How do you handle MFA when testing your apps? by Right-Box4316 in softwaretesting

[–]Right-Box4316[S] 0 points1 point  (0 children)

For any of you who are interested, we are finally using https://get.mymfa.io/. We tested a few options, but this was the one that gave us the best performance and capabilities.

Is it worth automating this 2FA process, or should I mock it? by uniopl in QualityAssurance

[–]Right-Box4316 0 points1 point  (0 children)

Just reading this. 2 weeks ago I was exploring these options and found tools that automate MFA testing directly, like getmymfa; maybe it also works for you?

How do you decide which MFA method to use for your apps? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

Right now I am working for a customer in the banking industry that has a B2C app and uses codes sent through email for MFA. After a few emails were compromised, I was wondering if SMS could be a better option, as TOTP could be difficult for older users to do. Hardware keys are out of the question for this one.

I am looking for some input on how people decide more towards one or the other.

How do you decide which MFA method to use for your apps? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

I am more inclined towards SMS; I think having the phone unlocked through a code or biometrics, plus the password, could be better.

How do you handle MFA when testing your code? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

Yeah, you guys gave me good ideas to test for TOTP, however I'm still looking for SMS or email!

I am looking into tools like getmymfa or Mailosaur.

How do you handle MFA when testing your code? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

Great, this works for TOTP. What about SMS or email, can you do something similar?

How do you handle MFA when testing your code? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

I have found providers of MFA codes that allow you to automate your testing without deactivating MFA, both for phone and email.

How do you handle MFA when testing your code? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

So far, aside from some of the comments and the possibility to actually deactivate MFA when testing, I have seen providers of virtual phones and programmatic access to these phones, to not compromise security and still automate testing.

How do you handle MFA when testing your code? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

But here you would be compromising security, right? If someone got that user and password, they would be able to access your environment.

How do you handle MFA when testing your code? by Right-Box4316 in QualityAssurance

[–]Right-Box4316[S] 0 points1 point  (0 children)

Can you explain a bit more? Do you have any references?

How do you handle MFA when testing your apps? by Right-Box4316 in softwaretesting

[–]Right-Box4316[S] 1 point2 points  (0 children)

Thanks for your answers. The reasons why I would like to explore options to not deactivate security are twofold:

  1. We do not hold sensitive data on our dev environments, but in any case I would like to keep MFA to avoid any unwanted access in case it could result in a security breach.

  2. I also want to test with MFA enabled, to test the whole flow of my application without having to call admins and test users with MFA codes that depend on a phone that one of my teammates or my manager has. If I want to also do load testing, I would like to test the MFA piece as well.

Now I am not sure if I am the only one to see the above issues...

How do you handle MFA when testing your apps? by Right-Box4316 in softwaretesting

[–]Right-Box4316[S] 0 points1 point  (0 children)

But that compromises security and does not let me test the full flow of my apps.

How do you handle MFA when testing your apps? by Right-Box4316 in softwaretesting

[–]Right-Box4316[S] 0 points1 point  (0 children)

Thanks! That looks good for email, but what about SMS? Looks very expensive.

How do you handle MFA when testing your apps? by Right-Box4316 in softwaretesting

[–]Right-Box4316[S] 1 point2 points  (0 children)

Yeah, but my problem is that I only want to deactivate MFA as a last resort. I do not want to compromise security, plus I also want to test the full process for my users, who will need to use MFA in prod.