The code was correct in every way except one: someone refactored the verification endpoint and accidentally changed the OTP field name from otp_code to verification_code in the request body. The frontend still sent otp_code. The backend no longer recognized it.

Our test suite had 100% coverage on this flow. Every test passed. Green across the board. Why? Because we were mocking the entire OTP layer.

The Mock That Lies

Here's roughly what our test setup looked like:

```python
# conftest.py — the old way
import pytest


@pytest.fixture
def mock_otp(monkeypatch):
    """Skip OTP verification entirely in tests."""
    monkeypatch.setenv("SKIP_OTP_VERIFI
```
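To make the failure mode concrete, here is an added example (not the post's own code, and not the author's app) that models the phone-number-change flow described above in plain Python. The handler `change_phone_number`, the client-side `build_client_payload`, the `InMemoryOtpStore`, and the `skip_otp` switch are all assumptions standing in for the real endpoint, frontend and "skip OTP" environment flag. The backend has been refactored to read `verification_code`; the client still sends `otp_code`. When verification is skipped, the request body is never parsed for the code and the flow returns 200, so a mocked test cannot see the mismatch. When a real (in-memory, deterministic) verifier is used instead, the same request returns the 400 that users saw in production.

```python
"""Added example: why a mocked OTP layer hides a request-contract bug.

All names here are illustrative assumptions, not the original post's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class InMemoryOtpStore:
    """Deterministic stand-in for a real OTP backend (SMS provider, Redis, ...)."""
    codes: dict = field(default_factory=dict)  # user_id -> (phone, code)

    def issue(self, user_id, phone):
        """Generate a 6-digit code bound to (user, phone) and remember it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user_id] = (phone, code)
        return code

    def verify(self, user_id, phone, code):
        """Constant-time compare; a code is single-use, so it is deleted on success."""
        entry = self.codes.get(user_id)
        if entry is None:
            return False
        stored_phone, stored_code = entry
        ok = stored_phone == phone and hmac.compare_digest(stored_code, code)
        if ok:
            del self.codes[user_id]
        return ok


def build_client_payload(new_phone, code):
    """What the frontend still sends after the refactor: the OLD field name."""
    return {"phone": new_phone, "otp_code": code}


def change_phone_number(user_id, body, store, skip_otp=False):
    """Backend handler after the refactor; it now expects `verification_code`.

    Returns an (http_status, response_body) tuple. `skip_otp=True` models the
    environment-flag shortcut the post's test fixture relied on (assumed name).
    """
    phone = body.get("phone")
    if not phone:
        return 400, {"error": "phone required"}
    if skip_otp:
        # The shortcut returns before the OTP field is ever read, so a renamed
        # field can never be noticed on this path.
        return 200, {"phone": phone}
    code = body.get("verification_code")  # renamed from otp_code
    if code is None:
        return 400, {"error": "verification_code required"}
    if not store.verify(user_id, phone, code):
        return 401, {"error": "invalid code"}
    return 200, {"phone": phone}


def run_flow(skip_otp):
    """Drive issue -> client payload -> handler, as a test would; return the status."""
    store = InMemoryOtpStore()
    user_id, phone = "user-123", "+15555550123"  # constructed sample data
    code = store.issue(user_id, phone)
    status, _ = change_phone_number(
        user_id, build_client_payload(phone, code), store, skip_otp=skip_otp
    )
    return status


if __name__ == "__main__":
    print("with OTP mocked out:", run_flow(skip_otp=True))   # 200, bug hidden
    print("with real verify:  ", run_flow(skip_otp=False))  # 400, bug visible
```

The point of the example is that the in-memory store is cheap enough to use in every test: it is deterministic, runs offline, and still forces the handler to parse the same request body the client actually sends. The `skip_otp` branch is the thing that lies, because it short-circuits before any contract between frontend and backend is exercised.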