Good question. I’d expand on this and ask a bonus question of, how do you write tests for your 2fa implementation code? Same thing for third party auth (sign in via GitHub/Google, etc); you can’t spam them every time you run your test suite, but is mocking responses from them really a wise move when testing authentication?