I'm using a Firebase phone auth as primary authentication. Since the phone is vulnerable, I want to link an email address to it that the user can use to access his account to change his phone number in case he lost his phone or got stolen. I can't find a way how to do it.
I saw a method currentUser.linkWithPhoneNumber(). However, reading its documentation, it says it is only supported on web platforms. Is there any other way to make this possible?
When you authenticate a user with a phone number, the only data that you have inside the FirebaseUser object when the authentication completes, are the UID and the phone number. If you need to add an email address to an existing account, you can request the user to provide an email address. Once you have that, you can update the email address using the FirebaseUser#updateEmail(String email) function. As soon as the account is updated, you can add any functionality related to that email address.
Since you didn't specify a programming language, I linked that function to the Android docs, but certainly, you can do the same thing in the case of any other programming languages.
upon further reading, i found Email Link Authentication that answered everything i've asked.
Linking/re-authentication with email link You can also link this method of authentication to an existing user. For example a user previously authenticated with another provider, such as a phone number, can add this method of sign-in to their existing account.
https://firebase.google.com/docs/auth/flutter/email-link-auth
Related
In a Firebase project, I have activated multiple sign-in methods (e-mail, Google, and Microsoft), which all work fine. I also have it activated to only allow one account per e-mail address.
The problem arises when a user successfully signs in via Google or Microsoft, then signs out and then signs in via e-mail, using the same e-mail address as before using Google or Microsoft. Then his account type changes to e-Mail and it seems like a no way back.
Is there a way to change user account types from e-mail back to Microsoft or Google?
Your code must have different functions written for different signin's. When the user first logs in, store his login method on firestore. You can get this from the signin function triggered or simply by the button user clicked. Then during each login add a check that if user exists and user's current signin method is not the same as the one stored on firestore, notify the user to use the correct one.
Or you can let the user signin using whatever they please but ultimately in your code, the function which is triggered will tell you the current signin method and you'd have the first/previous method stored. So you can do stuff accordingly.
What you are writing in question seams not how it works. When you sign in using Google provider your email is verified automatly and if you try to sign in using same email authentication will throw error that account with that email allredy exists.
If you created first account using email and password and didn't verify your email addres then if you sign in using google provider with same email address in it, email and password provider will gone because of was not verified and you wont be able to login using email end password unless you will setup a new password for this email.
If email was verified and you sign in using google provider with same email address. This provider will be added to providers array and you will be able to login using email and password and google provider.
To add multiple providers to your accaunt you can use linkWithPopup() function. If you created accound with diferent email address and want to be able to log in on this account with provider who has diferent email address for example.
When using Firebase Auth, should I allow users to change their email address if they originally authenticated with Google?
How would I then handle this, when the user will not have a password and will not be able to log in with this new email address but will have to use the Sign In With Google option and log in with their original google email address.
You can link multiple authentication providers to one account - see the docs here.
This way, they can choose to sign in any of the linked providers on another device or on the original device (e.g. after they've deleted and re-installed the application).
I don't want to authenticate the user via their phone number that I have already done by using their email id and password. I just want to confirm that they are entering a valid phone number by sending them an OTP and verifying it. All the solutions that I have looked up go on to straight up authenticate the user. I am using firestore as my database.
Firebase allows you to link multiple authentication methods. You can find more details at https://firebase.google.com/docs/auth/web/account-linking
So, once the user is authenticated with email/password, initiate phone number authentication. When you get AuthCredential link it to current firebase user as mentioned in above link.
Other solutions would be to use external SMS gateway like twilio and doing phone number verification on your own. Which isn't required for your use case. In case you still want to try this, there is a free SMS gateway (which uses your own mobile number to send SMS) at https://www.sg.yagnyam.in/.
I've created an account in Firebase using phone authentication. However, from the documentation, it mention that:
If you use phone number based sign-in in your app, you should offer it
alongside more secure sign-in methods, and inform users of the
security tradeoffs of using phone number sign-in
I couldn't find a field to inject the password into the users database.
Should I enable the password/email sign in method? Is there any documentation to refer to?
I added email and password using:
createUserWithEmail:email:password:completion:
2 accounts are created:
I should rephrase my question to:
If the user logout, when they sign in again should they use the phone number, or email and password?
This is what it says in the documentation:
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
So all it means is that it is better to use another method with it, like email/password method.
When you enable that, then the user can create an account using his email, and you do not need the password, only the user id after he creates an account.
more info here:
https://firebase.google.com/docs/auth/ios/password-auth
Base on #Peter Haddad answer:
Updated the code to link the phone authenticated user and email/password authentication method.
FIRAuthCredential *credential =
[FIREmailAuthProvider credentialWithEmail:userEmail
password:userPassword];
[[FIRAuth auth]
.currentUser linkWithCredential:credential
completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
// ...
FIRUser *tmpUser = user;
}];
You should see these in the console (with only one row with 2 authentication type instead of 2 rows) :
I'm developing an MVC4/Razor site for which the client requested the ability for users to be able to sign in with Facebook/Google accounts. Fortunately, this is fairly straightforward using Forms authentication.
However, I'm faced with the issue of: what if the user's email address which is returned by the provider matches an existing username?
For example, tim#rocketeerconsulting.com previously exists as a native account. For whatever reason, the user wants to use Facebook to login. Facebook returns that tim#rocketeerconsulting is the user's email address. If the user attempts to create an account using that information, MVC4 will state that the account already exists.
There are a few concerns:
Should users be allowed to merge accounts if an email address provided by an OAuth provider matches an existing account?
This presents a potential security risk. Can I rely on the OAuth provider to confirm that the address is valid? If not, a malicious user can create a Facebook account and then gain access to another user's account.
How should such a thing be implemented, if at all?
I recognize there is a similar question here, but my question pertains specifically to the context of Forms auth in MVC4.
You are right: it's easy to impersonate this way
Indeed, to add more to the problem, not all the OAuth providers give you the user email address (LinedId).
Every OAuth provider use an email address for initial validation, however, the user can have more than one, indeed some encurages you have them as backup.
So the email is not a good 'key' to identify the user.
Probably your solution will be to have a table with your own internal id and the relate this to the OAuth provider unique user identification: some use the email address, others screen name or similar.
This will allow the user to have more than one OAuth validator on your site.
I implemented this with: Linkedin, Twitter, Amazon, Google+, Microsoft and Facebook. Additionaly, our users can use their domain account to login, but this is another story...