I am getting in touch with you in order to retrieve some feedback on the security aspect of a project that I have released. The objective of this question is to challenge the concept of the project and eventually retrieve constructive improvement tips you might see as appropriate. The project is named GetMyMfa.io (https://get.mymfa.io) and it aims to provide Just-In-Time and nominative access to virtual phone numbers' SMS MFA codes for testing and approval processes for organizations.

Where the idea came from:

I am currently working with multiple customers in the FSI domain (Financial Services Industry) and I am often required to perform tests in production environments with multiple accounts with different attributes. As production accounts, these accounts are generally required to have at least an SMS 2FA system in place. When performing tests in such sensitive accounts, a single individual usually owns all phone numbers linked to these accounts and shares received MFA codes via a phone call with the various people performing tests in these accounts. I believe this represents a security concern and a bypass of the Multi-Factor Authentication principles.

In addition, when submitting iOS applications to the App Store, Apple performs a human review process in which they need to log in to the application. When MFA is enforced for all production accounts, Apple rejects the application unless a way is implemented to allow them to log in. This often leaves developers with two options: develop a front-end-only demonstration mode, or bypass the MFA mechanism for a specific account.

Therefore, the project aims to:

- Allow organizations to rent virtual phone numbers and have their SMS MFA codes displayed in a private web interface;
- Organizations have a fine-grained access control system that allows them to control who can access their virtual phone numbers' MFA codes;
- Access granting can be time-based.

With this project, I aim to help businesses to:

- Avoid spending time building a security login "bypass" (and all the security issues that often come with it);
- Avoid building a "demonstration" mode exclusively for Apple on their mobile applications;
- Avoid using public websites with public phone numbers accessible to anyone.

What do you think? Would you use such a product for your business in order to safely manage SMS Multi-Factor-Authentication sharing in production accounts? If not, what would be your recommendations?

Thank you very much in advance!