I am a CTO and iOS app developer implementing Two-Factor Authentication (2FA) in our application. Our app now requires 2FA for all user accounts. We need guidance on how to provide test access to the App Store Review team.
Since the login factors are
- device binding and
- biometrics or password,
a tester from your review team will never be able to fulfill the device binding requirement since the account has not been set up on their device.
We cannot disable 2FA for some test accounts, as suggested in other forum posts, as this would introduce a major security risk for our application.
What is the recommended approach here? What information should we include in the "App Review Information" section to help reviewers access our app?