Significant usability issue with MFA (only 1 phone number?)

There is a significant usability issue with the now required MFA setup. I just set it up on one account (my personal account) and it only allows a code to be sent to one phone number. This makes Alpaca unusable for an institutional / fund account. With our customer accounts, we currently, at the absolute minimum, need to have the ability to have a code sent to at least one of three different phone numbers or we’re dead in the water.

Yes, there is that secret code (like 18 digits) which might be able to be used but that’s not its real purpose. Do you really want everyone logging into an account always using what is essentially a protected back door into an account?

We need to be able to populate the profile, at least the MFA part of it, with multiple phone numbers and when someone is logging in, they can choose which of the registered phone numbers to send the code to. (You don’t need the full phone number, the last four digits are sufficient for each phone number.)

My family’s personal auto and home insurance company allows this so myself or my wife can log in without one of us having to be the conduit for the sent code and then relaying the code to a spouse.

In an institutional account setting, there are multiple reasons for needing different people to be able to log in to the account. The account manager, the trader, a backup trader while the prime trader is out of the office, anyone auditing an account, etc., needs access. Having one phone number just doesn’t cut it in an institutional environment. It doesn’t really even suffice in a family environment.

With the MFA requirement to start this on June 30th, this is an URGENT issue or we’re essentially dead on July 1st.

@DavidC I’ve brought this issue up internally. Thank you for highlighting your concern.

One approach, and probably more secure than SMS authentication, is to use an authenticator program instead. One can use multiple authenticator apps running on separate devices to authenticate.

Under the "Update Two-Factor Authentication" section in one’s Alpaca profile, select Authenticator -> Activate (rather than SMS Code). A pop-up will display a 2D barcode. Scan that code on any devices you wish to enable for MFA. You will of course need to physically have the devices to do this, but that is part of what makes this secure. Now any of those devices can be used to authenticate.

This is actually a nice approach to backing up your MFA (and not just Alpaca). I personally have an old iPhone I don’t use anymore and set that up with Google Authenticator. At the same time I scan the 2D authentication code into my regular phone, I also scan it into my old phone. That way, if I ever lose my regular phone (or it gets damaged, etc.), I can dust off my backup phone and use the Authenticator app from there.

There is an article here from someone who has done something similar.
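Why scanning the same 2D barcode into several phones works: the barcode carries one shared seed, and every device holding that seed computes the same time-based code (RFC 6238 TOTP), so the server cannot tell which phone produced it. The following is an added illustration, not Alpaca's code or any authenticator app's; the `otpauth://` URI, the "ExampleBroker" issuer and the device names are constructed, and the seed is the RFC 6238 reference seed so the output can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning URI of the kind a 2D enrolment barcode encodes.
# The secret is the RFC 6238 reference seed "12345678901234567890" in base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleBroker:trading-desk%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBroker&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the shared parameters (seed, digits, period) out of an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to N digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, digits=6, period=30):
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret_b32, int(at_time) // period, digits)


class AuthenticatorDevice:
    """One phone that scanned the barcode. It stores the seed and nothing else."""

    def __init__(self, name, uri):
        self.name = name
        self.params = parse_otpauth(uri)

    def current_code(self, at_time=None):
        p = self.params
        now = time.time() if at_time is None else at_time
        return totp(p["secret"], now, p["digits"], p["period"])


def verify_code(secret_b32, submitted, at_time, digits=6, period=30, window=1):
    """Server-side check that tolerates one time step of clock skew either way.

    Constant-time comparison avoids leaking which digits matched.
    """
    step = int(at_time) // period
    for counter in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return True
    return False


def demo(at_time=59):
    """Two devices enrolled from the same barcode produce the same code."""
    primary = AuthenticatorDevice("primary phone", SAMPLE_OTPAUTH_URI)
    backup = AuthenticatorDevice("old phone kept in a drawer", SAMPLE_OTPAUTH_URI)
    return primary.current_code(at_time), backup.current_code(at_time)


if __name__ == "__main__":
    a, b = demo()
    print("primary:", a, "backup:", b, "match:", a == b)
```

Two points follow from the code. First, because the seed is the whole secret, a backup phone is exactly as sensitive as the primary one and the two must be treated alike (both wiped on loss, both re-enrolled when the seed is rotated). Second, the `window` in `verify_code` is what lets a phone whose clock drifts by up to one period still log in; widening it trades a little security for tolerance and should be kept small.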

Interesting. But I don’t think that this meets our needs. What if we have multiple Alpaca accounts, which we do? What if we have the same people using their same devices but need to access more than one account, which we do? What if these individuals are in different locations with their devices, which they are? For these reasons, it doesn’t appear that an authenticator app is viable for us.

But, having an account’s profile able to have multiple phone numbers and able to send an SMS code to each of these devices at any time at any login, does resolve our issue. It even lets the same individuals get an SMS code for different accounts on their same device so they can log into any account for which their phone number is included in the account. This meets all of our needs.

You can’t really expect to have a single solution for all your customers and believe that it’ll work in 100% of these cases. But, the flexibility of an SMS code for multiple phone numbers, even though it’s a bit less secure, can meet more needs than an authenticator app.