Open
Labels: needs scope (Issues that need estimations/requirements/scoping)
Description
Summary
We are going to start accepting user phone numbers as a means of additional verification (to ensure users submitting testimony are both human, and only one human).
Given that, we should take extra care that phone numbers entered into our site are thoroughly protected. There are three options we should consider here:
1.) Add custom auth levels to Firebase
- This can allegedly make it so that regular admin users can't view phone numbers through the Firebase console
2.) Use a different third-party provider for SMS verification that doesn't store the phone number on our side (e.g. Twilio)
- Can we do this without storing phone numbers on the 3rd Party side? If not, is it worth it just to move the phone numbers from our Firebase project to a Twilio account (that we could maybe more tightly control access to, but may not change our legal/moral responsibility)? If they don't store the phone numbers on their side, how do we ensure we don't get repeat signups with the same phone number (AKA the point of introducing this verification in the first place)?
3.) Unlink the phone numbers after syncing with Firebase
- We would still need an actual solution for preventing repeat signups (maybe a Bloom Filter?), but would limit the window of our responsibility from "forever" to "just until the end of the verification flow"
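Option 3 mentions a Bloom filter as a way to catch repeat signups after the phone number has been unlinked. The following sketch of that idea is an added example, not code from this issue or from the project; the names `normalizePhone`, `PhoneBloomFilter` and `checkAndAdd`, the filter parameters, and the use of HMAC-SHA256 with a server-side key are all assumptions.

```javascript
// Added example (hypothetical names; not the project's code).
const { createHmac } = require('node:crypto');

// Canonicalise so "+1 (617) 555-0100" and "+16175550100" map to the same entry.
// Assumption: callers already supply a country code; full E.164 parsing is out of scope.
function normalizePhone(raw) {
  const digits = raw.replace(/\D/g, '');
  if (digits.length < 8 || digits.length > 15) throw new Error('not a plausible E.164 number');
  return '+' + digits;
}

class PhoneBloomFilter {
  // bits: filter size m; hashes: bit positions k per entry (max 8 here, because
  // one 32-byte HMAC-SHA256 digest is split into eight 4-byte words).
  constructor(secretKey, bits = 1 << 20, hashes = 7) {
    if (hashes < 1 || hashes > 8) throw new RangeError('hashes must be 1..8');
    this.key = secretKey;
    this.m = bits;
    this.k = hashes;
    this.bitmap = new Uint8Array(Math.ceil(bits / 8));
  }

  // Keyed hash: phone numbers are low-entropy, so an unkeyed hash could be
  // reversed by enumerating the number space. Keep the key outside the datastore.
  positions(phone) {
    const mac = createHmac('sha256', this.key).update(normalizePhone(phone)).digest();
    return Array.from({ length: this.k }, (_, i) => mac.readUInt32BE(i * 4) % this.m);
  }

  // true  -> number was probably used before (false positives are possible)
  // false -> number is definitely new; it is recorded and the raw value can be discarded
  checkAndAdd(phone) {
    const pos = this.positions(phone);
    const seen = pos.every((p) => (this.bitmap[p >> 3] & (1 << (p & 7))) !== 0);
    for (const p of pos) this.bitmap[p >> 3] |= 1 << (p & 7);
    return seen;
  }
}

// Constructed sample data (555-01xx numbers are reserved for fictional use).
function demo() {
  const filter = new PhoneBloomFilter(Buffer.from('constructed-demo-key-not-a-real-secret'));
  return [
    filter.checkAndAdd('+1 (617) 555-0100'), // first signup
    filter.checkAndAdd('+16175550100'),      // same number, different formatting
    filter.checkAndAdd('+1 617 555 0101'),   // different number
  ];
}
```

A Bloom filter never misses a number it has recorded, but it can flag a number it has not seen, so the signup flow needs a fallback for a wrongly rejected user. Entries also cannot be removed from a plain Bloom filter, which matters if a user later asks to have their number forgotten.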