Show HN: I built a platform to share SMS Multi-Factor Authentication codes

3 points by Frajedo over 3 years ago

Hello there HN!

I just wanted to share with you a product I've been working on for a while. The product is called GetMyMfa and is accessible at https://get.mymfa.io. The objective of this project is to allow organizations to safely and easily share Multi-Factor Authentication codes for their Quality Assurance and Apple App Store review processes.

*Where the idea came from:*

I am currently working with multiple customers in the FSI domain (Financial Services Industry) and I am often required to perform tests in production and staging environments with multiple accounts. As production and staging accounts, these accounts are generally required to have at least an SMS 2FA system in place. When performing tests in such sensitive accounts, a single individual usually owns all phone numbers linked to these accounts and shares received MFA codes via a phone call with the various people performing tests in these accounts. I believe this represents a security concern and a bypass of the Multi-Factor Authentication principles.

In addition, when submitting iOS applications to the App Store, Apple performs a human review process in which they need to log in to the application. When MFA is enforced for all production accounts, Apple rejects the application unless a way is implemented to allow them to log in. This often leaves developers with two options: develop a front-end only demonstration mode, or bypass the MFA mechanism for a specific account.

*Therefore, the project aims to:*

1. Allow organizations to rent virtual phone numbers and have their SMS MFA codes be displayed in a private web interface;
2. Organizations have fine-grained access control allowing them to control who can access their virtual phone numbers' MFA codes;
3. Access granting to virtual phone numbers can be time-based.

*On the security perspective, I aim to allow businesses to:*

1. Avoid spending time in building a security login "bypass" (and all the security issues that often come with it);
2. Avoid building a "demonstration" mode exclusively for Apple on their mobile applications;
3. Avoid using public websites with public phone numbers accessible to anyone.

What do you think? Would you use such a product for your business in order to safely manage SMS Multi-Factor-Authentication sharing in production accounts? I would love hearing your feedback on the pros and cons you see about this product.

All the best

1 comment

1123581321 over 3 years ago

I like this idea. At work, we’ve kicked around the need for a better way to share codes when SMS is the only option.

I honestly would prefer 1Password to implement this so we wouldn’t have to use a separate service, though. Having it integrated with the login, using their share tools, would be better and we trust their privacy and security guarantees more because of everything they’ve published and their track record.

For production data, I think we might still prefer a well managed and tested bypass…but I’d have to think about it.

That said, again, this looks like a good stab at the problem and will be coming up next time we’re dealing with this.